European Data Protection Board's 8 cookie banner mistakes to avoid
Posted: January 20, 2023
In September 2021, the European Data Protection Board (EDPB) formed a “Cookie Banner Taskforce” to investigate a series of complaints about how websites get cookie consent.
The Taskforce published its draft report on 18 January 2023. The report lists eight non-compliant practices that are common among cookie banners.
There’s a common theme across each of these design features—they seek to trick, nudge or persuade users into providing cookie consent when they might not truly want to do so.
These deceptive design techniques are sometimes called “dark patterns”.
If your website or app uses these tricks to get cookie consent, you might be violating the EU’s ePrivacy Directive and General Data Protection Regulation (GDPR).
And more importantly, you’re likely to be causing your users considerable annoyance.
Here’s a look at the eight cookie banner “no-no”s identified by the Cookie Banner Taskforce.
1. No reject button on the first layer
The Taskforce found that most cookie banners offer an “accept” button up front, often accompanied by a button reading “show options” or similar.
But on this first layer of the cookie banner, there’s no “reject” option. The user has to find “reject” by digging into the “show options” menu.
Cookie banners should make it equally easy to “reject” or “accept” cookies. Give your users those two options up front.
2. Pre-ticked boxes
Sometimes, a cookie banner will provide both “accept” and “reject” options as tickboxes, accompanied by a button reading “save my choices” or similar.
This is fine—unless the “accept” box is already ticked.
Consent under the GDPR must be “unambiguous” and “affirmative”. Consider Recital 32 of the GDPR: “silence, pre-ticked boxes or inactivity” are not considered valid forms of consent.
If you’re requesting consent via a tickbox, leave it unticked.
3. Deceptive link design
Sometimes, cookie banners won’t allow the user to access a site unless they accept cookies. These “cookie walls” have long been considered unacceptable under EU law.
But there’s another, similar sort of cookie banner that’s also problematic.
This sort of cookie banner makes it appear as if the user has to consent to cookies to access the site—even if they ultimately do not.
Your cookie banner should be non-intrusive. Don’t use the banner to block—or appear to block—access to your website or app.
4. Deceptive button colours and 5. Deceptive button contrast
The Taskforce found that some cookie banners employ deceptive button colours and button contrast that can make the “reject” button hard to read—either due to small text, or text that is the same colour as the button itself.
Make sure your cookie banner is clear, with easy-to-read “accept” and “reject” options.
6. Legitimate interest claimed, list of purposes
Consent is not the only legal basis for processing personal data under the GDPR. But due to the ePrivacy Directive, consent is the only valid legal basis for setting non-essential cookies.
There is a widespread (but dying) practice of setting cookies under “legitimate interests”. Some cookie banners display a long list of “purposes” for using cookies under legitimate interests.
These legitimate interest purposes are enabled by default, meaning that the user has to manually “opt out” of each processing purpose.
The Taskforce makes it clear that this is not an acceptable cookie banner practice. If you want to set non-essential cookies on a user’s device, get opt-in consent.
7. Inaccurately defined “essential” cookies
Some cookies do not require consent. These cookies, broadly defined as “essential”, are clearly identified in 2012 guidance from the EDPB’s predecessor, the Article 29 Working Party.
Some cookie banners—whether intentionally or not—wrongly characterise certain marketing or analytics cookies as “essential”, and state that these cookies do not require consent.
If you believe your website or app needs to set “essential” cookies without consent, make sure these cookies are actually “essential” under the Article 29 Working Party’s guidance.
8. No “withdraw” icon
Don’t take your users’ consent for granted.
Under the GDPR, it must be as easy to withdraw consent as it is to give consent.
The Taskforce found that many websites don’t offer an easily accessible way for users to withdraw their consent.
The report recommends displaying “a small hovering and permanently visible icon on all pages of the website” that enables users to easily withdraw their consent.