Cookie consent popups can be like the choice of the red pill and blue pill — confusing. Users face this situation on the Internet every day, thanks to the GDPR. But cookie prompts often do not give any real choice to the consumer. Regulators and privacy watchers have called attention to broken cookie consent mechanisms in the EU, the prevalence of “dark patterns”, and the lack of cookie banners on many websites across the EU.

While cookie notices are a noticeable aftermath of the GDPR, they are often overlooked by marketers. At a time when privacy has taken precedence for consumers, businesses must pay close attention to practices that may breach their trust. If your business website has a non-compliant cookie banner, or if you haven’t set up a cookie banner yet, here’s how you can rectify that. First, let’s start with the basics.

What is cookie consent?

Cookies are categorized as ‘online identifiers’ in the GDPR and can therefore constitute personal data. This means that, as with opt-in forms and emails, the GDPR requires an individual’s consent before cookies are set in their browser. Cookies other than strictly necessary ones require opt-in consent, and the consent acquired must meet GDPR standards.

As per Article 4 GDPR, consent should involve a clear affirmative action and should be freely given, specific, informed and unambiguous. Article 7 states additional requirements: proof of consent, the ability to withdraw consent, and that consent requests be easily accessible and use clear and plain language.

What’s the state of cookie consent in the EU?

A study on cookie consent banners in the EU noted that 57.4% of the consent notices had interface designs that steered users towards accepting privacy-unfriendly options or “dark patterns”. Another study on cookie consent banners reported that cookie notifications fail to comply with the principles of EU privacy laws. Only 11% of cookie consent mechanisms “meet the minimal requirements of European law”.

A similar analysis by the Irish Data Protection commissioner reported that 26% of the websites studied had pre-checked boxes to signal consent to cookies, including for marketing, advertising and analytics cookies. In a May 2020 judgement, the German Federal Court of Justice noted that “pre-set checkboxes” (opt-out) do not represent effective consent. In a new study of 17,000 websites and 7,500 cookie banners by the University of York, one in four websites were found to not comply with basic cookie consent rules while more than 60% of websites stored third-party cookies.

What are dark patterns in cookie consent?

Dark patterns are interface designs that mislead users into a certain behaviour that they may not otherwise take. These include pre-ticked boxes, default ‘on’ toggles, nudges and the like.

Look at the cookie popup below. It prevents the user from browsing the website until they take an action regarding this popup. Such cookie notices are referred to as cookie walls and are not legal in the EU. The cookie popup also nudges the user to accept and continue, i.e. the user doesn’t have a free choice.

[Image: a cookie wall popup that blocks browsing until the user acts on it]

Now, take a look at the cookie banner below. While it presents detailed information about the use of cookies and other tracking technologies, there’s a catch. If the user clicks on accept, they will consent to the use of all the cookies and trackers. So, how can users reject the use of cookies? They have to click on ‘Manage choices’ and then confirm their choices in the expanded window.

[Image: a cookie banner with an ‘Accept’ button and a ‘Manage choices’ link]

A study reported that placing cookie settings or information below the first layer “renders it effectively ignored”. The GDPR states that it should be as easy for a user to withdraw consent as it is to give consent. In this example, the user has to take additional steps to reject cookies on this banner. So, is it then cookie compliant? No!

What to avoid in cookie consent banners

Here’s a list of dark patterns and non-compliant practices that you need to steer clear of to achieve GDPR compliance for cookie consent.

  • Notice-only cookie banners with no option to ‘accept’ or ‘reject’
  • Pre-ticked boxes in cookie settings
  • Cookie banners with no ‘reject’ buttons
  • Cookie walls that stop website browsing
  • Cookie consent bundled in the privacy policy
  • Obstructing banner that disrupts the site’s content or design
  • Confusing buttons that nudge users into accepting cookies
  • Unclear language in the banner or buttons that nudge users

Are there fines for cookie consent violations?

GDPR fines are calculated based on several criteria, but primarily there are two levels of fines. The first level of fines goes up to €10 million or 2% of the company’s annual income, whichever is higher. The higher level of fine can go up to €20 million or 4% of the company’s annual income, whichever is higher.

Data protection authorities in the EU have increasingly started imposing fines for cookie consent violations. From Google’s €100 million to Amazon’s €35 million fine, unlawful cookie consent practices have led regulators to impose record fines. While smaller websites and startups have not faced the heat like big tech, things are changing.

Dark patterns and blatant cookie consent violations prompted privacy rights group noyb (of Schrems II fame) to initiate a campaign to file complaints against websites in the EU that flout the rules. As the proposed ePrivacy Regulation will soon be passed into law, cookie consent in the EU will only be further strengthened.

The guide to GDPR compliant cookie consent

Here’s a guide on the GDPR’s requirements for cookie consent and how you can implement a foolproof cookie consent banner for your website.

Display a compliant cookie banner

Your cookie banner should have information about your cookie use in plain language and briefly state the purpose of cookie use. It should have ‘accept’ and ‘reject’ buttons to consent to or decline the use of cookies. If the user wishes, they should be able to give granular consent to cookie categories or change their cookie preferences. The cookie banner should have a cookie category preview with a cookie audit table that states each of the cookies, their use, duration and the domain that creates them.

[Image: a compliant cookie banner with ‘Accept’ and ‘Reject’ buttons at the same level]

This is an example of a compliant cookie consent notice that gives users the option to accept and decline cookies, at the same level. You may use a cookie consent solution like CookieYes to add a GDPR compliant cookie consent banner to your website. You can auto-block third-party scripts, customize your cookie consent banner, and keep a centralized record of user consents.

Customise your cookie banner for accessibility

The cookie banner should be in sync with the design and branding of your website and should not block the content on the website. A footer or header banner can help in this regard. Keep the style clean, so it is noticeable for a user on their first visit to your website.

[Image: a mobile-responsive cookie popup]

Here’s an example of a mobile-responsive cookie popup. Cookie popups should also be optimized for mobile devices so that they do not interfere with the site’s user experience. With over 55% of Internet users using mobile phones to purchase products online, it is important that everything on your website, including cookie banners, is made for an optimal mobile experience.

Auto-translate your cookie banner

Users must be presented with a cookie banner in their preferred language. Displaying only a default-language banner does not respect the user’s right to be informed as per the GDPR. Cookie banners should be optimized to respect a consumer’s privacy rights. You should make the banner available in at least the most widely spoken languages in the EU.

Geo-target your cookie banner

If your website caters to a global audience, you may restrict your GDPR compliant cookie banner to only users in the EU. You should also take note of the privacy regulations that affect different locations and add a consent mechanism that adheres to the respective laws. For instance, if your website has visitors from the US, you should display a CCPA opt-out notice.

Auto-block third-party scripts till the user consents

Your website should not drop cookies until the user gives their consent. Third-party scripts are often not within the control of website publishers, so you should implement a way to auto-block cookies set by third parties such as Google Analytics, Facebook pixels and similar tags until consent is given.
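One common way to implement this auto-blocking, shown here as an added example (it is not code from the original article or from CookieYes): third-party tags are authored as inert `<script type="text/plain">` elements, which a browser never executes, and are only swapped for real scripts once the stored consent allows their category. The attribute name `data-consent-category`, the `cookie_consent` cookie format, and the category names are assumptions made for this example; the decision logic is kept separate from the DOM code so it can be tested outside a browser.

```javascript
// Added example, not code from the original article or from CookieYes.
// Tags are authored inert, e.g.:
//   <script type="text/plain" data-consent-category="analytics"
//           src="https://example.invalid/analytics.js"></script>
// A text/plain script is never fetched or run, so nothing is set until consent is given.
// (Attribute name, cookie format and category names are assumptions for this example.)

const CATEGORIES = ["necessary", "analytics", "marketing"];

// Parse the stored consent, e.g. "cookie_consent=analytics:1,marketing:0", from a
// document.cookie string. Anything absent or malformed counts as "not consented"
// (default deny): only strictly necessary cookies are allowed without an affirmative action.
function parseConsent(cookieString) {
  const consent = { necessary: true, analytics: false, marketing: false };
  const match = /(?:^|;\s*)cookie_consent=([^;]*)/.exec(cookieString || "");
  if (!match) return consent;
  for (const pair of match[1].split(",")) {
    const [category, value] = pair.split(":");
    if (CATEGORIES.includes(category) && category !== "necessary") {
      consent[category] = value === "1";
    }
  }
  return consent;
}

// Pure decision: which inert scripts may run under this consent state.
// scripts: [{ category, ... }]; unknown categories are never activated.
function scriptsToActivate(scripts, consent) {
  return scripts.filter(
    (s) => s.category === "necessary" || consent[s.category] === true
  );
}

// Browser side: replace consented inert scripts with executable ones.
// Returns the number activated; returns 0 when there is no `document` (e.g. under Node).
function activateConsentedScripts(
  consent,
  doc = typeof document === "undefined" ? null : document
) {
  if (!doc) return 0;
  const inert = Array.from(
    doc.querySelectorAll('script[type="text/plain"][data-consent-category]')
  );
  const descriptors = inert.map((el) => ({ category: el.dataset.consentCategory, el }));
  const allowed = scriptsToActivate(descriptors, consent);
  for (const { el } of allowed) {
    const live = doc.createElement("script");
    for (const attr of el.attributes) {
      if (attr.name !== "type") live.setAttribute(attr.name, attr.value);
    }
    if (!el.hasAttribute("src")) live.textContent = el.textContent;
    el.replaceWith(live); // inserting a fresh script element is what triggers execution
  }
  return allowed.length;
}

// Typical wiring: run once on page load and again from the banner's accept/save handler.
//   activateConsentedScripts(parseConsent(document.cookie));
```

Withdrawing consent cannot unload a tag that has already executed, so a withdrawal handler should rewrite the `cookie_consent` cookie and reload the page; on the reload only the still-consented categories are activated.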

Display a consent call-back button

Under the GDPR, the ability to withdraw consent is a core condition of valid consent. It should be as easy to revoke consent as it is to give consent. What this means is that once the user gives consent and the banner disappears, you should display a widget to call back the consent banner. This way, the user does not have to navigate and search for the method to revoke consent.

Record user consents for proof of consent

GDPR stresses the importance of recording consent. You should be able to show proof that the users have given their consent to demonstrate your compliance, whenever required. The consent record should include details of who consented, the time and date of receiving the consent and consent status. Ideally, you should keep a centralized record of users’ anonymized IP address, country, consent status (cookie categories they consented to), and time and date of consent.

Link your cookie policy on the banner

An up-to-date cookie policy is necessary for foolproof cookie compliance. You should link your cookie policy in the cookie banner for complete transparency regarding your cookie usage. For this, you should periodically scan your website for cookies and update your cookie audit table to account for newly added or removed cookies.

Cookie consent checklist for GDPR compliance

It’s high time that businesses stop paying lip service to cookie consent and take control. Not just to save yourself from regulatory scrutiny and fines, but also to respect user privacy.

  • Display a custom cookie consent banner with custom design.

  • Provide a user-friendly and mobile-responsive layout.

  • Inform users about cookie usage in plain language.

  • Display an auto-translated banner as per the user’s browser language.

  • Display ‘accept’ and ‘reject’ buttons on the banner.

  • Showcase different cookie categories used on your website.

  • Provide granular options to opt-in for different cookie categories.

  • Auto-block third-party cookie scripts till the user gives consent.

  • Link to a compliant cookie policy on the cookie banner.

  • Display cookie widget on the website so users can easily withdraw consent.

  • Record user consent for proof of compliance.

  • Geo-target the banner as per the user’s location.

A cookie consent solution like CookieYes can help you fulfil all the requirements in the cookie consent checklist and will be a great asset to add to your tech stack. It will help you to easily manage all your GDPR cookie consent requirements, auto-block third-party cookies, and track and store all your user consents. Not just GDPR: CookieYes helps you comply with multiple privacy laws like the Data Protection Act (UK), CCPA (California), CNIL (France) and LGPD (Brazil).