Cookie consent banners that use blatant design tricks to try to manipulate web users into agreeing to hand over their data for behavioral advertising, rather than giving people a free and fair choice to refuse this kind of creepy tracking, are facing a coordinated backlash from European Union data protection regulators.
A task force of several data protection authorities, led by the French CNIL and the Austrian authority, has spent many months jointly analyzing cookie banners. And in a report released this week, they agreed on how to handle complaints about certain types of cookie consent dark patterns in their respective jurisdictions – a development that looks set to make it more difficult for deceptive designs to fly across the EU.
The task force was convened in response to hundreds of strategic complaints filed between 2021 and 2022 by the European privacy rights group noyb – which developed its own tool to automate the analysis of websites’ cookie banners and generate reports and complaints (a way for a small non-profit to increase its strategic impact).
Cookies and other tracking technologies are governed by the EU’s ePrivacy Directive, which means that oversight of cookie banners is typically decentralized to regulators in member states. That in turn means the rules may be applied differently around the bloc depending on where the website in question is established. (For example, regulators in some states allow news sites to offer users the choice between accepting ad tracking to access the content (for free) or paying for a subscription to access it without tracking — although such “cookie consent paywalls” remain controversial and are unlikely to pass with every data protection authority.)
The degree of consensus reported by the task force suggests there will be some harmonization in how data protection authorities enforce complaints related to the design of cookie consent banners – with, for example, the vast majority of authorities agreeing that the lack of a ‘decline all’ option on the same level as an ‘accept all’ button is a breach of ePrivacy. So more enforcement against sites trying to bury an option to deny tracking seems likely.
The task force also agreed that consent flows containing pre-checked options (another tactic for manufacturing agreement) do not produce valid consent – which should surprise no one, as the Court of Justice of the EU already made it clear, way back in 2019, that active consent is required for all tracking cookies.
Over the past five years, since another EU law came into force that strengthened the rules around consent – namely the General Data Protection Regulation (GDPR) – data protection authorities have certainly paid more attention to cookie consent, as have complaints about how routinely the rules are broken.
This in turn has led many to update (and tighten) their guidelines on this issue — making it harder for sites to claim that the rules around tracking consent are unclear.
Enforcement is also on the rise, with certain watchdogs being very active – such as France’s CNIL which, since 2020, has fined a slew of tech giants (including Amazon, Google, Meta, Microsoft and TikTok) for a variety of cookie-related breaches, including multiple enforcement actions (and fines) for using dark patterns to manipulate consent.
The CNIL’s enforcement activities also include corrective orders that have forced some major design changes – including Google revising the cookie banner displayed across the EU last year to (finally) include a ‘deny all’ option at the top level. Which is quite a win.
And as the CNIL has played a leading role in coordinating the task force’s work, it seems some of its approach is rubbing off on fellow data protection authorities.
In a press release accompanying the European Data Protection Board’s adoption of the task force’s report earlier this week, which summarizes the outcome, the French regulator writes: “In particular, this report states that the vast majority of authorities believe that the lack of any possibility of refusing/disagreeing cookies at the same level as the one envisaged to accept their storage constitutes an infringement of the law (Article 5(3) of the e-Privacy Directive). The CNIL had already taken such a position in its directives and in the context of various sanctions.”
In addition to agreeing on the need for both an “Accept All” button and a “Decline All” button, the task force agreed that the design of cookie banners should provide web users with enough information to enable them to understand what they are consenting to and how to express their choice.
And that cookie banners should not be designed in such a way as to “give users the impression that they must consent to access the website’s content, nor that the user is clearly coerced into consenting,” as the report states.
They also agreed on some examples of cookie banner designs that would not lead to valid consent – such as when “the only alternative action offered (other than granting consent) consists of a link behind wording such as ‘decline’ or ‘continue without accepting’ embedded in a paragraph of text in the cookie banner, in the absence of sufficient visual support to draw an average user’s attention to this alternative action”; or where “the only alternative action offered (other than granting consent) is a link following phrases such as ‘decline’ or ‘continue without accept’ outside the cookie banner where the buttons to accept cookies are presented, in the absence of sufficient visual support to draw users’ attention to this alternative action outside the box”.
So basically they got some consensus on excluding certain common dark patterns from cookie banners.
But when it comes to visual tricks, such as using highlight colors to draw attention to an “accept all” button while making a decline option harder to see, the task force decided that a case-by-case analysis of the look and feel (and of whether such design choices are clearly misleading) would be necessary in most cases. And they agreed that it is not their place to impose a blanket banner standard (for color and/or contrast) on data controllers.
They also agreed that a “reject all” button designed so that its text is “unreadable to virtually any user” could be “manifestly misleading” to users.
Other issues the task force grappled with included a more recent addition to cookie consent hell: sites that (also) claim a “legitimate interest” in ad processing. This often means a bunch of extra toggles alongside the consent-based buttons, typically shown only in a secondary layer (or submenu), while the top level offers no “deny all” option – instead users have to click through into settings and dig through a confusing mess of switches (sometimes with the LI toggles pre-checked).
“The integration of this notion of legitimate interest for subsequent processing ‘in the deeper layers of the banner’ can be seen as confusing for users who may think they have to refuse twice not to have their personal data processed,” the report notes.
The task force also agreed on how regulators should determine whether subsequent processing based on cookies is lawful – saying that this includes determining whether “storing/accessing information by means of cookies or similar technologies is done in accordance with Article 5(3) ePrivacy Directive (and the national implementing rules)” and whether “any subsequent processing is done in accordance with the GDPR”.
“In this regard, the members of the task force were of the opinion that the non-compliance found with regard to art. 5(3) of the ePrivacy Directive (particularly where valid consent has not been obtained where required) means that subsequent processing cannot be compliant with the GDPR. Also, the TF members confirmed that the legal basis for the placing/reading of cookies under Article 5(3) cannot be the legitimate interests of the controller,” they add in the report.
While they seem largely in agreement on how to deal with the new scourge of LI toggles appearing in cookie consent flows, they say they “agree to resume discussions about this sort of practice if they come across concrete instances where further discussion would be needed to get a consistent approach”.
The task force also discussed what to do with sites that attempt to classify some non-essential data processing as strictly necessary/essential – thereby bundling it into a category that does not require consent under ePrivacy or the GDPR. However, they considered that there are practical difficulties in determining what processing is strictly necessary.
“Taskforce members agreed that the assessment of cookies to determine which cookies are essential poses practical difficulties, in particular due to the fact that the characteristics of cookies change regularly, making it impossible to establish a stable and reliable list of such essential cookies,” they wrote. “The existence of tools to compile the list of cookies used by a website has been discussed, as well as the responsibility of website owners to maintain such lists, to provide them to the competent authorities upon request and to show the essential nature of the cookies,” they noted.
On another issue – withdrawal of consent – they agreed that website owners should “introduce easily accessible solutions that allow users to withdraw their consent at any time”, for example a small icon (“floating and permanently visible”) or a link “placed in a visible and standardized place”.
However, they again shied away from imposing on site owners a specific standardized way for users to withdraw consent, saying they can only be required to provide “easily accessible solutions” once consent is obtained.
“A case-by-case analysis of the solution shown to withdraw consent will always be necessary. This analysis should consider whether this meets the legal requirement that it is as easy to withdraw as it is to give consent,” they added.
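The rules above (a reject option on the same layer and of the same kind as accept, no pre-checked toggles, no legitimate-interest basis for placing or reading cookies, and withdrawal that is as easy as consenting) translate directly into things a site can check in code. What follows is an added example written for this page; it is not code from the article, the task force, the CNIL or any consent-management vendor. The declarative banner layout format, the category names (`analytics`, `advertising`), the `kind` and `basis` fields and the storage key are all assumptions made for the illustration. The first function lints a banner description for the task force’s listed failure modes; the second is a runtime gate that keeps every non-essential category off until an explicit user action and makes withdrawal a single call.

```javascript
// Added example, not code from the article or from any regulator or vendor.
// The layout schema, category names and storage key below are assumptions.

const STORAGE_KEY = "consent-v1";                  // assumed storage key
const NON_ESSENTIAL = ["analytics", "advertising"]; // assumed category names

// (1) Lint a declarative banner description. `layers[0]` is what the user
// sees before any click; later layers are settings sub-menus.
function auditBanner(banner) {
  const findings = [];
  const first = banner.layers[0] || { controls: [] };
  const accept = first.controls.find((c) => c.action === "accept_all");
  const reject = first.controls.find((c) => c.action === "reject_all");
  if (accept && !reject) {
    findings.push("no reject_all on the same layer as accept_all");
  } else if (accept && reject && reject.kind !== accept.kind) {
    // e.g. accept is a button while reject is a link buried in a paragraph
    findings.push(`reject_all is a ${reject.kind} while accept_all is a ${accept.kind}`);
  }
  for (const [i, layer] of banner.layers.entries()) {
    for (const c of layer.controls) {
      if (c.kind === "toggle" && c.checked) {
        findings.push(`pre-checked toggle "${c.category}" on layer ${i}`);
      }
      if (c.basis === "legitimate_interest") {
        findings.push(`legitimate-interest toggle "${c.category}" on layer ${i}: ` +
          "not a valid basis for storing/reading cookies");
      }
    }
  }
  if (!banner.withdrawal || !banner.withdrawal.alwaysVisible) {
    findings.push("no permanently visible way to withdraw consent");
  }
  return findings;
}

// (2) Runtime gate. `store` is any Map-like with get/set (a localStorage
// wrapper in a browser); a plain Map is used here so the example runs offline.
class ConsentGate {
  constructor(store = new Map()) {
    this.store = store;
    const raw = store.get(STORAGE_KEY);
    // No stored decision means nothing non-essential is allowed: the
    // default is "refused", never a pre-checked "accepted".
    this.state = raw ? JSON.parse(raw) : { decided: false, choices: {} };
  }
  _commit(choices) {
    this.state = { decided: true, choices };
    this.store.set(STORAGE_KEY, JSON.stringify(this.state));
    return this.state;
  }
  acceptAll() {
    return this._commit(Object.fromEntries(NON_ESSENTIAL.map((c) => [c, true])));
  }
  rejectAll() {
    return this._commit(Object.fromEntries(NON_ESSENTIAL.map((c) => [c, false])));
  }
  // Granular save from a settings layer: only categories explicitly set to
  // boolean true are enabled; anything absent or non-boolean is refused, so a
  // pre-checked control or a form quirk cannot leak through as consent.
  saveChoices(selected) {
    return this._commit(Object.fromEntries(NON_ESSENTIAL.map((c) => [c, selected[c] === true])));
  }
  // Withdrawal is one call, the same cost as acceptAll().
  withdraw() {
    return this.rejectAll();
  }
  // Call before setting or reading any cookie in `category`.
  canSet(category) {
    if (category === "essential") return true;
    return this.state.decided && this.state.choices[category] === true;
  }
}
```

The lint is only as good as the description fed to it: a real deployment would generate that description from the rendered banner (or from the consent-management platform’s configuration) rather than hand-write it, and the visual-contrast cases the task force left to case-by-case review are deliberately out of scope here.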