UniConsent
The noyb (a European Centre for Digital Rights is an Austrian non-profit organization working in the privacy and data protection law) recently reported on the consent banner. It underscores the widespread use of deceptive practices in cookie consent banners and the need for stricter enforcement of data protection laws. The noyb highlighted specific non-compliance issues and provided recommendations to improve consent collection practices, aiming to ensure that user consent is informed and voluntary.
Noyb Guidelines on Cookie Banner Dark Pattern 2024
In recent years, data protection authorities (DPAs) across Europe have received numerous complaints regarding cookie banners. In response, the European Data Protection Board (EDPB) established a task force in September 2021 to coordinate responses to these complaints. In January 2023, this task force published a report titled “Report of the Work Undertaken by the Cookie Banner Taskforce,” providing their opinions and recommendations on the violations found in consent banners across the web. The 2023 report emphasizes that the taskforce's findings represent only the minimum thresholds for consent banners and that national DPAs have the authority to adopt higher standards.
In the newest report, the noyb gives us some takeaways: For instance, almost all authorities agree that if there is an "Accept Cookies" option, there must also be a "Reject" option on the same layer of the consent banner. Pre-ticked checkboxes are not permissible. Consent is mandatory for cookies that are not strictly necessary.
Here are the complete points:
Many consent banners do not provide an option to reject cookies on the first layer, leading users to believe they must accept cookies to continue using the site.
For example, a banner with only an "Accept" button and no visible "Reject" option on the first screen.
This practice leads to user frustration and higher likelihood of unintentional consent due to the additional effort required to refuse cookies.
Some banners use pre-ticked boxes for consent, requiring users to uncheck them to reject cookies, which is not considered valid consent.
For example, consent options are pre-selected, and users must manually deselect them to opt out.
This practice does not constitute valid consent as it is not freely given, specific, informed, or unambiguous.
The "Reject" option is often presented as a less prominent link compared to the "Accept" button, misleading users into thinking acceptance is the only option.
For example, the "Accept" button is prominently displayed, while the "Reject" option is a small link embedded in text.
Users may not notice the reject option, leading to unintentional consent.
Highlighting the "Accept" button over other options using different colours, making it more attractive and misleading to users.
For example, the "Accept" button is bright and eye-catching, while the "Reject" button is dull and blends into the background.
This design misleads users into thinking that accepting cookies is the default or only option.
Using different contrast ratios for "Accept" and "Reject" buttons, making the "Reject" button less visible and harder to notice.
For example, the "Accept" button has high contrast, while the "Reject" button has low contrast, making it difficult to read.
Users might unintentionally give consent due to the visual prominence of the "Accept" option.
Some banners claim legitimate interest as a basis for processing personal data without clear opt-out options.
For example, a banner stating that data processing is based on legitimate interest without providing an easy way to object.
This can confuse users and potentially violate their rights under GDPR.
Misclassifying cookies as essential when they are not, preventing users from rejecting them.
For example, classifying analytics cookies as essential to avoid seeking consent.
Users cannot opt out of non-essential cookies, which should require consent.
Withdrawing consent is often made more difficult than giving it.
For example, it is not easy-to-find "Withdraw Consent" button or link, unlike the prominent consent options.
Users might continue to share their data unintentionally due to the difficulty of withdrawing consent.
The overview of those key points:
DPA/Cookie Banner Question | EDPB Report | Austria | Belgium | Czech Republic | Denmark | Finland | France | German DSK (DPAs) | Greece | Ireland | Italy | Luxembourg | Netherlands | Spain |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Requires cookie reject option on first layer | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
Considers pre-ticked boxes illegal | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
Considers a link option to be misleading | Sometimes | ? | ✓ | ✓ | ✓ | ? | ✓ | ✓ | ✓ | ✓ | ✓ | ? | ✓ | ✓ |
Agrees that no nudging through different button colours should occur | Sometimes | ? | ✓ | ✗ | ✓ | ? | ✗ | ✓ | ✓ | ✓ | ✓ | ✓ | ? | Sometimes |
Agrees that no nudging through button contrast (compared to background) should occur | Sometimes | ? | ✓ | ✗ | ✓ | ? | ✗ | ✓ | ✓ | ✓ | ✓ | ✓ | ? | Sometimes |
Relying on legitimate interest for installing non-essential cookies is illegal | ✓ | ? | ✓ | ✓ | ? | ✓ | ✓ | ✓ | ✓ | ? | ✓ | ✓ | ? | ✓ |
Wrong classification of cookies and therefore installing them without consent is an issue | ✓ | ? | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ? | ✓ | ✓ | ? | ✓ |
Withdrawal is only permissible through a permanently visible floating icon | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ |
UniConsent ensures cookie banner compliance by addressing these issues through:
UniConsent is a part of Transfon's privacy-first User Experience Platform that serves tens of millions of users per day to provide a seamless privacy experience for both users and publishers in the age of post GDPR. Contact us to know more: hello@uniconsent.com
Activate Google Consent Mode UniConsent to enhance the accuracy of your Google Analytics and Google Ads conversion data.
Set up Google Consent Mode →Get started to make your website and application compliant for EU GDPR, US CPRA, CA PIPEDA etc
Sign upLeading CMP UniConsent Partners with Google to Activate Consent Mode
RTL Belgium Ordered to Add "Reject All" Button and Stop Using Deceptive Colors on Cookie Banners
CCPA: What is Opt-Out Preference Signal (OOPS)
Google Consent Mode V2 Explained
New York Attorney General Releases Guidelines for Website Privacy Controls
Google's Recent Decision to Retain Third-party Cookies
Get started to make your website and application compliant for EU GDPR, US CPRA, CA PIPEDA etc
Sign up