The Swedish Post and Telecom Authority (“PTS”) has finally found its sweet tooth for cookie rules. For the first time ever, the PTS has notified four Swedish authorities and companies that their websites do not comply with the rules on cookies. In light of this, we have put together a checklist demonstrating how to build a compliant cookie banner for your website or app.
The PTS has stated that it must be equally simple for users to consent to cookies as it is to refuse non-essential cookies. A cookie banner is insufficient if it only has an “Accept Cookies” and a “Manage Cookies” option, as this requires users to click “Manage Cookies” to access a second layer of the banner, where they can choose which cookies they agree to. Users must be able to refuse non-essential cookies at the same time and in the same view as they can consent to them, and refusing shouldn’t require more keystrokes than consenting.
According to the PTS, users must actively consent to cookies. This means that consent cannot be given by the mere usage of a website, or by the absence of a rejection of cookies. Consent must be explicit. A cookie banner is insufficient if users are expected to consent to cookies by clicking on an option that says “I understand”. Lastly, consent must be unconditional. It is not allowed to make access to services on a website conditional on users consenting to non-essential cookies. This means that it is not allowed to block an entire website with a cookie wall that makes the website unavailable until consent to non-essential cookies is given.
The PTS has stated that users cannot give informed consent if they do not know which cookies are being used, what processing they perform and what their purpose is. Clear and complete information on this must be provided in a user-friendly way before users give their consent. A brief description should be included in the first layer of the cookie banner, and a more detailed description should be given in a second layer of the cookie banner and in a privacy policy. It is insufficient if this information is only accessible by clicking a link in the first layer of the cookie banner that leads to a privacy policy and/or a webpage about cookies.
Informed consent also assumes that users have been informed that they have a statutory right to withdraw their consent at any time. This information must be given in connection with, and in the same view as, the point where consent is obtained.
According to the PTS, it should be equally simple for users to withdraw their consent as it was to give it. In three of its recent supervisory notifications, the PTS assessed whether the two options were equally accessible by comparing the keystrokes required to locate them and their placement on the website. In all three cases, users could give their consent by clicking a directly visible cookie banner once, but they had to look for a “Cookie Policy” link, or similar, in the footer of the website, and then take two or three steps to reach the consent withdrawal option. The PTS notified all three website owners that they had to make the consent withdrawal option equally accessible, and that it must be directly accessible on all webpages of the website.
The PTS has stated that users might get the false impression that they must consent to non-essential cookies if the overall design makes the “Accept Cookies” button appear as the default, for example through the use of colour. This should not be interpreted as a ban on using certain colours or layouts, but it emphasises that the design of your cookie banner should be user-friendly and neutral. This is in line with the PTS’s general advice on cookies, which states that users shouldn’t, for example, have to untick boxes to refuse cookies, as this makes consent appear as the default.