There is no way that you have browsed the internet and not come across cookie consent banners and pop-ups. They are now omnipresent thanks to the GDPR. Any website that collects user information has a cookie consent notice, from online shopping to news websites to personal blogs.
Imagine the number of times you have accepted a cookie notice without reading it or just continued scrolling by ignoring it. This brings us to the question – are cookie prompts useful? Certainly yes. They have raised awareness about online privacy, tracking, data collection etc. But, do they ensure GDPR compliance and user privacy?
Dark patterns in cookie consent
Dark patterns are interface designs that steer users into a choice they would not otherwise make, and cookie consent banners increasingly rely on them. Typical examples are pre-ticked boxes, toggles that are switched on by default, and cookie notices that give no information at all.
Take a look at this cookie banner. It has only an ‘accept’ button and a link to adjust cookie settings.
Clicking on it takes you to an expanded screen where all the non-essential cookies are pre-ticked. Unless the user clicks on the link, they won’t be aware that they are consenting to all the cookies!
A study on cookie consent notices reported that placing cookie settings or information below the first layer “renders it effectively ignored”. It also noted that 57.4% of the consent notices had interface design that steered users towards accepting privacy-unfriendly options.
Similarly, the Irish Data Protection Commission reported that 26% of the websites it studied used pre-checked boxes to signal consent to cookies, including marketing, advertising and analytics cookies.
Another study reported that cookie notifications fail to comply with the principles of EU privacy laws. Only 11% of cookie consent mechanisms “meet the minimal requirements of European law”.
A key takeaway from the studies is that websites offer no meaningful choice to consumers despite implementing cookie notifications. The question then remains — how can cookie notices get GDPR compliant without just paying lip service?
Cookies and Consent: Quick Recap
Cookie usage falls under the purview of the ePrivacy Directive, commonly referred to as the EU cookie law. But, it was the arrival of the General Data Protection Regulation (GDPR) in 2018 that was the key driver of websites implementing cookie banners.
In 2020, the EDPB released the updated consent guidelines. It specifically gives two clarifications — cookie walls do not constitute valid consent and scrolling or using a website after disregarding the cookie notice is not valid consent.
In January 2021, the EU Council released a new draft of the ePrivacy Regulation. Unlike a directive, which member states implement through their own national laws, a regulation applies directly and uniformly across the EU. The draft notes that cookies and trackers require explicit and affirmative consent from users, and that the consent collected must meet the GDPR's standard for consent.
So, what is GDPR-compliant consent? In short, Article 4(11) of the GDPR defines valid consent by four conditions – freely given, specific, informed and unambiguous. Article 7 adds further requirements – the controller must be able to demonstrate consent, and the user must be able to withdraw it as easily as it was given. Recital 32 of the GDPR states:
In the wake of the latest guidelines and the upcoming regulation, website owners should evaluate their practices surrounding cookie notices. Simply put, cookie consent is here to stay, so website owners should brace themselves for compliance.
What is a GDPR Compliant Cookie Consent Banner?
The mere existence of cookie banners and pop-ups does not guarantee compliance or user privacy. The ultimate aim of a cookie notice should be to give users a real choice in a user-friendly way.
For this article, we looked at a handful of websites in the EU, including big businesses, tech firms, startups, and publications. Most of them were found flouting the GDPR requirements and falling short of giving users a meaningful choice about consent.
We will look at these examples to know what not to do in cookie consent banners and how to rectify it. Read on to find out how you can streamline your cookie consent mechanism for GDPR compliance.
1. No pre-ticked boxes
Users have to give consent before you set any cookies on their devices, except strictly necessary cookies. You cannot use non-essential cookies unless the user has explicitly opted in to them.
This banner has functional and performance cookies pre-ticked. Recital 32 of the GDPR is explicit that pre-ticked boxes do not constitute consent, so you cannot use pre-ticked boxes or ‘on’ sliders for non-essential cookies.
Look at how ICO uses this cookie sidebar instead. The option for analytics cookies is turned off by default. So the user has to actively turn it on to allow its usage.
2. No notice-only cookie consent banners
A notice-only cookie banner tells users that the website deploys cookies, but never asks them to permit or accept anything. It gives the user no direct control over how cookies are used.
Closely related are confirmation-only banners that offer a single ‘OK’ or ‘agree’ button. Clicking it is treated as consent to everything, and there is no way to refuse. In both cases the website is relying on implied consent.
A study on dark patterns in cookie notices reported that 32.5% of websites used implicit consent. The website will assume that the user has agreed to the terms and usage of cookies if they continue to use the website. Notice-only banners are acceptable if you only use strictly necessary cookies that do not need user consent. For compliance, you have to mention this information in your cookie notice.
3. No ‘accept’-only banners
A lot of websites do not display the ‘reject’ button or do not have the ‘reject’ button displayed at the same level as the ‘accept’ button. This kind of banner nudges the user to accept the cookie notice. According to the ICO “A consent mechanism that emphasizes ‘agree’ or ‘allow’ over ‘reject’ or ‘block’ represents a non-compliant approach”.
A study found that websites rarely display ‘accept’ and ‘reject’ buttons with equal prominence: only 12.6% of sites showed both on the same page, while over 50% of sites had no ‘reject all’ button at all.
To give you a compliant example, look at this custom banner from CookieYes. It displays both ‘accept’ and ‘reject’ buttons at the same level.
4. No cookie walls
Some websites block access until a user accepts their cookies. The EDPB guidelines forbid the use of such cookie walls. It states that:
Cookie prompts like the one below do not let users access the website unless they accept all cookies.
You must give users access to your website without cookies unless the cookies are strictly required for its functions. The Dutch Data Protection Authority as well as the latest guidelines state that cookie walls violate GDPR principles.
5. No bundled cookie consent
Consent cannot be bundled with acceptance of terms and conditions, and it must be granular: users need separate, specific consent options for each different purpose of processing.
Granular consent gives the option to accept or deny consent between different categories of cookies such as necessary cookies, statistics cookies, marketing cookies.
This cookie sidebar, although detailed in explaining the cookie usage, fails to make consent specific and granular. Users cannot reject non-necessary cookies from the first layer; they have to accept all of them unless they first click through to ‘more info’.
The Planet49 judgement of 2019 clarifies that consent “must relate specifically to the processing of the data in question and cannot be inferred from an indication of the data subject’s wishes for other purposes.”
This cookie banner from CookieYes lets users exercise granular consent. Only necessary cookies are enabled by default, while every other cookie category stays off until the user switches it on. The banner also lists each necessary cookie and how long the website owner will retain it.
6. No confusing language
Many banners have wordings that lack clarity on how the user consents to cookies. Wording such as ‘OK’ ‘proceed’ or ‘continue’ may nudge users to move on with the default option, and not explore for more options in the settings.
The cookie prompt below uses the vague word ‘services’. It is unclear whether the user consents to cookies merely by scrolling through the website or only on further actions such as signing up. Either way, it fails on every point discussed so far.
For a more compliant example, look at the cookie banner of Monzo. Although accept and reject options don’t have the same weight, the banner communicates why they use the cookies and how the user can set preferences.
The cookie banner from NHS gives clear instructions to the user regarding cookies. The wordings on the button are also upfront and inform users about the choices they have.
7. No confusing icons or buttons
Another confusing interface element is the ‘close X’ icon or ‘dismiss’ button found on many cookie notices. These nudge the user to swat the banner away as yet another pop-up.
In the banners shown, there is no indication whether clicking ‘close’ merely hides the prompt for a while or is treated as accepting all cookies. Since disregarding a notice is not consent under the EDPB guidelines, closing the banner must leave every non-essential cookie switched off.
8. No obstructing banners
In terms of layout, the cookie prompt should be subtle but noticeable. Avoid banners that interrupt the user experience or break the design of the website, and make sure the banner is optimized for different devices (mobile as well as desktop).
Most cookie notices are placed in the header or bottom of websites. From a study of 1000 consent notices of websites in the EU, 58% were placed at the bottom of the screen and 93% of the notices did not block any content on the site.
The same study also noted that cookie notices at the bottom-left position received the most interactions. Over 37% of visitors interacted with them regardless of device type or choices made. A possible explanation is that they don’t cover the contents of the website, while top banners and notices may hide design elements of the website.
A checklist for GDPR compliant cookie notice
- Clean and user-friendly interface optimized for different devices
- Categorize the types of cookies you use – necessary, functional, marketing, analytics etc.
- Crisp, concise and jargon-free language
- Granular opt-in for each category of non-essential cookies
- Clear labelling of ‘accept’ and ‘reject’ buttons with equal emphasis
- Link/button to manage cookie settings or change preferences
- Information about your cookie providers, duration of each cookie
- Details of third parties (if any) you share information with
Put simply, your cookie notice should be clean, concise, and allow the user to make a meaningful choice without compromising on your website’s user experience. You can achieve all of this under one roof with CookieYes in just a few clicks! Find out how.
CookieYes for a GDPR compliant cookie consent
CookieYes is a cookie consent solution for your website that will help you to comply with data privacy laws such as the GDPR and the CCPA (California, USA).
CookieYes can automatically scan your website for cookies and add them to your site’s list of cookies. You can automatically block 20+ third-party cookies including cookies from Google Analytics, Facebook Pixel, Hotjar, and YouTube until you get user consent.
You can also access a record of users’ consents and their cookie preferences in a consent log. This can help you demonstrate your compliance during audits.
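To make the rules above concrete, here is an added example of the consent logic a site has to implement behind any banner; it is not CookieYes's own code or API. It models a necessary-only default state (no pre-ticked boxes), granular per-category choice, loading tags only after explicit consent, purging cookies on withdrawal, re-prompting when the cookie notice changes, and an append-only consent log of the kind Article 7 requires for proof of consent. The category names, tag ids, cookie names and the in-memory cookie jar are assumptions made so the code runs outside a browser.

```javascript
// Added example for this article; not CookieYes code. Category names, tag
// ids and cookie names are assumed, and a Map stands in for document.cookie.

const CATEGORIES = ["necessary", "functional", "analytics", "marketing"];

// Each tag declares the consent category it needs and the cookies it sets.
// Assumed entries; a real site derives this list from its cookie audit.
const TAGS = [
  { id: "session", category: "necessary", cookies: ["sid"] },
  { id: "prefs", category: "functional", cookies: ["lang"] },
  { id: "analytics-lib", category: "analytics", cookies: ["_ga", "_gid"] },
  { id: "ad-pixel", category: "marketing", cookies: ["_fbp"] },
];

// Starting state: only strictly necessary cookies are on. Nothing else is
// pre-ticked, and any category missing from the state reads as off.
function defaultConsent() {
  const state = {};
  for (const cat of CATEGORIES) state[cat] = cat === "necessary";
  return state;
}

// Tags allowed to run under a consent state. The strict `=== true` check
// means a missing category or a truthy string can never load a tag.
function allowedTags(consent, tags = TAGS) {
  return tags.filter((t) => consent[t.category] === true).map((t) => t.id);
}

// Delete the cookies of every category the user has not consented to.
// Returns the names removed so the caller can verify the purge.
function purgeRejected(consent, jar, tags = TAGS) {
  const removed = [];
  for (const t of tags) {
    if (consent[t.category] === true) continue;
    for (const name of t.cookies) {
      if (jar.delete(name)) removed.push(name);
    }
  }
  return removed;
}

// Build a choice object that sets every non-necessary category to `value`.
function allNonEssential(value) {
  const choice = {};
  for (const cat of CATEGORIES) if (cat !== "necessary") choice[cat] = value;
  return choice;
}

class ConsentStore {
  constructor(policyVersion, now = () => new Date().toISOString()) {
    this.policyVersion = policyVersion; // version of the cookie notice shown
    this.now = now;
    this.state = defaultConsent();
    this.log = []; // append-only record of each decision, for audits
  }

  // True until the user makes an explicit choice under the current notice.
  // Scrolling, closing the banner or continuing to browse must NOT call
  // record(), so the site keeps the necessary-only default and keeps asking.
  needsBanner() {
    const last = this.log[this.log.length - 1];
    return !last || last.policyVersion !== this.policyVersion;
  }

  // A new cookie notice (new purposes or vendors) invalidates old consent.
  setPolicyVersion(version) {
    this.policyVersion = version;
  }

  // Apply an explicit choice from the banner. Only known, non-necessary
  // categories with boolean values are accepted; anything else throws
  // before any state changes, rather than being treated as "accept".
  record(choice, action) {
    const next = defaultConsent();
    for (const [cat, value] of Object.entries(choice)) {
      if (!CATEGORIES.includes(cat) || cat === "necessary" || typeof value !== "boolean") {
        throw new Error(`invalid consent choice for '${cat}'`);
      }
      next[cat] = value;
    }
    this.state = next;
    this.log.push({ at: this.now(), action, policyVersion: this.policyVersion, categories: { ...next } });
    return { ...next };
  }

  // "Accept all" and "reject all" are single calls of equal weight, matching
  // buttons shown with equal prominence on the banner.
  acceptAll() { return this.record(allNonEssential(true), "accept_all"); }
  rejectAll() { return this.record(allNonEssential(false), "reject_all"); }

  // Withdrawal must be as easy as giving consent: one call returns the user
  // to the default state; the caller then runs purgeRejected().
  withdraw() { return this.record(allNonEssential(false), "withdraw"); }
}
```

In a real page, `allowedTags` decides which script elements get injected and `purgeRejected` maps to expiring cookies through `document.cookie` with the matching domain and path. Note that cookies a third party sets on its own domain cannot be deleted from your origin at all, so the only real control over those is never loading the tag until consent is recorded.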