If your business has operations in Europe, or you offer your products there online, you’re probably already familiar with cookie consent banners. These pop-ups have been proliferating since the passage of the ePrivacy Directive, creating headaches for website operators around the world.
The crux of the rule is that websites cannot place cookies on a visitor’s device without first getting their consent, unless the cookie is “strictly necessary” for the functioning of the site. Sounds simple enough, right? Compliance problems can arise, however, when businesses use subtle (or not so subtle) design cues, known as “dark patterns,” to influence a user’s choice.
Potentially, the use of dark patterns invalidates the consent mechanism and opens the business up to enforcement and fines. What does this look like in real life?
A dark pattern is a UI design choice that has "the substantial effect of subverting or impairing user autonomy, decisionmaking, or choice." In other words, a dark pattern exists where the design itself nudges the user in a certain direction. This is often accomplished via color choices, button asymmetry, and/or process asymmetry (i.e., making one option easier or harder than the other).
U.S. privacy laws such as the California Consumer Privacy Act (CCPA) state that consent obtained via a dark pattern is not considered valid. The GDPR, on the other hand, is not as straightforward, as it does not expressly mention dark patterns.
Instead, cookie consent must conform to the GDPR’s exacting standards for consent in general, meaning it must be a “clear affirmative act establishing a freely given, specific, informed, and unambiguous indication of the data subject’s agreement.” As well, businesses must always abide by the GDPR’s general principles of lawfulness, fairness and transparency.
While these terms may sound vague, they can still be enforced, and in fact often are enforced. For example, a dark pattern could be found to violate the GDPR’s principle of fairness, or if the consent mechanism is confusing, the user’s consent may be considered ambiguous.
Here are some common cookie-banner design choices that may violate the GDPR’s consent rules.
Businesses are typically eager to provide an "Accept All" button on their cookie consent banners, but a little less enthusiastic about including a "Reject All" option, for obvious reasons.
In a 2023 report on this issue, the European Data Protection Board (EDPB) found that there was near-universal consensus among data protection authorities: If a consent banner offers an Accept All button, it must also provide a Reject All equivalent. Not only that, it must be available at the same point, meaning businesses should not make users click further into the interface before being able to reject all cookies.
For this very reason, Google (along with several other businesses) was fined 150 million euros in 2022.
We've all experienced this: When one button is larger or more brightly colored, we are more likely to click on it. For this reason, many businesses prefer to make their Accept All buttons a different color, or perhaps make the Reject All option a text link that is far less prominent.
The EDPB was less clear about this practice in its report, in part because of the difficulties in making rules about color choices. For this reason, it recommended a case-by-case approach to determining whether color or contrast choices have the effect of misleading consumers. The Information Commissioner's Office (the UK's data protection authority) released a position paper stating that choices such as Accept All and Reject All "must be presented with equal prominence."
Though the standard may not be crystal clear, businesses that use button asymmetry in their consent mechanisms are usually aware of their reason for doing so, and should know that it presents a compliance risk.
There is a general rule, applicable across most privacy laws, that is often overlooked by organizations: Whenever consent is collected from consumers, they should also have the ability to withdraw consent. Not only that, it should be just as easy for the consumer to withdraw their consent as it was to give it in the first place.
This means that if a consumer has given their consent to have cookies placed on their device, there must also be a readily accessible mechanism for changing their mind. Somewhere, ideally on every page, the consumer should be able to access their cookie preferences and toggle each slider back and forth. If the cookie options become inaccessible once the person clicks Accept (or not very easily accessible, such as by burying a link in the privacy policy), that arrangement likely violates the GDPR’s consent rules.
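As an added illustration of the two rules above (Reject All offered at the same point as Accept All, and withdrawal as easy as giving consent), and not code from TrueVault or the original post: a small JavaScript consent model that gates every non-essential cookie write on an affirmative opt-in and clears a category's cookies when that category is switched off. The category names, cookie names and the in-memory cookie jar are constructed for the example.

```javascript
// Constructed, minimal consent model: cookies are grouped into categories.
// "necessary" is always allowed; every other category needs an affirmative opt-in.
const CATEGORIES = ["necessary", "analytics", "marketing"];

// In-memory stand-in for document.cookie so the example runs outside a browser.
const cookieJar = new Map(); // name -> { value, category }

// Consent state stays null until the visitor makes a choice: no pre-ticked defaults.
let consent = null;

function allNecessaryOnly() {
  return Object.fromEntries(CATEGORIES.map((c) => [c, c === "necessary"]));
}

// Accept All and Reject All are each a single action offered at the same point,
// so rejecting is exactly as easy as accepting.
function acceptAll() {
  consent = Object.fromEntries(CATEGORIES.map((c) => [c, true]));
  return consent;
}
function rejectAll() {
  consent = allNecessaryOnly();
  return consent;
}

// Withdrawal: toggling a category off is the same one-click action as granting it,
// and switching a category off also removes the cookies already set under it.
function setCategory(category, allowed) {
  if (category === "necessary") return consent; // strictly necessary cannot be switched off
  if (consent === null) consent = allNecessaryOnly();
  consent[category] = allowed;
  if (!allowed) {
    for (const [name, entry] of cookieJar) {
      if (entry.category === category) cookieJar.delete(name);
    }
  }
  return consent;
}

function canSet(category) {
  if (category === "necessary") return true;
  return consent !== null && consent[category] === true;
}

// Every cookie write goes through the consent check; returns whether it was set.
function setCookie(name, value, category) {
  if (!CATEGORIES.includes(category)) throw new Error(`unknown category: ${category}`);
  if (!canSet(category)) return false;
  cookieJar.set(name, { value, category });
  return true;
}

function listCookies() { return [...cookieJar.keys()].sort().join(","); }
```

The same gate would wrap the loading of analytics or advertising tags, so nothing in those categories runs before the visitor has opted in.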
Disclaimer: This content is provided for general informational purposes only and does not constitute legal or other professional advice. Without limiting the foregoing, the content may not reflect recent developments in the law, may not be complete, and may not be accurate or relevant in an applicable jurisdiction. This content is not a substitute for obtaining legal advice from a qualified licensed attorney in the applicable jurisdiction. The content is general in nature and may not pertain to specific circumstances, so it should not be used to act or refrain from acting based on it without first obtaining advice from professional counsel qualified in the applicable subject matter and jurisdictions.