In 2019, the Court of Justice of the European Union (CJEU) made it very clear that a pre-ticked consent box is illegal. This resulted in thousands of website owners updating the cookie banner and consent box design on European websites.
However, most consent boxes still do not comply with the rules.
The cookie rules are simply too complex to be applied in a way that is both legally compliant and user-friendly at the same time. Nor does it help communication that the user’s decision is typically made within seconds of first interacting with an application or website.
The result is a simplified decision matrix where the user must either accept all cookies, accept only necessary cookies, or deny all cookies.
Result of the typical decision matrix:
Full denial from the user = Limited data collection for the application owner.
Full acceptance from the user with compliance flaws = Illegal and (oftentimes) excessive data collection.
Full or selected acceptance from the user without compliance flaws = Legal data collection.
Summary of the Cookie Rules
From a legal perspective, one could write numerous articles on the different aspects of the regulation. For this article, I have decided to present a condensed overview of the rules.
1. The application owner must inform the application user of the use of cookies.
2. Cookies cover many types of traffic data (e.g. small text files, pixels and other tracking) stored on the user’s device (e.g. phone, laptop, TV, etc.).
3. For all cookie types other than “necessary cookies”, the application owner must collect consent from the user.
4. Consent must be the result of active behaviour on the part of the user.
5. Consent requires that the website user has given it “unambiguously” and in line with the basic consent rules: informed, specific, voluntary, withdrawable.
6. The user’s silence, pre-ticked boxes or inactivity are expressly excluded from lawful practice.
Examples of typical errors which would in my opinion be illegal practice
In my experience, many application owners wish to nudge a consent as much as possible in order to support the commercial side of the business. Here are some examples of typical errors when implementing cookie consent solutions that – in my opinion – would be illegal practice:
Denying requires the user to unfold the consent menu, whereas accepting is available instantly (fails point 5 - unambiguous).
The “accept all” button is combined with a graphic of pre-ticked “necessary” cookies and unticked boxes for other cookie purposes (fails point 5 - unambiguous).
The reject/deny-all option is hidden in the graphics, making it harder to identify than the accept function (fails point 5 - unambiguous).
Cookies for multiple purposes are tied together in a single accept-or-deny choice (fails point 3 – separation requirement).
The pop-up consent manager disappears after a choice is made and cannot be recalled (fails point 5 – withdrawal issue).
The pop-up can be force-closed by the user without making any of the choices (fails point 4, 5 and 6 – for many reasons).
Choosing necessary cookies only results in the cookie banner reappearing on every page click on the website (fails point 5 – at some point it will no longer be voluntary…).
What is the secret then?
The first question to ask yourself is whether you use cookies and why they matter to you.
If you find that your business relies on cookies, consider separating cookies set by you (first-party cookies) from cookies set by others (third-party cookies). This means that instead of grouping cookies solely by function, you group them by deployer and function. It would be interesting to see whether you could turn “deny all” choices into consents that support your business.
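As an added example (not from the article), the following JavaScript consent store applies the deployer-and-purpose grouping described above together with the consent rules summarised earlier: every decision is keyed by deployer and purpose, everything except necessary cookies defaults to denied, a grant that did not come from an active user choice is refused, and withdrawal is as easy as acceptance. All names and the sample cookie inventory are assumptions.

```javascript
// Added example, not from the article. Names and sample data are assumed.
const NECESSARY = "necessary";

class ConsentStore {
  constructor() {
    // "deployer:purpose" -> true only when the user explicitly granted it.
    this.grants = new Map();
  }
  static key(deployer, purpose) {
    return `${deployer}:${purpose}`;
  }
  // Records one decision per deployer/purpose pair (point 3: per-purpose
  // separation). A grant is only accepted when it comes from an active user
  // action (points 4 and 6): defaults, timeouts and pre-ticked boxes cannot grant.
  decide(deployer, purpose, granted, fromUserAction) {
    if (purpose === NECESSARY) return; // no consent needed, nothing to record
    if (granted && !fromUserAction) {
      throw new Error("consent must come from an active user choice");
    }
    this.grants.set(ConsentStore.key(deployer, purpose), granted === true);
  }
  // Withdrawal is a first-class operation (point 5: withdrawable).
  withdraw(deployer, purpose) {
    this.grants.set(ConsentStore.key(deployer, purpose), false);
  }
  withdrawAll() {
    for (const k of this.grants.keys()) this.grants.set(k, false);
  }
  // Gate: a cookie may be set only if it is necessary or explicitly granted.
  mayUse(cookie) {
    if (cookie.purpose === NECESSARY) return true;
    return this.grants.get(ConsentStore.key(cookie.deployer, cookie.purpose)) === true;
  }
}

// Constructed sample inventory, grouped by deployer and purpose.
const COOKIES = [
  { name: "session_id", deployer: "first-party", purpose: NECESSARY },
  { name: "site_stats", deployer: "first-party", purpose: "statistics" },
  { name: "_ga", deployer: "third-party", purpose: "statistics" },
  { name: "ad_id", deployer: "third-party", purpose: "marketing" },
];

// Names of the cookies that may currently be set under the store's state.
function permittedCookies(store, cookies = COOKIES) {
  return cookies.filter((c) => store.mayUse(c)).map((c) => c.name);
}
```

A user may thus accept first-party statistics while denying every third-party purpose, which is the kind of partial consent the grouping is meant to make visible.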
Hopefully, you may also have some ideas yourself after reading this article.