Background
Recently, NOYB, a European organization that advocates for data privacy rights and challenges privacy violations through legal action and advocacy, filed several hundred complaints against companies that use questionable consent banners. In September 2021, the European Data Protection Board (EDPB) established a "cookie banner task force". In January 2023, the EDPB task force published a report offering its opinion and recommendations regarding the different kinds of violations found in consent banners. NOYB compared the positions of the EDPB and national DPAs in guidance documents and actual decisions, and published a Consent Banner Report listing the authorities' views on 8 types of cookie banner design.
Problematic cookie designs are attracting enforcement attention
Of the 8 designs reviewed, 4 are commonly deployed and trending up in authority enforcement activity. This post provides examples of these non-compliant website and application practices, which are likely to attract additional enforcement attention. Complicating matters, not all regulators have officially ruled on all four designs. We will begin by reviewing the current regulatory positions for each country in the European Union, followed by illustrative examples of the problematic cookie banner designs.
Authorities' decisions
We try to make each description straightforward, hoping to illustrate the idea as accurately as possible.
🔴 - It’s a violation
🟡 - Not decided
| Cookie Designs | EDPB 🇪🇺 | Austria 🇦🇹 | Belgium 🇧🇪 | Czech Republic 🇨🇿 | Denmark 🇩🇰 | Finland 🇫🇮 | France 🇫🇷 | Germany 🇩🇪 | Greece 🇬🇷 | Ireland 🇮🇪 | Italy 🇮🇹 | Luxembourg 🇱🇺 | Netherlands 🇳🇱 | Spain 🇪🇸 |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Non-essential cookies are pre-checked by default | 🔴 | 🔴 | 🔴 | 🔴 | 🔴 | 🔴 | 🔴 | 🔴 | 🔴 | 🔴 | 🔴 | 🔴 | 🔴 | 🔴 |
| No side-by-side Reject/Accept button to induce user acceptance | 🔴 | 🔴 | 🔴 | 🔴 | 🔴 | 🔴 | 🔴 | 🔴 | 🔴 | 🟡 | 🔴 | 🔴 | 🔴 | 🔴 |
| Wrongful cookie classification causes cookies to be installed without user consent | 🔴 | 🔴 | 🔴 | 🔴 | 🟡 | 🔴 | 🟡 | 🔴 | 🟡 | 🔴 | 🟡 | 🔴 | 🔴 | 🔴 |
| Installing non-essential cookies by wrongfully claiming legitimate interest | 🔴 | 🟡 | 🔴 | 🔴 | 🟡 | 🔴 | 🟡 | 🔴 | 🟡 | 🟡 | 🔴 | 🟡 | 🟡 | 🔴 |
Examples
We take the following examples from the original NOYB report and add our notes to illustrate the ideas.
Non-essential cookies pre-checked by default
Behavior: Functional cookies and performance cookies were pre-ticked by default.
What’s wrong: Functional cookies and performance cookies fall under the category of non-essential cookies. According to the GDPR, consent for non-essential cookies must be obtained through an opt-in mechanism, i.e. by explicitly receiving user consent. This implies that, by default, users are not opted in. Therefore, websites must assume that users do not want their non-essential cookies collected, and the checkboxes for each type of non-essential cookie should not be pre-checked.
No side-by-side Reject/Accept button to induce user acceptance
Behavior: The "Agree" button is prominently displayed on the first layer, while users who wish to "Reject" must first click on "OPTIONS" to navigate to the second layer and complete additional steps.
What’s wrong: Authorities are becoming less tolerant of what are known as "dark patterns", which include practices where companies make it easier for users to consent to the collection of their personal data than to reject it. This trend was underscored by a significant precedent set by the French Data Protection Authority, which fined Google Ireland Ltd. €60 million, Google LLC €90 million and Facebook Ireland Ltd €60 million on Dec. 31st 2021.
Wrongful cookie classification causes cookies to be installed without user consent
Behavior: Cookies are classified as ‘essential’ or ‘strictly necessary’ when they are NOT.
What’s wrong: Misclassifying cookies can lead to companies collecting cookies without proper user consent. For instance, if a cookie is mistakenly classified as essential, users cannot reject it. Likewise, if a user consents to functional cookies but rejects marketing cookies, misclassifying a marketing cookie as functional constitutes a violation.
Installing non-essential cookies by wrongfully claiming legitimate interest
Behavior: Claiming that "Matching and combining data from other data sources" is subject to legitimate interests.
What’s wrong: Under Article 5(3) of the ePrivacy Directive and the GDPR, a controller (e.g. a company) cannot rely on its legitimate interests to set non-essential cookies. This means companies have to acquire user consent before setting any non-essential cookie.
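As an added example (not code from the NOYB report, the regulators, or Kaamel), the JavaScript below shows a consent gate that enforces the opt-in default described under the first design, plus an audit function that flags all four designs in a banner description: pre-checked non-essential categories, an accept button without a first-layer reject, cookies presented as essential that a reference classification says are not, and purposes claimed under legitimate interest. The cookie names, category labels, button wordings and the shape of the banner description are constructed assumptions, not a real consent-management API.

```javascript
// Added example (not code from the NOYB report or from Kaamel): a consent gate that
// applies the opt-in rule to non-essential cookie categories, plus a check of a
// banner description against the four designs discussed above.

// Constructed reference classification for a hypothetical site (assumption):
// only "essential" cookies may be set without consent.
const COOKIE_CATEGORIES = {
  session_id: "essential",
  csrf_token: "essential",
  _ga: "performance",       // analytics, non-essential
  prefs_lang: "functional", // non-essential
  _fbp: "marketing",        // non-essential
};
// Button labels treated as "accept" / "reject" on the first layer (assumption).
const ACCEPT_LABELS = ["accept", "accept all", "agree", "allow all"];
const REJECT_LABELS = ["reject", "reject all", "decline", "refuse"];

// Opt-in principle: the default consent state opts the user in to nothing.
function defaultConsent() {
  return { essential: true, functional: false, performance: false, marketing: false };
}

// Names of cookies that may be set under the given consent state.
// Unclassified cookies are refused, so a missing entry fails closed.
function allowedCookies(consent, categories = COOKIE_CATEGORIES) {
  return Object.keys(categories).filter((name) => consent[categories[name]] === true);
}

// Flags the four designs in a constructed banner description (hypothetical shape,
// not a real CMP API): checkboxes [{ category, checked }] and firstLayerButtons
// (labels) describe the first layer; claimedEssential lists cookie names shown as
// "strictly necessary"; legitimateInterest lists purposes claimed under that basis.
function auditBanner(banner, categories = COOKIE_CATEGORIES) {
  const findings = [];
  if (banner.checkboxes.some((cb) => cb.category !== "essential" && cb.checked)) {
    findings.push("non-essential-prechecked");
  }
  const labels = banner.firstLayerButtons.map((b) => b.trim().toLowerCase());
  const hasAccept = labels.some((l) => ACCEPT_LABELS.includes(l));
  const hasReject = labels.some((l) => REJECT_LABELS.includes(l));
  if (hasAccept && !hasReject) findings.push("no-side-by-side-reject");
  if (banner.claimedEssential.some((name) => categories[name] !== "essential")) {
    findings.push("misclassified-as-essential");
  }
  if (banner.legitimateInterest.length > 0) findings.push("legitimate-interest-for-cookies");
  return findings;
}
```

Run the audit against a banner description captured from your own site; an empty findings list means none of the four designs was detected under these assumptions.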
Future considerations
When collecting cookies under GDPR rules, the key principle is to allow users to freely consent before their data is gathered. "Freely" also means avoiding "Dark Patterns" such as making accepting easier than rejecting cookies.
As regulators mature and issue decisions on specific functionality and consumer awareness grows, the privacy experience becomes the initial impression when a new user visits your site—a critical step for any business's conversion. The question of investing in a product/website's privacy experience is not about "when" but "how."
In our research, we’ve discovered that many investigations by regulators, and the fines that follow, are often triggered by what feel like minor product details. We believe this stems from two challenges: discovery and organizational friction.
Today, discovery of non-compliant features relies on checks from expensive privacy consultants, stretched privacy teams, or worse - customers. This becomes particularly difficult at scale.
The organizational friction comes from the number of teams responsible for making changes to tracking behaviors that may impact legal risk, conversion rates, brand, and personalization experiences. While many companies put organizational processes in place to handle meeting initial GDPR requirements, those processes atrophied or were abandoned during the pandemic.
Why is this? There are numerous aspects to consider in the privacy experience. For example, do published policies meet regulatory requirements in the correct format? How can Legal/Privacy officers easily see the inner workings of a product to identify gaps or misrepresentations sooner?
How Kaamel can help
If manually checking all of your banners around the world feels overwhelming, we can help. Kaamel's Regulator Bot reads your privacy policy, then navigates your sites with the context of enforcement actions and regulatory frameworks around the world to find violations and misrepresentations and to validate compliance. It gives your team the insight and direction needed to check that cookie banner services are configured properly, and reviews data collection like a regulator inspecting your site or mobile app.
Our customers are conducting external website and mobile application scans without intrusive integration. Get in touch to see a demo of how we can make your company's privacy experience easier for all your teams.