<img height="1" width="1" style="display:none;" alt="" src="https://px.ads.linkedin.com/collect/?pid=5678177&amp;fmt=gif">

EDPB Provides Opinion on Draft Principles of Voluntary Cookie Pledge

Stack of chocolate chip cookies against dark blue background

On March 28, 2023, during the European Consumer Summit in Brussels, the European Commissioner for Justice and Consumers, Didier Reynders, announced the intention of the European Commission to reflect on and initiate a comprehensive exploration aimed at empowering consumers to make informed choices in the realm of tracking-based advertising models.

The initiative took shape through collaboration with relevant stakeholders, whose main objective was to develop voluntary solutions that would be able to effectively address consumer concerns related to cookies and targeted advertising. During the first roundtable discussion, held on April 28, 2023, the participation of EU-level trade entities, consumer associations, and global businesses exclusively was welcomed, with national trade associations or businesses excluded due to logistical constraints.

Following this first roundtable discussion, three working groups were created with pledge participants being encouraged to contribute written insights, engage in discussions, and actively partake in formulating pledge principles. In July 2023 meetings of the working groups revealed a need for further contemplation, which resulted in technical meetings being held in October 2023 to address specific issues. Key focus areas included enhancing consumers' understanding of various advertising models and understanding the implications for their privacy preferences. Additionally, the feasibility of alternative advertising models was scrutinized.

Eight draft pledge principles were created following this work, as outlined below: 

Draft Principle A. The consent request will not contain information about the so-called essential cookies nor the reference to the collection of data based on legitimate interest.

Draft Principle B. When content is financed at least partially by advertising it will be explained upfront when users access the website/app for the first time.

Draft Principle C. Each business model will be presented in a succinct, clear and easy to choose manner. This will include clear explanations of the consequences of accepting or not-accepting trackers.

Draft Principle D. If tracking based advertising or paying a fee option are proposed, consumers will always have an additional choice of another less privacy intrusive form of advertising.

Draft Principle E. Consent to cookies for advertising purposes should not be necessary for every single tracker. For those interested, in a second layer, more information on the types of cookies used for advertising purposes should be given, with a possibility to make a more fine-grained selection.

Draft Principle F. No separate consent for cookies used to manage the advertising model selected by the consumer (e.g. cookies to measure performance of a specific ad or to perform contextual advertising) will be required as the consumers have already expressed their choice to one of the business models.

Draft Principle G. The consumer should not be asked to accept cookies in one year period of time since the last request. The cookie to record the consumer’s refusal is necessary to respect his/her choice.

Draft Principle H. Signals from applications providing consumers with the possibility to record their cookie preferences in advance with at least the same principles as described above will be accepted.

On December 13, 2023, the EDPB’s Chair, Anu Talus, sent the EDPB’s opinion on the draft principles, saying that “the EDPB welcomes the Commission’s initiative to gather stakeholders and promote discussions and exchanges of views on the use of cookies and any other systems used for tracking users’ online navigation” and that it “supports actions that aim at simplifying the management by users of cookies and personalised advertising choices and empowering users’ control over their personal data and privacy, in compliance with the GDPR and the ePrivacy Directive.” However, Talus wrote, “while voluntary commitments may be a useful tool, the pledging principles should by no means be used to circumvent legal obligations” and “undertaking voluntary commitments does not equate or guarantee compliance with the applicable data protection and privacy framework.”

As regards the draft pledge principles, the EDPB commented as follows: 

Draft Principle A: The European Data Protection Board (EDPB) recommends informing users about the processing of personal data, including for "strictly necessary" cookies exempt from consent. Detailed information on these cookies should be separate from the consent request, aligning with GDPR guidelines. The term "essential cookies" is advised to be changed to "strictly necessary." The EDPB suggests excluding references to data collection based on legitimate interest in cookie banners and emphasizes that consent under GDPR Article 6(1)(a) is the preferred legal basis for post-access processing. Implementing these recommendations ensures compliance and clarity in privacy practices.

Draft Principles B, C, and D: The European Data Protection Board (EDPB) endorses draft principles for transparent business models and non-intrusive advertising, emphasizing compliance with the ePrivacy Directive. Valid consent, in line with the GDPR and the ePrivacy Directive, is highlighted, stressing factors like balance of power, granular consent, and information provision. The EDPB advises including contextual advertising in the pledge principles and looks at business models beyond behavioral advertising. It recommends clarifying that certain ad-supported services are not fee-based. The EDPB refers to the Digital Markets Act and advocates a case-by-case analysis for valid consent, considering user options. It notes the multifunctionality of cookies and recommends “that the draft principles reflect the need for a case-by-case analysis of whether consent is freely given and valid, taking into account the different options provided to the user. For the sake of completeness, the EDPB also recalls that cookies may serve multiple functions, beyond the implementation of a business model. The EDPB therefore recommends that the first sentence of draft principle C be amended to indicate that ‘cookies may be used to implement a business model.’ ”

Draft Principle E: The EDPB’s opinion looks at the application of Draft Principle E concerning the requirements of valid consent and emphasizes that valid consent should be freely given and specific, particularly when dealing with cookies. It recommends including an explicit option for users to "reject" non-essential cookies on the initial banner layer, alongside any "accept" button. Additionally, it stresses the importance of informing users about the identity of the data controller, the type of information involved, and the purpose of data access or storage. The EDPB acknowledges the possibility of consenting to cookies for a broader advertising purpose while allowing more granular choices on a second layer. However, it cautions against an excessive number of partners, emphasizing the need for necessity, proportionality, and clarity in obtaining consent. Finally, the EDPB proposes specifying the identity of actors accessing/storing information and discourages presenting users with a list of potential actors during the consent process.

Draft Principle F: The EDPB’s opinion emphasizes that compliance with data protection rules requires obtaining precise and separate consent for specific processing purposes. The opinion stresses the need for clear communication regarding technical processing operations, such as using cookies for advertising, to ensure user awareness. The EDPB recommends refining language related to advertising models, specifically focusing on obtaining consent for cookie usage within a defined advertising model for clarity and compliance with Article 5(3) of the ePrivacy Directive.

Draft Principle G: Draft Principle G focuses on capturing a user's refusal or withdrawal of consent, with the EDPB suggesting clarification for better understanding. The EDPB acknowledges the need to record such decisions for a specified period, proposing a one-year duration to minimize excessive consent requests. Additionally, the EDPB emphasizes the importance of detailing "negative consent" recording, particularly for cookies, suggesting the use of generic information instead of unique identifiers. The EDPB highlights the potential deletion of consent records by users and recommends prompting new consent requests when necessary. Gatekeepers under the Digital Markets Act are reminded of existing rules on prompting users for consent in specific scenarios.

Draft Principle H: The EDPB recognizes software's role in empowering users to protect their devices, advocating for default data protection in apps. It supports draft principle H for users to express refusal through software settings, aiming to reduce cookie fatigue. However, caution is advised for obtaining affirmative consent, emphasizing the need for active, specific, and informed choices. The EDPB highlights the lack of assessment on current software settings for cookie consent validity. Lastly, it asserts that privacy laws shouldn't undermine individuals' preferences to reject specific ad models.

The next steps will consist of work done by the Commission together with stakeholders to further develop and finetune the principles, including in light of the EDPB’s opinion. The goal is for these to be completed sometime in January 2024 and then be presented in their final version in April 2024 at the Consumer Summit. 

How can Clym help?

Clym helps to keep your website compliant with GDPR requirements, as well as 40+ other global regulations. Clym offers the following:

  • All-in-one platform: One interface combining Privacy and Accessibility compliance with global regulations, at an affordable price;
  • Seamless integration into your website;
  • Adaptability to your users’ location and applicable regulation;
  • Customizable branding;
  • Ready Compliance: Covering 30+ data privacy regulations;
  • Six preconfigured accessibility profiles, as well as 25+ display adjustments that allow visitors to customise their individual experience.

You can convince yourself and see Clym in action by booking a demo or reaching out to us to discuss your specific needs today.