Summary of EDPB comments on the Commission’s draft pledges principles regarding cookies
I – Background:
The Commission previously launched a reflection on how to better empower consumers to make effective choices regarding tracking-based advertising models. As part of this work, the Commission announced its intention to work together with relevant stakeholders on voluntary solutions that could address consumer issues related to cookies and targeted advertising.
A first draft of pledge principles was communicated to the EDPB on 10 October 2023. The EDPB expressed its comments on the pledged principles on a letter dated 13 December 2023 and published on 19 December 2023. Below is the summary of the EDPB’s comments.
II – Summary of the EDPB’s comments
Draft Principle A: Information Regarding ‘Essential’ Cookies
- Principle: “The consent request will not contain information about the so-called essential cookies nor the reference to collection of data based on legitimate interest.”
- EDPB comments:
- The EDPB recalls the need, under the GDPR, to inform users about personal data processing in terminal equipment, regardless of consent requirements under the ePrivacy Directive.
- However, it agrees that detailed information about essential cookies should be presented distinctly from the consent requests and information on non-essential cookies – for example via a link on the first layer of the cookie banner redirecting to the relevant section in the privacy policy, or to a second layer.
- Regarding legitimate interests, it agrees that this should not be referred to in the cookie banner, as it is not a legitimate legal basis under the ePrivacy Directive. The EDPB also recalls its previous remark that “consent. . .will generally be the most adequate legal basis for the processing of personal data that takes places after access or storage thereof in terminal equipment based on consent under the ePrivacy Policy.” See e.g. EDPB Guidelines 01/2020 on processing personal data in the context of connected vehicles and mobility related applications, adopted on 9 March 2021, paragraphs 14-15.
Draft Principles B, C, and D: Transparency re. Business Models and Consent
- Principles:
- B: “When content is financed at least partially by advertising it will be explained upfront when users access the website/app for the first time.”
- C: “Each business model will be presented in a succinct, clear and easy to choose manner. This will include clear explanations of the consequences of accepting or not-accepting trackers.”
- D: “If tracking based advertising or paying a fee option are proposed, consumers will always have an additional choice of another less privacy intrusive form of advertising.”
- EDPB comments:
- The EDPB supports the goal of enhancing transparency and promoting less intrusive advertising models. However, it warns that information about business models may not substitute information obligations regarding access or storage in the terminal equipment and on the processing of personal data.
- Re. draft principle B, the EDPB considers that it should also refer to business model using contextual advertising, which may also involve the accessing or storing of information on the terminal device. Contextual advertising should also be included in draft principles C and D as an example of less privacy intrusive form of advertising.
- The EDPB also recommends that the draft principles reflect the need for a case-by-case analysis of whether consent is freely given and valid, notably where a pay wall is used by controllers. While noting the need for such a case-by-case analysis, the EDPB states that it considers relevant for such an analysis the existence of an alternative with a less privacy intrusive form of advertising, such as contextual advertising.
Draft Principle E: Requirements of Valid Consent
- Principle: “Consent to cookies for advertising purposes should not be necessary for every single tracker. For those interested, in a second layer, more information on the types of cookies used for advertising purposes should be given, with a possibility to make a more fine-grained selection.”
- EDPB comments:
- The EDPB first recommends that, at a minimum, the principles should clarify that if an “accept” button is present, a “reject” button should also be available, emphasizing the user’s ability to make an informed choice. The EDPB also recalls that users must be informed about identity of the controllers for consent to be valid.
- The EDPB agrees that it is possible to consent to cookies for a specific advertising purpose without necessarily requiring users to separately consent to every single tracker or partner in the first layer. However, the EDPB notes that it would be “unlikely that the use of a very large number of partners for a single purpose would meet the requirements of necessity and proportionality and consent would therefore unlikely be valid.” As such, it recommends clarifying in the principle that it may be more difficult for consent to be informed and unambiguous if the number of partners is increasing.
- The EDPB considers that users should also be informed on the identity of actors that actually access or store information on their terminal equipment, and not merely a list of potential actors.
Draft Principle F: Specific Purpose of Consent
- Principle: “No separate consent for cookies used to manage the advertising model selected by the consumer (e.g., cookies to measure performance of a specific ad or to perform contextual advertising) will be required as the consumers have already expressed their choice to one of the business models.”
- EDPB comments:
- The EDPB recommends clarifying that consent is given for the use of cookies for a specific model or advertising, and not to the model of advertising itself.
- The EDPB also recalls that purposes should not be combined. It gives two examples: use of cookies for frequency capping or measuring the effectiveness of ad campaigns are intrinsically linked to the online advertising purpose and could therefore be subject to one single consent. However, consent for use of cookies for specific online advertising purposes cannot extend, for example, to the collection of email addresses of a website to send marketing emails.
Draft Principle G: Recording Refusal or Withdrawal of Consent
- Principle: “The consumer should not be asked to accept cookies in one year period of time since the last request. The cookie to record the consumer’s refusal is necessary to respect his/her choice.”
- EDPB comments:
- The EDPB first notes that its understanding of the principle is that it is limited to the recording of the user’s refusal to, or withdrawal of, consent (i.e., not recording acceptance).
- The EDPB believes that the one-year period is adequate in order to reduce the frequency of consent requests.
- The EDPB also clarifies that the cookies used to record refusal or withdrawal should not contain a unique identifier, but rather mere generic information (flag or code) common to all that have refused or withdrawn consent. In case cookies to records such refusal or withdrawal is deleted by the user (e.g., chance in technical settings of the browser), the EDPB considers it reasonable for controller to prompt users with a new consent request.
- The EDPB also recalls that, under the DMA, controllers that are gatekeepers are already subject to similar rules.
Draft Principle H: Empowering Users Through Software Settings
- Principle: “Signals from applications providing consumers with the possibility to record their cookie preferences in advance with at least the same principles as described above will be accepted.”
- EDPB comments: For the EDPB, relying on software settings expressing the user’s refusal of cookies could help reduce cookie fatigue. On the other hand, it considers that relying on such software to express the user’s affirmative consent should be carefully considered, notably as it should be ensured that the software allows a sufficient level of granularity, specificity and information for consent to be valid.