Two myths about cookie consent sprung up when the GDPR took effect:
The first was that "you only have to make a token effort to get consent." The second was that "the web has so many sites you probably won't get caught breaking the rules anyway."
The former myth has been shattered by multiple court rulings. and now a privacy group's actions are disproving the latter.
Here's what you need to know to avoid regulatory action surrounding your GDPR-compliant cookie banners.
- 1. What's the Latest Development With GDPR-Compliant Cookie Consent?
- 2. The Basics of the GDPR and Cookie Consent
- 3. The Meaning of Consent Under the GDPR
- 4. Penalties For Breaches of the GDPR Cookie Consent Rules
- 5. The Noyb Campaign on Cookie Consent
- 6. The Most Common Violations of Cookie Consent Rules
- 6.1. Not as Easy to Withdraw as to Consent (Found in 90% of Sites With at Least One Violation)
- 6.2. No Reject Option on First Layer (81%)
- 6.3. Deceptive Button Contrast or Color (73%)
- 6.4. Link Instead of Button to Reject (51%)
- 6.5. Inappropriate Use of Legitimate Interests (27%)
- 6.6. Inappropriate Use of "Essential" Cookies (21%)
- 6.7. Pre-Ticked Checkboxes (15%)
- 7. Privacy Policies and the GDPR
- 8. Summary
What's the Latest Development With GDPR-Compliant Cookie Consent?
A privacy group called Noyb (short for "none of your business") is going after websites that try to make it more difficult for site users to exercise their cookie opt-out rights under the GDPR. Noyb has developed an automated reporting system to file formal complaints with data regulators about alleged breaches. This could significantly increase the likelihood of being caught when breaching the rules.
The Basics of the GDPR and Cookie Consent
Let's recap the key points of the General Data Protection Regulation when it comes to cookies.
- The GDPR covers processing of personal data. It applies if you (the processor), the data subject (the person the data is about), or the processing itself, is in a European Union country. The rules also apply in the United Kingdom through its own national laws.
- Under the GDPR, you can only lawfully process personal data in limited circumstances, the most common of which are that the data subject has consented or that the processing is necessary for your legitimate interests.
- Both the wording of the GDPR and later official clarifications and rulings have established that cookies count as personal data if they can be associated with an identified or identifiable person.
- "Legitimate interests" generally only covers cookies that are necessary for the site to operate (for example, balancing traffic across different servers) or to provide a service the user has directly requested (for example, for a virtual shopping cart). Most other cookies will require consent.
The Meaning of Consent Under the GDPR
The GDPR specifically defines consent in Article 4 as a:
"freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her."
Several rulings and clarifications have set out ways this works with cookie consent:
- The consent must be active. This means you can't simply issue cookies by default until somebody opts out.
- The consent must be freely given, with the user making a genuine choice. This means you can't block somebody from accessing a site unless they consent to non-essential cookies (an approach dubbed a "cookie wall").
- The consent must be specific, meaning you should normally give users the option to say yes or no to different types of cookie, for example marketing, site statistics and performance.
- The consent must be unambiguous. This means you can't use pre-ticked checkboxes to indicate consent as you can't be sure a user hasn't left them ticked by mistake.
Other sections of the GDPR spell out that a user must be able to withdraw consent. This means you can't take a user scrolling down a page as a signal of consent as there's no clear way to undo this signal.
Penalties For Breaches of the GDPR Cookie Consent Rules
The GDPR is enforced by supervisory authorities in individual EU countries. These are usually national data regulators and agencies.
Supervisory authorities have the power to take a range of actions after determining a breach. These include issuing a warning, requiring the data controller to take a particular action (such as changing cookie consent banners), or issuing a temporary or permanent ban on data processing.
The supervisory authority can also issue a financial penalty, normally known as an administrative fine. Breaches fall into two categories for financial penalties, with breaches of the consent rules falling into the higher category. This means the maximum fine is €20 million or four percent of a business's gross worldwide revenue in the previous financial year, whichever is the bigger amount.
The Noyb Campaign on Cookie Consent
In most cases, supervisory authorities will only investigate an alleged breach after receiving a formal complaint. This means some businesses that don't comply with the consent rules may take the gamble that it's unlikely anyone will ever complain.
The Noyb group says it wants to overcome this attitude. It says it has developed software that can scan websites to look for common forms of cookie banners that do not comply with the rules.
It plans to start assessing sites by prioritizing the most popular, with a target that by mid-2022 the 10,000 most visited sites in Europe will comply with the GDPR. This could be because a site already meets the rules, it changes its cookie consent system after receiving a complaint, or it's ordered to do so by a supervisory authority.
Noyb began its campaign by contacting 500 websites that it said do not meet the consent rules. It gave them specific details of how to change their sites to be compliant and gave them one month to do so before it began issuing formal complaints to supervisory authorities.
If your site does not already comply with the cookie consent rules, the Noyb campaign increases the chances that you will face regulatory action in three ways:
- Noyb itself could find your site and generate a complaint
- The campaign could gain publicity and encourage ordinary users to complain to supervisory authorities
- The campaign could highlight the issue and put pressure on supervisory authorities to be more proactive in looking for breaches and taking action
The Most Common Violations of Cookie Consent Rules
Noyb broke down the different violations across the 500 popular websites which it contacted. It listed the percentage of the 500 sites that featured each violation. Here are the most common violations along with some examples of how cookie consent requests can meet the rules.
Not as Easy to Withdraw as to Consent (Found in 90% of Sites With at Least One Violation)
The GDPR says consent is only meaningful if users can easily withdraw it later on. As noted, this is why it's not acceptable to take a user scrolling down a page as a form of consent.
The easiest way to meet this rule is to make sure you use a cookie consent management tool that lets you include an option to withdraw consent in the same way as providing it.
NTT Data complies by using its Cookie Policy to provide a clear explanation of how to withdraw consent and why this is not the same as simply deleting cookies:
No Reject Option on First Layer (81%)
Some sites try to deter users from refusing consent by designing their cookie banners so there's a one-click option to give consent, but refusing consent involves going through multiple steps. For example a user who clicks to refuse might be prompted to confirm their choice or be asked "are you sure?"
To comply with the GDPR, you must not try to unduly influence a data subject's decision of whether to give consent.
Netflix complies by including a "Reject" button in the same fashion as its "Accept" button:
Deceptive Button Contrast or Color (73%)
When you offer users two buttons to indicate giving or refusing consent, you must not make one more prominent than the other as this counts as unduly influencing the decision. This includes using different colors so that one stands out more than the other, or even makes the text on one button harder to read.
If you use an automated system such as a cookie consent management tool, the default settings may produce buttons that break the rules. If so, you must either change the settings or use a different tool.
Reddit complies by using identical designs for its two buttons:
Link Instead of Button to Reject (51%)
Some sites have a cookie choice screen that has a one-click button to give consent and a link to follow to refuse consent. This breaches the rules in two ways.
Firstly, it gives undue prominence to the "give consent" option as a button will stand out more than a text link.
Secondly, it makes it more convenient to give consent with a single click whereas refusing consent involves multiple clicks.
Ebay complies by using a decline button. Although this takes the user to a page allowing specific settings for different cookies, these are all set to decline by default following the initial button press.
Inappropriate Use of Legitimate Interests (27%)
Remember that you can only rely on legitimate interests as a lawful basis for your processing where the processing is for your core business activities, could reasonably be expected by users, and does not outweigh the data subject's privacy rights.
It's often safer to get consent for all non-essential cookies. If you use an automated system such as a cookie consent management tool, you may need to disable a setting marked "Allow Legitimate Interest" or similar wording.
Inappropriate Use of "Essential" Cookies (21%)
Remember that "essential" refers to your site operating and serving customers. It doesn't cover activities, such as gathering site statistics or personalizing advertising, that make running your business easier or more profitable. These cookies are not essential for the site's operation and thus you need the data subject's consent.
If you use an automated system such as a cookie consent management tool, you may need to alter settings that designate particular cookie types, including those from third-parties, as essential by default.
The NHS complies by correctly classing analytics cookies as non-essential and thus requiring consent:
Pre-Ticked Checkboxes (15%)
A court ruling has confirmed that using pre-ticked checkboxes is not adequate for ensuring consent. This is because consent must be unambiguous. With a pre-ticked box (or pre-set slider), you can't be certain the user hasn't clicked the confirmation button by accident or without noticing the box was ticked.
The safest options are to either have a single button that is explicitly marked as giving consent, or to have an un-ticked box/slider set to reject by default so that a user wanting to give consent must first tick the box or change the slider, then click to confirm.
The Information Commission Officer's site in the UK complies by setting a slider for optional cookies to Off by default:
Remember that consent under the GDPR isn't just about confirming the user has intentionally given consent. You must also be sure the user understands what that consent entails and has access to the information needed to make a meaningful choice.
That is why the GDPR explicitly requires a Privacy Policy or similar notice, beyond any information in a cookie banner.
Privacy Policies and the GDPR
Your GDPR-compliant Privacy Policy must include the following:
- Your organization's name and contact details and those of your designated data protection officer
- Why you process people's data
- The lawful basis or bases for processing (for example consent or legitimate interests)
- Who, if anyone, you share personal data with
- Whether you transfer personal data outside of the EU and, if so, how you make sure it remains protected
- How long you keep personal data (or how you decide when to delete it)
- The data subject's rights under the GDPR and how to exercise them. These include knowing what data you have, asking you to correct or delete data and withdrawing consent.
- Whether data subjects are legally or contractually required to provide personal data and what happens if they refuse
- Whether you use automated decision-making such as profiling
Summary
Let's recap what you need to know about developments in GDPR cookie consent:
- The GDPR applies if you, a data subject or your processing is in the European Union
- The GDPR covers cookies that can identify an individual and aren't essential to the site's operation
- It's only lawful to use such cookies in limited ways, most notably when you have user consent
- This consent must be clear, active and unambiguous
- A campaign group called Noyb is actively searching for sites that breach the cookie consent rules and plans to report them to data regulators
-
Noyb says the most common violations are:
- Not making it as easy to withdraw consent as to give it
- Not including a reject option at the earliest stage
- Using deceptive contrast and color to make the reject option less prominent
- Using a link rather than a one-click button for the reject option
- Inappropriately claiming a cookie is covered by legitimate interests
- Inappropriately claiming a cookie is essential
- Using pre-ticked checkboxes indicating consent
- The GDPR also requires a Privacy Policy explaining how you use data. This is necessary for consent to be informed and thus valid.