Cookie consent banners are a feature of websites that inform website visitors of the cookies or trackers that may be placed on that user’s device and ask users to consent to such cookies.
There are hundreds of cookie consent banner designs, ranging from asking a user to accept or deny cookies to stating, “by using this website, we assume that you are ok with cookies.”
When it comes to these banners, you must follow a particular set of rules to be compliant, so in this case, the banner design is extremely important.
In this article, we will discuss the basics of cookie consent banners and the recent report of the European Data Protection Board Task Force so that you can be confident in your cookie consent banner.
Cookie Consent Banner Basics
First, not all websites are required to have a cookie consent banner. Your website will need to have one if you need to comply with the ePrivacy Directive, the General Data Protection Regulation (GDPR), the United Kingdom Data Protection Act 2018 (UK DPA), the Personal Information Protection and Electronic Documents Act (PIPEDA), or the California Privacy Rights Act (CPRA).
It is important to note that the CPRA requirement differs from the rest as its purpose is to allow website visitors to opt out of sales of personal information, which is sometimes, but not always, related to cookies.
To keep things simple, this article will not focus on the CPRA but will instead focus on the requirements of the other privacy laws.
The purpose of the cookie consent banner is to control any cookies that are not necessary to the operation of the website.
Examples of cookies that require the user’s consent, and thus the cookie consent banner, include functional, marketing, and advertising cookies such as Facebook pixel, Google Analytics, and YouTube video cookies.
The cookie consent banner must prevent these cookie scripts from firing until the user consents to the cookies.
Non-compliance Example 1: No Deny Option
To comply, a cookie consent banner must obtain the user’s consent to place certain cookie scripts on that user’s device.
Consent is a freely given, specific, informed, and unambiguous indication of the individual’s wishes, by which they signify agreement through a clear statement or an explicit affirmative action.
As such, cookie banners must have both an “accept” and a “deny” option. Cookie consent banners that only offer an “accept” or “ok” button, or just an exit button, are therefore not compliant.
In fact, after polling Data Protection Authorities, the Task Force found that “a vast majority of authorities considered that the absence of refuse/reject/not consent options on any layer with a consent button of the cookie consent banner is not in line with the requirements for a valid consent and thus constitutes an infringement.”
Thus, to avoid non-compliance fines, it is best to choose a design that allows users to accept or deny cookies.
Non-compliance Example 2: Pre-ticked Boxes
Consent to cookies must be a clear and affirmative act. Multiple privacy laws state that silence, pre-ticked boxes, or inactivity do not constitute consent.
In line with this explanation, the Cookie Task Force found that any banners with pre-ticked boxes for non-essential cookies on any layer of the cookie consent banner (especially when users want to change their settings after they consented) are not compliant as they cannot gather proper consent.
Non-compliance Example 3: Links Instead of Buttons
We discussed privacy by design before, and this example perfectly illustrates how seemingly innocuous design choices can become privacy violations.
The Cookie Task Force found that some cookie consent banners contain a link instead of a button as the “reject” option. If the user clicks on that link, they are taken to a secondary page explaining cookies and asking them to either accept or reject the cookies.
The Task Force found that this practice is confusing to users and pushes users to give consent, thereby making it non-compliant.
Non-compliance Example 4: Deceptive Colors
Certain cookie consent banners will offer the “accept” button in a pleasant green color and the “deny” button in a scary red color, or display “accept” in all caps and the “deny” option in a color that has very low contrast against its background.
While the Task Force found that each banner must be evaluated on a case-by-case basis, colors and contrasts should not be misleading to users.
The Task Force stated that, at the least, the contrast should be such that all options are easily readable to the individual.
Non-compliance Example 5: Legal Basis
To process personal data under GDPR and the UK DPA, the data processor must have a legal basis for doing so. Data processors can choose from the following legal bases:
- The individual has consented to the processing of their personal data;
- Processing is necessary for the performance of a contract or to take steps to enter into a contract;
- Processing is necessary for compliance with a legal obligation;
- Processing is necessary in order to protect the vital interests of the individual or of another person;
- Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- Processing is necessary for the purposes of the legitimate interests pursued by a controller or a third party.
The Task Force found that “legitimate interests” is not an appropriate legal basis for the processing of personal information for the purpose of targeted advertising.
In addition, in a recent case the Irish Data Protection Commission fined Meta 390 million euros for relying on contract as the legal basis to process personal data for the purpose of advertising.
Thus, it is important that you define the appropriate legal basis for such processing in your cookie consent banner or privacy information.
Non-compliance Example 6: Incorrect Classification of Cookies
As stated before, the purpose of the cookie consent banner is to gather consent for non-essential cookies. The Cookie Task Force found that some companies incorrectly classify cookies as essential so that consent does not need to be obtained for those cookies.
The Task Force acknowledged that it is difficult to classify cookies accurately, but defined essential cookies as “cookies without which the website will not work.” It is imperative to classify cookies correctly, as setting non-essential cookies without consent is not compliant.
Non-compliance Example 7: No Withdraw Icon
One of the defining elements of consent is that it can be withdrawn, and withdrawal of consent should be as easy as it was to provide consent.
The Task Force found that some websites only provide the cookie consent banner, and once the individual has consented to the cookies, an option to withdraw that consent is not provided.
The Task Force stated that websites should have easily accessible solutions for individuals to withdraw their consent at any time, such as through an icon or a link placed in a visible and standardized place.
Non-compliance Example 8: Placebo Cookie Consent Banners
While the Task Force did not specifically mention this example, it is important to note that some cookie consent banners do not actually work.
This means that they allow all cookies by default (without the user interacting with the banner), enable cookies even though the individual clicked “reject,” or do not allow the user to interact with the cookie consent banner at all.
These banners are termed “placebo banners” as they make it seem like the user’s privacy is being respected without actually doing so.
You should ensure that your cookie consent banner blocks all non-essential cookies by default and enables them only if the user has actually consented to those cookies.
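The deny-by-default gating described here and in the basics section above, as an added example that is not part of the original article: non-essential scripts are emitted as inert placeholders and only activated for categories whose stored consent record holds an explicit choice. The record format, category names and sample script URLs are assumptions.

```javascript
// Consent gating for non-essential scripts: deny by default, fail closed.
// Constructed example; the record format and category names are assumptions.
const CATEGORIES = ["functional", "marketing", "advertising"];

// Parse the stored consent record (e.g. read from a first-party cookie).
// Anything missing, malformed, or not an explicit `true` means "not consented",
// so a placebo-style "allow all until told otherwise" cannot happen.
function parseConsent(raw) {
  const consent = Object.fromEntries(CATEGORIES.map((c) => [c, false]));
  if (typeof raw !== "string" || raw === "") return consent;
  let record;
  try { record = JSON.parse(raw); } catch { return consent; }
  if (!record || record.version !== 1 || typeof record.choices !== "object" ||
      record.choices === null) return consent;
  for (const c of CATEGORIES) consent[c] = record.choices[c] === true;
  return consent;
}

// Build the record written when the user accepts or denies categories.
// Withdrawal is simply recordChoice({}): every category becomes false again.
function recordChoice(choices) {
  const record = { version: 1, choices: {} };
  for (const c of CATEGORIES) record.choices[c] = choices[c] === true;
  return JSON.stringify(record);
}

// Decide which deferred scripts may run. Each descriptor stands for a tag that
// was emitted as <script type="text/plain" data-consent="marketing" src=...>,
// which the browser never executes on its own; `activate` turns one on
// (in a page: create a real <script> element with the same src).
// Unknown or missing categories are blocked rather than assumed essential.
function gateScripts(scripts, consent, activate) {
  const outcome = { activated: [], blocked: [] };
  for (const s of scripts) {
    if (CATEGORIES.includes(s.category) && consent[s.category] === true) {
      activate(s);
      outcome.activated.push(s.src);
    } else {
      outcome.blocked.push(s.src);
    }
  }
  return outcome;
}

// Constructed sample scripts; "unknown.js" deliberately has no category.
const SAMPLE_SCRIPTS = [
  { src: "https://example.invalid/analytics.js", category: "marketing" },
  { src: "https://example.invalid/chat-widget.js", category: "functional" },
  { src: "https://example.invalid/unknown.js" },
];
```

Re-running `gateScripts` after every consent change (accept, deny, or withdrawal) keeps the loaded scripts in step with the record, which is the check a "placebo banner" fails.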
The above list of examples demonstrates that not all cookie consent banners are created the same and that not all are compliant.
When choosing a cookie consent banner for your website, keep the above examples in mind and avoid the non-compliant ones to avoid privacy law violations and fines.