Keeping Your Cookie Banner GDPR Compliant

privacy-compliance

If your business has operations in Europe, or you offer your products there online, you’re probably already familiar with cookie consent banners. These pop-ups have been proliferating since the passage of the ePrivacy Directive, creating headaches for website operators around the world.

The crux of the rule is that websites cannot place cookies on a visitor’s device without first getting their consent, unless the cookie is “strictly necessary” for the functioning of the site. Sounds simple enough, right? Compliance problems can arise, however, when businesses use subtle (or not so subtle) design cues, known as “dark patterns,” to influence a user’s choice.

Potentially, the use of dark patterns invalidates the consent mechanism and opens the business up to enforcement and fines. What does this look like in real life?

What Are Dark Patterns?

A dark pattern is a UI design choice that has “the substantial effect of subverting or impairing user autonomy, decision-making, or choice.” In other words, a dark pattern exists where the design itself nudges the user in a certain direction. This is often accomplished via color choices, button asymmetry, and/or process asymmetry (i.e., making one option easier or harder than the other).

U.S. privacy laws such as the California Consumer Privacy Act (CCPA) state that consent obtained via a dark pattern is not considered valid. The GDPR, on the other hand, is not as straightforward, as it does not expressly mention dark patterns.

Instead, cookie consent must conform to the GDPR’s exacting standards for consent in general, meaning it must be a “clear affirmative act establishing a freely given, specific, informed, and unambiguous indication of the data subject’s agreement.” As well, businesses must always abide by the GDPR’s general principles of lawfulness, fairness and transparency. 

While these terms may sound vague, they are enforceable, and in fact often are enforced. For example, a dark pattern could be found to violate the GDPR’s principle of fairness, or if the consent mechanism is confusing, the user’s consent may be considered ambiguous.

Here are some common cookie-banner design choices that may violate the GDPR’s consent rules.

Failure to Include a "Reject All" Option

Businesses are typically eager to provide an "Accept All" button on their cookie consent banners, but a little less enthusiastic about including a "Reject All" option, for obvious reasons.

In a 2023 report on this issue, the European Data Protection Board (EDPB) found that there was near-universal consensus among data protection authorities: If a consent banner offers an Accept All button, it must also provide a Reject All equivalent. Not only that, it must be available at the same point, meaning businesses should not make users click further into the interface before being able to reject all cookies.

For this very reason, Google (along with several other businesses) was fined 150 million euros in 2022.

Button Asymmetry

We've all experienced this: When one button is larger or more brightly colored, we are more likely to click on it. For this reason, many businesses prefer to make their Accept All buttons a different color, or perhaps make the Reject All option a text link that is far less prominent.

The EDPB was less clear about this practice in its report, in part because of the difficulties in making rules about color choices. For this reason, it recommended a case-by-case approach to determining whether color or contrast choices have the effect of misleading consumers. The Information Commissioner's Office (the UK's data protection authority) released a position paper stating that choices such as Accept All and Reject All "must be presented with equal prominence."

Though the standard may not be crystal clear, businesses that use button asymmetry in their consent mechanisms are usually aware of their reason for doing so, and should know that it presents a compliance risk.

No Ability to Withdraw Consent

There is a general rule, applicable across most privacy laws, that is often overlooked by organizations: Whenever consent is collected from consumers, they should also have the ability to withdraw consent. Not only that, it should be just as easy for the consumer to withdraw their consent as it was to give it in the first place.

This means that if a consumer has given their consent to have cookies placed on their device, there must also be a readily accessible mechanism for changing their mind. Somewhere, ideally on every page, the consumer should be able to access their cookie preferences and toggle each slider back and forth. If the cookie options become inaccessible once the person clicks Accept (or not very easily accessible, such as by burying a link in the privacy policy), that arrangement likely violates the GDPR’s consent rules.
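The three rules above translate into checkable behaviour on the implementation side. The following is an added example, not code from the original post or from TrueVault: a small consent module in which “no decision” means no consent for non-essential cookies, Accept All and Reject All are the same one-click operation, every non-essential cookie write is gated on current consent, and withdrawal is a per-category toggle that also purges what was already set. It also includes an `auditBanner` check that flags a banner description for a buried or missing Reject All, unequal prominence, or no always-available preferences link. The category names, the `cookie_consent` storage key, the banner config shape and the in-memory `Map` standing in for `document.cookie` are all assumptions made for the example.

```javascript
// Added example (not from the original post). Category names, storage key and
// banner config shape are assumptions; a Map stands in for document.cookie so
// the module runs in Node without a browser.

const ESSENTIAL = 'necessary';                       // strictly necessary: exempt from consent
const CATEGORIES = ['necessary', 'analytics', 'marketing'];
const STORAGE_KEY = 'cookie_consent';                // assumed key name

function createConsentManager(store = new Map()) {
  const load = () => {
    const raw = store.get(STORAGE_KEY);
    if (raw === undefined) return null;
    try { return JSON.parse(raw); } catch { return null; }
  };
  const save = (prefs) => store.set(STORAGE_KEY, JSON.stringify(prefs));

  // Effective state: absence of a recorded decision means NO consent for
  // any non-essential category (silence is not consent under the GDPR).
  function state() {
    const prefs = load() || {};
    const out = {};
    for (const c of CATEGORIES) out[c] = c === ESSENTIAL ? true : prefs[c] === true;
    return out;
  }

  // Accept All and Reject All are one operation with a different value, so
  // both take exactly one click at the same point of the interface.
  function decideAll(allowed) {
    const prefs = {};
    for (const c of CATEGORIES) prefs[c] = c === ESSENTIAL ? true : allowed;
    save(prefs);
    return state();
  }

  // Per-category toggle for the preferences panel (used for withdrawal too).
  function setCategory(category, allowed) {
    if (category === ESSENTIAL) throw new Error('strictly necessary cookies are not optional');
    if (!CATEGORIES.includes(category)) throw new Error(`unknown category: ${category}`);
    save({ ...state(), [category]: allowed === true });
    return state();
  }

  // Every non-essential cookie write is gated on the current consent state.
  function setCookie(name, value, category) {
    if (category !== ESSENTIAL && state()[category] !== true) return false;
    store.set(`cookie:${category}:${name}`, value);
    return true;
  }

  // Withdrawing consent for a category also removes cookies already placed in it.
  function withdraw(category) {
    const next = setCategory(category, false);
    for (const k of [...store.keys()]) if (k.startsWith(`cookie:${category}:`)) store.delete(k);
    return next;
  }

  const cookieNames = () =>
    [...store.keys()].filter(k => k.startsWith('cookie:')).map(k => k.split(':')[2]);

  return {
    state, setCategory, setCookie, withdraw, cookieNames,
    acceptAll: () => decideAll(true),
    rejectAll: () => decideAll(false),
    hasDecided: () => load() !== null,
  };
}

// Audit a banner description (assumed shape) for the dark patterns discussed above:
// { layers: [{ buttons: [{ action, prominence }] }], preferencesLinkOnEveryPage }
function auditBanner(banner) {
  const findings = [];
  const first = (banner.layers[0] && banner.layers[0].buttons) || [];
  const accept = first.find(b => b.action === 'acceptAll');
  const reject = first.find(b => b.action === 'rejectAll');
  if (accept && !reject) {
    const deeper = banner.layers.slice(1).some(l => l.buttons.some(b => b.action === 'rejectAll'));
    findings.push(deeper ? 'rejectAll is buried in a later layer' : 'rejectAll is missing');
  }
  if (accept && reject && accept.prominence !== reject.prominence) {
    findings.push('acceptAll and rejectAll have unequal prominence');
  }
  if (!banner.preferencesLinkOnEveryPage) findings.push('no always-available way to withdraw consent');
  return findings;
}

// Constructed sample banners: one with the patterns the post describes, one without.
const DARK_BANNER = {
  layers: [
    { buttons: [{ action: 'acceptAll', prominence: 'primary' }, { action: 'settings', prominence: 'link' }] },
    { buttons: [{ action: 'rejectAll', prominence: 'link' }] },
  ],
  preferencesLinkOnEveryPage: false,
};
const COMPLIANT_BANNER = {
  layers: [{ buttons: [{ action: 'acceptAll', prominence: 'primary' }, { action: 'rejectAll', prominence: 'primary' }] }],
  preferencesLinkOnEveryPage: true,
};

module.exports = { createConsentManager, auditBanner, DARK_BANNER, COMPLIANT_BANNER };
```

The gating in `setCookie` is the part that matters operationally: a banner can look compliant while a tag manager still drops analytics cookies before any click, so wiring every non-essential write through the consent state is what makes the displayed choice real. `auditBanner` is a structural check only; as the post notes, prominence ultimately gets judged case by case.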

Create Your Cookie Banner and More with TrueVault

Privacy compliance is complicated. Designing a GDPR-compliant cookie banner is just one task of many that businesses must carefully consider in order to avoid complaints from consumers and trouble with regulators. Without in-house privacy expertise, juggling all of the privacy rules from multiple jurisdictions can easily become overwhelming.

TrueVault simplifies privacy compliance by incorporating complex rules into an intuitive, step-by-step workflow. You can onboard vendors, publish notices, add cookie consent tracking, and more, in as little as a few hours. That includes publishing a cookie consent banner whose design incorporates all of the above rules by default, while still allowing for full customization according to your business’s specific needs.

To learn more about how TrueVault can help your business get compliant with the GDPR and U.S. privacy laws, contact our team today.
