One of the main criticisms of the EU’s General Data Protection Regulation (GDPR) is that it has led to a plague of annoying pop-ups and web pages demanding permission to use cookies to continue one’s online activities.
What many people don’t understand is that sites often make these irritating requests voluntarily, in order to get visitors to quickly agree without looking at the details to override.
Many of these « cookie walls » are illegal under the 2002 ePrivacy Directive, which was written in response to the growing problems caused by cookie use 20 years ago.
As « cookie walls » remain a major problem, a European working group on cookie banners was created in 2021.
Its first report has just been published, and while it lists the main problems with cookie banners, it fails to make clear recommendations for action.
The report states that the relevant law is the Privacy Directive, but that certain concepts in the GDPR (e.g., the conditions for valid consent and the right to information) are essential to assess whether or not there is a violation of the national law transposing the Directive.
It addresses specific aspects of cookie banners, including opt-out buttons, pre-ticked boxes, banner design and opt-out icons.
It also addresses the intriguing area of « dark patterns » – aspects of the user interface designed to trick or even deceive users into doing things they would not otherwise choose to do.
While it’s good news for privacy that the EDPB recognizes and lists the various problems associated with illegal cookie requests, it may seem disappointing that its recommendations for combating them are not stronger and more explicit.
The report concludes by noting that potentially abusive approaches must be judged on a « case-by-case basis » – which means we can expect many more complaints and decisions in this area.
