Have Questions About This Guide?
Book a 30-minute call with one of our experts. You’re in safe, experienced hands.
Perhaps the biggest area of confusion for website owners is around Cookie Banners.
Most websites choose to implement a cookie banner or pop-up, which displays when a user lands on the website and which provides the first layer of information about the use of cookies and other tracking technologies.
This banner or notice should also contain a link to your Cookies Policy and Privacy Policy.
There is currently a very apparent inconsistency in how Cookie Banners are designed and in their characteristics.
Check 10 different sites and you’ll get 10 different designs.
This inconsistency is now recognised by data protection regulators as a problem.
Cookie consent banners that use blatant design tricks to try to manipulate web users into agreeing to hand over their data, instead of giving people a free and fair choice to refuse this kind of tracking, are facing a coordinated pushback from data protection regulators.
In September 2021, the European Data Protection Board (EDPB) set up a Cookie Banner Taskforce to coordinate the response to over 700 complaints made by noyb (which stands for “None of Your Business”) to data protection supervisory authorities (SAs) concerning the design and characteristics of cookie banners.
On 18th January 2023, the Taskforce published its draft report on work undertaken to date.
In the report, the SAs agreed on how the applicable provisions of ePrivacy and GDPR should be interpreted in relation to the design of cookie banners.
This is timely for the purpose of this Audit because the report provides guidance on issues such as reject buttons, pre-ticked boxes, banner design and withdrawal of consent.
We outline the key takeaways from the report below.
Following a coordinated review of several cookie banners which were the subject of complaints, the Taskforce provided the following commentary on various design aspects of cookie banners:
| Issue | Taskforce Commentary |
| --- | --- |
| No “reject” button on the first layer | The Taskforce noted that the “vast majority” of SAs agreed that not having a “reject” button on any layer of the cookie banner which has an “accept” option is not in line with requirements for valid consent. However, there continues to be divergence on this issue, as the Taskforce also indicates that a “few” SAs considered that there cannot be an infringement for failing to have a “reject” button, as the ePrivacy Directive (ePD) does not explicitly mention a “reject option” to the deposit of cookies – this is the current legal position. |
| Pre-ticked boxes | The Taskforce remind stakeholders that pre-ticked boxes (either in the first or second layer of the cookie banner) do not constitute valid consent. |
| Link Designs | In order for consent to be freely given, a website owner must not design its cookie banners in a way that gives users the impression that they have to give consent to access the website or which clearly pushes the user to give consent. Rather, for consent to be valid, the user should be able to understand what they consent to and how to do so. The Taskforce note that the practice of using a hyperlink in the cookie banner for the reject option, as opposed to a button, could be deceptive. By way of example, the Taskforce indicate that in the absence of sufficient visual support to draw a user’s attention to a method for refusal, the following do not lead to valid consents: |
| Deceptive Button Colours and Deceptive Button Contrast | The Taskforce observe that design choices in respect of colour and contrast can mislead users and result in the unintentional giving of consent. It is recommended that website operators avoid using colours or contrast ratios which highlight the “accept all” button over other available options. For example, it is manifestly misleading for users where the contrast between the “reject” button and the background of the cookie banner is so minimal that the text is unreadable to the user. |
| Legitimate interests claimed | Claiming reliance on the “legitimate interests” legal basis for the use of non-essential cookies (e.g., targeted advertising cookies) and not collecting valid consent for the use of such cookies is prohibited. The EDPB also clarified that non-compliance with the rules on the use of cookies will result in non-compliance of any subsequent processing of personal data collected through cookies. |
| No withdraw icon | The Taskforce recommend that website owners should put in place easily accessible solutions that allow users to withdraw their consent to the use of cookies at any time, for example by using a small hovering and permanently visible icon or via a link placed in a visible and standardised place. |