Internet Explorer 11 (IE11) is not supported. For the best experience please open using Chrome, Firefox, Safari or MS Edge

Designing Cookie Banners

The European Data Protection Board’s Cookie Banner Taskforce recently published a draft report containing recommendations on how to design and use cookie banners. The report is important as it provides guidance on issues such as reject buttons, pre-ticked boxes, banner design, and withdrawal of consent. Our Privacy & Data Security team provides a summary of the Taskforce’s findings.

In September 2021, the European Data Protection Board (EDPB) set up a Cookie Banner Taskforce (Taskforce) to coordinate the response to several hundred complaints made to data protection supervisory authorities (SAs) by the NGO NOYB concerning the design and characteristics of cookie banners.

The objectives of the Taskforce are to promote cooperation, information sharing and best practices. On 18 January 2023, the Taskforce published its draft report on work undertaken to date. In the report, the SAs agreed on an interpretation of the applicable provisions of the ePD and GDPR to the design of cookie banners.

If your organisation uses cookies on its website or app, the report is important as it provides guidance on issues such as reject buttons, pre-ticked boxes, banner design, and withdrawal of consent. We outline the key takeaways from the report below.

The rules – the ePrivacy Directive and GDPR

The Taskforce stated that the applicable legal framework for cookies is only the national law of each Member State which transposes Article 5(3) of the ePrivacy Directive (ePD) and that the one stop shop mechanism does not apply.

However, in relation to any processing of data which takes place after gaining access to or storing information on a user’s device, the Taskforce reminds stakeholders that the GDPR applies. So for processing of data collected via cookies to be lawful it requires that:

  1. The storage/gaining of access to information through cookies is done in compliance with Article 5(3) ePD (and the national implementing rules), and
  2. Any subsequent processing to be done in compliance with the GDPR

The Taskforce also emphasises that the ePD’s reference to consent includes both a reference to the definition of consent per Article 4 GDPR as well as to the conditions for consent in Article 7 GDPR.

Strictly necessary/essential cookies

The Taskforce observed that some controllers incorrectly classify cookies as “strictly necessary” despite the purpose for which such cookies are used not meeting the requirements of that exception.

By way of reminder, in order to rely on the “strictly necessary” exception, a cookie must pass two tests:

  1. The ‘information society service’ has been explicitly requested by the user, and
  2. The cookie is strictly needed to enable the ‘information society service’: if cookies are disabled, the service will not work

Based on previous regulatory guidance, the following purposes are generally viewed as benefiting from the strictly necessary exception:

  • First party session cookies which support user input or authentication
  • Limited user interface customisation cookies, for basic functions like language preference
  • User-centric security cookies: Accepted market practice is that first-party security cookies can rely on the strictly necessary exemption but third-party security cookies are not afforded the same benefit, and
  • Multimedia player session cookies used to store technical data needed to play back video or audio content

Designing cookie banners

Following a coordinated review of several cookie banners which were the subject of complaints, the Taskforce provided the following commentary on various design aspects of cookie banners:


Taskforce Commentary

No “reject” button on the first layer

The Taskforce noted that the “vast majority” of SAs agreed that not having a “reject” button on any layer of the cookie banner which has a “accept” option is not in line with requirements for valid consent.

However, there continues to be divergence on this issue as the Taskforce also indicates that a “few” SAs considered that there cannot be infringement for failing to have a “reject” button as the ePD does not explicitly mention a “reject option” to the deposit of cookies.

Pre-ticked boxes

The Taskforce remind stakeholders that pre-ticked boxes (either in the first or second layer of the cookie banner) do not constitute valid consent.

Link Designs

In order for consent to be freely given, a website owner must not design its cookie banners in a way that gives users the impression that they have to give consent to access the website or which clearly pushes the user to give consent. Rather for consent to be valid, the user should be able to understand what they consent to and how to do so.

The Taskforce note that the practice of using a hyperlink in the cookie banner for the reject option as opposed to a button could be deceptive. By way of example, the Taskforce indicate that in the absence of sufficient visual support to draw a user’s attention to a method for refusal, the following do not lead to valid consents:

  • Providing a hyperlink behind the words “refuse” or “continue without accepting” in a paragraph of the cookie banner; and
  • Providing a hyperlink behind the words “refuse” or “continue without accepting” placed outside the cookie banner.

Deceptive Button Colours and Deceptive Button Contrast

The Taskforce observe that design choices in respect of colour and contrast can mislead users and result in the unintentional giving of consent.

It is recommended that website operators avoid using colours or contrast ratios which highlight the “accept all” button over other available options. For example, it is manifestly misleading for users where the contrast between the “reject” button and background of the cookie banner is so minimal that the text is unreadable to the user.

Legitimate interests claimed

The Taskforce confirm that the “legal basis for the placement/reading of cookies pursuant to Article 5 (3) cannot be the legitimate interests of the controller”.

The Taskforce also comment that language around “legitimate interests” and making a distinction between refusal of consent and the potential to object to further processing based on legitimate interests in the cookies banner could be considered confusing for users.

No withdraw icon

The Taskforce recommend that website owners should put in place easily accessible solutions that allow users to withdraw their consent to the use of cookies at any time. For example, by using a small hovering and permanently visible icon or via a link placed in a visible and standardised place.

What next?

The Taskforce’s interpretation of these design issues provides helpful clarification for website and app operators. The timing of the draft report also indicates that enforcement of cookies rules remain high on the agenda for SAs in 2023.

For more information or for advice on steps your organisation can take to comply with the ePD going forward, please contact a member of our Privacy & Data Security team.

The content of this article is provided for information purposes only and does not constitute legal or other advice.

Share this: