Noyb Guidelines on Cookie Banner Dark Pattern 2024

UniConsent


noyb (the European Centre for Digital Rights, an Austrian non-profit organization working on privacy and data protection law) recently published a report on consent banners. The report underscores the widespread use of deceptive practices in cookie consent banners and the need for stricter enforcement of data protection laws. noyb highlighted specific non-compliance issues and provided recommendations to improve consent collection practices, aiming to ensure that user consent is informed and voluntary.


Background

In recent years, data protection authorities (DPAs) across Europe have received numerous complaints regarding cookie banners. In response, the European Data Protection Board (EDPB) established a task force in September 2021 to coordinate responses to these complaints. In January 2023, this task force published a report titled “Report of the Work Undertaken by the Cookie Banner Taskforce,” providing their opinions and recommendations on the violations found in consent banners across the web. The 2023 report emphasizes that the taskforce's findings represent only the minimum thresholds for consent banners and that national DPAs have the authority to adopt higher standards.

In its newest report, noyb offers some takeaways. For instance, almost all authorities agree that if there is an "Accept Cookies" option, there must also be a "Reject" option on the same layer of the consent banner. Pre-ticked checkboxes are not permissible. Consent is mandatory for cookies that are not strictly necessary.

Here are the complete points:

No Reject Button on the First Layer

Many consent banners do not provide an option to reject cookies on the first layer, leading users to believe they must accept cookies to continue using the site.

For example, a banner with only an "Accept" button and no visible "Reject" option on the first screen.

This practice leads to user frustration and a higher likelihood of unintentional consent, because refusing cookies requires additional effort.

Pre-Ticked Boxes

Some banners use pre-ticked boxes for consent, requiring users to uncheck them to reject cookies, which is not considered valid consent.

For example, consent options are pre-selected, and users must manually deselect them to opt out.

This practice does not constitute valid consent as it is not freely given, specific, informed, or unambiguous.

The "Reject" option is often presented as a less prominent link compared to the "Accept" button, misleading users into thinking acceptance is the only option.

For example, the "Accept" button is prominently displayed, while the "Reject" option is a small link embedded in text.

Users may not notice the reject option, leading to unintentional consent.

Deceptive Button Colours

Highlighting the "Accept" button over other options using different colours, making it more attractive and misleading to users.

For example, the "Accept" button is bright and eye-catching, while the "Reject" button is dull and blends into the background.

This design misleads users into thinking that accepting cookies is the default or only option.

Deceptive Button Contrast

Using different contrast ratios for "Accept" and "Reject" buttons, making the "Reject" button less visible and harder to notice.

For example, the "Accept" button has high contrast, while the "Reject" button has low contrast, making it difficult to read.

Users might unintentionally give consent due to the visual prominence of the "Accept" option.

Legitimate Interest Claimed

Some banners claim legitimate interest as a basis for processing personal data without clear opt-out options.

For example, a banner stating that data processing is based on legitimate interest without providing an easy way to object.

This can confuse users and potentially violate their rights under GDPR.

Inaccurately Classified Cookies

Misclassifying cookies as essential when they are not, preventing users from rejecting them.

For example, classifying analytics cookies as essential to avoid seeking consent.

Users cannot opt out of non-essential cookies, which should require consent.

Withdrawing consent is often made more difficult than giving it.

For example, the "Withdraw Consent" button or link is not easy to find, unlike the prominent consent options.

Users might continue to share their data unintentionally due to the difficulty of withdrawing consent.

The overview of those key points:

DPA/Cookie Banner Question | EDPB Report | Austria | Belgium | Czech Republic | Denmark | Finland | France | German DSK (DPAs) | Greece | Ireland | Italy | Luxembourg | Netherlands | Spain
Requires cookie reject option on first layer
Considers pre-ticked boxes illegal
Considers a link option to be misleading: Sometimes, ?, ?, ?
Agrees that no nudging through different button colours should occur: Sometimes, ?, ?, ?, Sometimes
Agrees that no nudging through button contrast (compared to background) should occur: Sometimes, ?, ?, ?, Sometimes
Relying on legitimate interest for installing non-essential cookies is illegal: ?, ?, ?, ?
Wrong classification of cookies and therefore installing them without consent is an issue: ?, ?, ?
Withdrawal is only permissible through a permanently visible floating icon

UniConsent's Compliance Solutions

UniConsent ensures cookie banner compliance by addressing these issues through:

  • Visible Reject Button: Ensuring the "Reject" button and "Manage Option" button are as prominent as the "Accept" button on the first layer.
  • Opt-In Mechanism: All consent options are unchecked by default, requiring active opt-in.
  • Clear Design: Equally prominent and clear design for both "Accept" and "Reject" options.
  • Consistent Button Colours and Contrast: Using similar colours and contrast levels for all options to avoid misleading users.
  • User-Friendly Withdrawal: Providing "Consent Settings" for users to withdraw consent at any time.
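
One way to check a banner against the points above, as an added example (not UniConsent's or noyb's code): the sketch below audits a banner description for a missing first-layer reject, a reject shown as a different element or colour, lower reject contrast against the banner background, pre-ticked purposes and legitimate interest without an objection control. The object shape, field names, finding labels and the `TOLERANCE` value are assumptions made for illustration; the contrast formula is the WCAG 2.x one.

```javascript
// Added example: audits a banner description for the dark patterns listed above.
// The object shape, field names and TOLERANCE are assumptions of this sketch.
function luminance(hex) { // WCAG 2.x relative luminance of "#rrggbb"
  const [r, g, b] = [1, 3, 5].map((i) => {
    const c = parseInt(hex.slice(i, i + 2), 16) / 255;
    return c <= 0.03928 ? c / 12.92 : Math.pow((c + 0.055) / 1.055, 2.4);
  });
  return 0.2126 * r + 0.7152 * g + 0.0722 * b;
}
function contrastRatio(a, b) { // WCAG contrast ratio, from 1 to 21
  const [hi, lo] = [luminance(a), luminance(b)].sort((x, y) => y - x);
  return (hi + 0.05) / (lo + 0.05);
}
const TOLERANCE = 1.5; // assumed, not a threshold set by noyb or any DPA

function auditBanner(banner) {
  const findings = [];
  const accept = banner.firstLayer.find((c) => c.role === "accept");
  const reject = banner.firstLayer.find((c) => c.role === "reject");
  if (accept && !reject) findings.push("no-reject-on-first-layer");
  if (accept && reject) {
    // A reject shown as a text link next to an accept button is less prominent.
    if (reject.element !== accept.element) findings.push("reject-not-same-element");
    if (reject.colour !== accept.colour) findings.push("button-colours-differ");
    // Compare how strongly each control stands out from the banner background.
    const ca = contrastRatio(accept.colour, banner.background);
    const cr = contrastRatio(reject.colour, banner.background);
    if (ca / cr > TOLERANCE) findings.push("reject-lower-contrast");
  }
  for (const p of banner.purposes) {
    if (p.checkedByDefault) findings.push("pre-ticked:" + p.name);
    if (p.basis === "legitimate-interest" && !p.objectControl)
      findings.push("no-objection-control:" + p.name);
  }
  return findings;
}

// Constructed sample banners (not taken from any real site).
const badBanner = {
  background: "#ffffff",
  firstLayer: [
    { role: "accept", element: "button", colour: "#0057b8" },
    { role: "reject", element: "link", colour: "#e6e6e6" },
  ],
  purposes: [{ name: "analytics", basis: "consent", checkedByDefault: true }],
};
const fixedBanner = { ...badBanner,
  firstLayer: [{ role: "accept", element: "button", colour: "#0057b8" },
    { role: "reject", element: "button", colour: "#0057b8" }],
  purposes: [{ name: "analytics", basis: "consent", checkedByDefault: false }] };
console.log(auditBanner(badBanner), auditBanner(fixedBanner));
```

Whether a cookie is correctly classified as essential cannot be read from the banner itself, so that point still needs a manual review of what each cookie does.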

About UniConsent

UniConsent is a part of Transfon's privacy-first User Experience Platform, which serves tens of millions of users per day and provides a seamless privacy experience for both users and publishers in the post-GDPR era. Contact us to learn more: hello@uniconsent.com
