The European Data Protection Board (EDPD) has released a new set of examples of non-compliant practices to help website managers ensure they are in compliance with the General Data Protection Regulation (GDPR).
Photo: Autorité de protection des données
Further to the report adopted by the EDPD on the work undertaken by the Cookie Banner Task Force a few weeks ago, the EDPD has now published examples of non compliant practices to better assist website managers in attaining compliance. In response to the EDPD’s publications, the French Data Protection Authority,
“strongly encourages organizations to review their cookie banners in light of the recommendations contained in the report.”
This report is the outcome of collaboration between the various European data protection agencies, which was put up to address complaints the NOYB organization received over cookie banners.
The research includes a number of widespread practices noticed on cookie banners of websites operating in the European region and assesses whether they comply with the various standards that are in force (in particular: the ePrivacy Directive, and the GDPR). It might be possible to use it as guidance for website and application managers when asking for the user’s permission to read or store cookies (and/or other equivalent technologies) on their device.
The report examines, among other things, the following practices:
- The pre-checked boxes. Regardless of the level of the banner in which the checkbox is featured, pre-checked boxes do not represent a legitimate permission within the meaning of the GDPR or ePrivacy.
- Misleading design. The taskforce called attention to many misleading banner layout practices.
- The legitimate interest. Some websites process data further after placing or reading cookies based on legitimate interest rather than user consent. The paper reminds readers that the mere storing or reading of cookies cannot be justified by legitimate interest, and that any further processing that results from those actions must also be compliant with the GDPR.
- The absence of a “refuse all” button at the same level as the “accept all” button. Most data protection agencies, including ODA, viewed this as a breach and believed that users of websites should have access to the choice of allowing or disabling the deposit/reading of cookies on their devices.
The ODA wants to remind readers that the GDPR and Article 5.3 of ePrivacy have a wide application and apply to a variety of technological platforms (such as, among other things, the use of “local storage”).
She also draws attention to the fact that the study simply provides examples of blatant infractions, without going farther. Therefore, it cannot be assumed that any behavior that is not specified in the report will automatically abide by the laws currently in effect.
Visit the EDPB website to read the entire report.
Organizations are strongly urged by the ODA to review their cookie banners in light of the report’s recommendations.
