Cookie consent banners that use blatant design tricks to try to manipulate web users into agreeing to hand over their data for behavioral advertising, instead of giving people a free and fair choice to refuse this kind of creepy tracking, are facing a coordinated pushback from the European Union’s data protection regulators.
A taskforce of several DPAs, led by France’s CNIL along with Austria’s authority, has spent many months on a piece of joint-work analyzing cookie banners. And in a report published this week they’ve arrived at some consensus on how to approach complaints about certain types of cookie consent dark patterns in their respective jurisdictions — a development that looks set to make it harder for deceptive designs to fly around the EU.
The taskforce was convened in response to hundreds of strategic complaints, filed between 2021 and 2022 by the European privacy rights group, noyb — which developed its own tool to help automate analysis of websites’ cookie banners and generate reports and complaints (a smart trick by a small not-for-profit to scale its strategic impact).
Cookies and other tracking technologies fall under the EU’s ePrivacy Directive, which means oversight of cookie banners is typically decentralized to regulators in Member States. That in turn means there can be varying applications of the rules around the bloc, depending on where the website in question is hosted. (Regulators in some Member States, for example, allow news sites to offer users a choice between accepting ad tracking to gain (free) access to the content or paying for a subscription to get access without tracking — although such ‘cookie consent paywalls’ remain controversial and are unlikely to pass muster with every DPA.)
Given the degree of consensus reported by the taskforce, it suggests there will be some harmonization in how DPAs enforce complaints related to the design of cookie consent banners — with, for example, the vast majority of authorities agreeing that the lack of a ‘refuse all’ option at the same level as an ‘accept all’ button is a breach of ePrivacy. So more enforcement against sites that try to bury an option to refuse tracking looks likely.
The taskforce also agreed that consent flows which feature pre-checked options (i.e. as another tactic to try to nudge agreement) is not valid consent either — which should surprise no one given Europe’s top court already clarified a need for active consent for tracking cookies all the way back in 2019.
Over the past five or so years, since another EU law came into application bolstering the rules around consent — namely the General Data Protection Regulation (GDPR) — DPAs have certainly been paying more attention to cookie consents. Including as complaints over how routinely the rules were being flouted piled up.
This in turn has led many to update (and tighten) their guidance on this issue — making it harder for sites to claim the rules around tracking consent are unclear.
Enforcements have also been picking up, with certain watchdogs being very active — such as France’s CNIL which, since 2020, has fined a raft of tech giants (including Amazon, Google, Meta, Microsoft and TikTok) for a variety of cookie-related breaches, including multiple enforcements (and fines) over the use of dark patterns to try to manipulate consent.
The CNIL’s enforcement activity has also featured corrective orders that have helped forced some major design changes — including Google revising the cookie banner it displays across the whole EU last year to (finally) feature a top-level ‘refuse all’ option. Which is quite the win.
And given the CNIL has had a leading role in coordinating the taskforce’s work, it appears that some of its convention is rubbing off on fellow DPAs.
In a press release to accompany the European Data Protection Board’s adoption of the taskforce’s report earlier this week and summarize the outcome, the French regulator writes: “This report notably states that the vast majority of authorities consider that the absence of any option for refusing/rejecting/not consenting cookies at the same level as the one provided for accepting their storage constitutes a breach of the legislation (Article 5(3) of the ePrivacy Directive). The CNIL had already taken such a position in its guidelines and in the context of several sanctions,”
As well as agreement on the need for an ‘accept all’ button to be accompanied by a ‘refuse all’ one, the taskforce agreed that the design of cookie banners needs to provide web users with enough information to enable them to understand what they are consenting to and how to express their choice.
And that cookie banners must not be designed in such a way as to give users “the impression that they have to give a consent to access the website content, nor that clearly pushes the user to give consent”, as the report puts it.
They also agreed on some examples of cookie designs that would not lead to valid consent — such as where the design is such “the only alternative action offered (other than granting consent) consists of a link behind wording such as ‘refuse’ or ‘continue without accepting’ embedded in a paragraph of text in the cookie banner, in the absence of sufficient visual support to draw an average user’s attention to this alternative action”; or where “the only alternative action offered (other than granting consent) consists of a link behind wording such as ‘refuse’ or ‘continue without accepting’ placed outside the cookie banner where the buttons to accept cookies are presented, in the absence of sufficient visual support to draw the users’ attention to this alternative action outside the frame”.
So basically they got some consensus on ruling out certain common cookie banner dark patterns.
But on visual tricks — such as the use of highlight colors which might be selected to draw the eye to an ‘accept all’ button and make it harder to see a refuse option, the taskforce decided that case-by-case analysis of the look and feel (and the potential for these kind of design choices to be obviously misleading) would be needed in most cases. And they agreed it’s not their place to impose a general banner standard (vis-a-vis colour and/or contrast) on data controllers.
They also agreed that refuse all buttons that are designed in such as way as to render the text “unreadable to virtually any user” could be “manifestly misleading” for users.
Other issues the taskforce grappled with included a more recent addition to cookie consent hell — in which sites may seek to (also) to claim a “legitimate interest” for ads processing. Sometimes adding a bunch of additional toggles alongside the consent legal basis buttons that are typically displayed only in a secondary (or other sub-menu), and where the top level does not offer a ‘refuse all’ option — instead requiring users to click through into settings to unearth this confusing mess of toggles (sometimes with the LI ones pre-checked).
“The integration of this notion of legitimate interest for the subsequent processing ‘in the deeper layers of the banner’ could be considered as confusing for users who might think they have to refuse twice in order not to have their personal data processed,” the report observes on this.
The taskforce also agreed on how regulators should determine whether any subsequent processing based on cookies is lawful — saying this would entail determining whether “the storage/gaining of access to information through cookies or similar technologies is done in compliance with Article 5(3) ePrivacy directive (and the national implementing rules) — any subsequent processing is done in compliance with the GDPR. 24”.
“In this regard, the taskforce members took the view that non-compliance found concerning Art. 5 (3) in the ePrivacy directive (in particular when no valid consent is obtained where required), means that the subsequent processing cannot be compliant with the GDPR 5. Also, the TF members confirmed that the legal basis for the placement/reading of cookies pursuant to Article 5 (3) cannot be the legitimate interests of the controller,” they add in the report.
Although they appear to have largely reserved judgement on how to handle the fresh scourge of LI toggles appearing in cookie consent flows — saying they “agreed to resume discussions on this type of practice should they encounter concrete cases where further discussion would be necessary to ensure a consistent approach”.
The working group also discussed what to do about sites that seek to classify some non-essential data processing as strictly necessary/essential — and thereby bundle it into a category which does not require consent under ePrivacy or the GDPR. However they took the view that there are practical difficulties in determining which processing is strictly necessary.
“Taskforce members agreed that the assessment of cookies to determine which ones are essential raises practical difficulties, in particular due to the fact that the features of cookies change regularly, which prevents the establishment of a stable and reliable list of such essential cookies,” they wrote. “The existence of tools to establish the list of cookies used by a website has been discussed, as well as the responsibility of website owners to maintain such lists, and to provide them to the competent authorities where requested and to demonstrate the essentiality of the cookies listed.”
On another issue — of withdrawing consent — they agreed website owners should put in place “easily accessible solutions allowing users to withdraw their consent at any time”, giving the example of a small icon (“hovering and permanently visible”) or a link “placed on a visible and standardized place”.
However they again shied away from imposing a specific standardized way for users to withdraw consent on site owners, saying that they could only be required to implement “easily accessible solutions” once consent has been collected.
“A case-by-case analysis of the solution displayed to withdraw consent will always be necessary. In this analysis, it must be examined whether, as a result, the legal requirement that it is as easy to withdraw as to give consent is fulfilled,” they added.