
Cookie Consent Banner: are you force-feeding your users?

Earlier in our Data Protection Series, we shared some tips on how to obtain valid consent in accordance with the General Data Protection Regulation (GDPR). Today, we want to explore cookie consent banners in light of the latest report issued by the Cookie Banner Taskforce. The taskforce was established to address concerns about implementing the EU’s ePrivacy Directive, which requires consent for using cookies and similar technologies that store or access information on a user’s device. The report includes guidelines for using cookie banners, the pop-up notifications that website visitors often see when they first visit a website, asking for their consent to use cookies.

Driven by many complaints received from noyb (the European non-profit privacy rights group), the guidelines aim to ensure that cookie banners comply with the ePrivacy Directive while being user-friendly and not overly intrusive. The Taskforce’s findings should be considered in your privacy assessment, as non-compliance may result in significant financial penalties. The fines for non-compliance can reach up to €20 million or 4% of the annual global revenue of the previous fiscal year, whichever is higher.

When it comes to cookies, you should remember that they can only be set after obtaining the user’s consent. This means that organisations must provide clear and concise information about the types of cookies used and their purpose, and must make it easy for users to understand the request and to refuse consent. Additionally, to ensure that consent is given freely, website owners must not design cookie banners that create the impression that consent is needed to access website content or that pressure users to consent. Keeping this in mind helps ensure that the consent obtained is active, informed and freely given.

Pre-ticked boxes

Pre-ticked boxes are not allowed when obtaining valid consent for cookies and similar technologies. This means that users must actively select the checkboxes or opt-in buttons for the types of cookies they consent to rather than having them pre-selected by default.

Reject option

Most Data Protection Authorities (DPAs) stated that the absence of a rejection option on the cookie consent banner does not meet the requirements for valid consent and would therefore be considered a violation. However, a few DPAs said they could not consider it a violation because the ePrivacy Directive does not explicitly mention a “reject option” for cookies. This highlights some uncertainty among Authorities on how to interpret the ePrivacy Directive. Still, overall, it is clear that cookie banners that do not provide a way for users to reject/refuse/not consent to cookies are more likely to be considered a violation.

Withdrawal option

The ePrivacy Directive and GDPR require that users can withdraw their consent easily. Different websites may display various options for users to withdraw their consent to use cookies. Some websites may not offer a permanently visible icon that allows users to access their privacy settings and withdraw their consent easily. However, while website owners are required to implement easily accessible solutions, such as a visible icon or link, they cannot be mandated to use a specific solution for withdrawing consent. Each solution will need to be evaluated case by case to ensure that it is as easy to withdraw consent as it is to give it.

Colours and contrasts of the buttons

Another matter to be considered is ensuring that the colour and contrast used in the banner do not mislead users and result in unintended consent. The taskforce has stated that each case must be evaluated individually; there is no standardised, set approach. It has also provided examples of practices that it considers misleading, such as when an alternative action, other than granting consent, is offered in a button, but the contrast between the text and the button background is so minimal that the text is unreadable to virtually any user.

Essential cookies

The taskforce also noted that some controllers classify certain cookies and operations as “essential” or “strictly necessary” when they do not meet the criteria outlined in the legislation. The taskforce has acknowledged that determining which cookies are essential can be challenging, mainly because the features of cookies often change, so it can be difficult to establish a reliable list of essential cookies. To address this, the taskforce discussed the potential use of tools to identify the cookies used by a website, as well as the responsibility of website owners to maintain these lists, provide them to authorities when requested, and demonstrate the “essentiality” of the cookies listed.

Legitimate interest

Legitimate interest is often used for cookies that are necessary for basic website functions. However, some organisations have tried to use legitimate interest for cookies used for personalised advertising, which various data protection authorities have rejected. Some cookie consent mechanisms use ambiguous language about legitimate interest, leading users to believe they must consent to all cookie usage. This can result in the website relying on legitimate interest for non-essential data processing, which is not in compliance with GDPR.

In light of these recent developments, organisations need to review their cookie policies and ensure that they comply with the guidelines provided in the report. Our law firm can assist you in reviewing your cookie policies and guide you on how to obtain valid consent for cookies and similar technologies.


If you are unsure about your cookie practices or whether your website complies with the GDPR, feel free to book a free 20-minute consultation with our data protection lawyer.

Anna Levitina

Of Counsel
