Noyb Guidelines on Cookie Banner Dark Pattern 2024
UniConsent
7 min read
Table of contents
The noyb (a European Centre for Digital Rights is an Austrian non-profit organization working in the privacy and data protection law) recently reported on the consent banner. It underscores the widespread use of deceptive practices in cookie consent banners and the need for stricter enforcement of data protection laws. The noyb highlighted specific non-compliance issues and provided recommendations to improve consent collection practices, aiming to ensure that user consent is informed and voluntary.
Noyb Guidelines on Cookie Banner Dark Pattern 2024
Background
In recent years, data protection authorities (DPAs) across Europe have received numerous complaints regarding cookie banners. In response, the European Data Protection Board (EDPB) established a task force in September 2021 to coordinate responses to these complaints. In January 2023, this task force published a report titled “Report of the Work Undertaken by the Cookie Banner Taskforce,” providing their opinions and recommendations on the violations found in consent banners across the web. The 2023 report emphasizes that the taskforce's findings represent only the minimum thresholds for consent banners and that national DPAs have the authority to adopt higher standards.
Cookie Banner Non-Compliance Risk Points
In the newest report, the noyb gives us some takeaways: For instance, almost all authorities agree that if there is an "Accept Cookies" option, there must also be a "Reject" option on the same layer of the consent banner. Pre-ticked checkboxes are not permissible. Consent is mandatory for cookies that are not strictly necessary.
Here are the complete points:
No Reject Button on the First Layer
Many consent banners do not provide an option to reject cookies on the first layer, leading users to believe they must accept cookies to continue using the site.
For example, a banner with only an "Accept" button and no visible "Reject" option on the first screen.
This practice leads to user frustration and higher likelihood of unintentional consent due to the additional effort required to refuse cookies.
Pre-Ticked Boxes
Some banners use pre-ticked boxes for consent, requiring users to uncheck them to reject cookies, which is not considered valid consent.
For example, consent options are pre-selected, and users must manually deselect them to opt out.
This practice does not constitute valid consent as it is not freely given, specific, informed, or unambiguous.
Deceptive Link Design
The "Reject" option is often presented as a less prominent link compared to the "Accept" button, misleading users into thinking acceptance is the only option.
For example, the "Accept" button is prominently displayed, while the "Reject" option is a small link embedded in text.
Users may not notice the reject option, leading to unintentional consent.
Deceptive Button Colours
Highlighting the "Accept" button over other options using different colours, making it more attractive and misleading to users.
For example, the "Accept" button is bright and eye-catching, while the "Reject" button is dull and blends into the background.
This design misleads users into thinking that accepting cookies is the default or only option.
Deceptive Button Contrast
Using different contrast ratios for "Accept" and "Reject" buttons, making the "Reject" button less visible and harder to notice.
For example, the "Accept" button has high contrast, while the "Reject" button has low contrast, making it difficult to read.
Users might unintentionally give consent due to the visual prominence of the "Accept" option.
Legitimate Interest Claimed
Some banners claim legitimate interest as a basis for processing personal data without clear opt-out options.
For example, a banner stating that data processing is based on legitimate interest without providing an easy way to object.
This can confuse users and potentially violate their rights under GDPR.
Inaccurately Classified Cookies
Misclassifying cookies as essential when they are not, preventing users from rejecting them.
For example, classifying analytics cookies as essential to avoid seeking consent.
Users cannot opt out of non-essential cookies, which should require consent.
Not as Easy to Withdraw Consent as to Give Consent
Withdrawing consent is often made more difficult than giving it.
For example, it is not easy-to-find "Withdraw Consent" button or link, unlike the prominent consent options.
Users might continue to share their data unintentionally due to the difficulty of withdrawing consent.
The overview of those key points:
| DPA/Cookie Banner Question | EDPB Report | Austria | Belgium | Czech Republic | Denmark | Finland | France | German DSK (DPAs) | Greece | Ireland | Italy | Luxembourg | Netherlands | Spain |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Requires cookie reject option on first layer | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Considers pre-ticked boxes illegal | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Considers a link option to be misleading | Sometimes | ? | ✓ | ✓ | ✓ | ? | ✓ | ✓ | ✓ | ✓ | ✓ | ? | ✓ | ✓ |
| Agrees that no nudging through different button colours should occur | Sometimes | ? | ✓ | ✗ | ✓ | ? | ✗ | ✓ | ✓ | ✓ | ✓ | ✓ | ? | Sometimes |
| Agrees that no nudging through button contrast (compared to background) should occur | Sometimes | ? | ✓ | ✗ | ✓ | ? | ✗ | ✓ | ✓ | ✓ | ✓ | ✓ | ? | Sometimes |
| Relying on legitimate interest for installing non-essential cookies is illegal | ✓ | ? | ✓ | ✓ | ? | ✓ | ✓ | ✓ | ✓ | ? | ✓ | ✓ | ? | ✓ |
| Wrong classification of cookies and therefore installing them without consent is an issue | ✓ | ? | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ? | ✓ | ✓ | ? | ✓ |
| Withdrawal is only permissible through a permanently visible floating icon | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ |
UniConsent's Compliance Solutions
UniConsent ensures cookie banner compliance by addressing these issues through:
- Visible Reject Button: Ensuring the "Reject" button and "Manage Option" button are as prominent as the "Accept" button on the first layer.
- Opt-In Mechanism: All consent options are unchecked by default, requiring active opt-in.
- Clear Design: Equally prominent and clear design for both "Accept" and "Reject" options.
- Consistent Button Colours and Contrast: Using similar colours and contrast levels for all options to avoid misleading users.
- User-Friendly Withdrawal: Providing "Consent Settings" for users to withdraw consent at any time.
About UniConsent
UniConsent is a part of Transfon's privacy-first User Experience Platform that serves tens of millions of users per day to provide a seamless privacy experience for both users and publishers in the age of post GDPR. Contact us to know more: hello@uniconsent.com
Activate Google Consent Mode UniConsent to enhance the accuracy of your Google Analytics and Google Ads conversion data.
Set up Google Consent Mode →Get started to make your website and application compliant for EU GDPR, US CPRA, CA PIPEDA etc
Sign upConsent Management Platform Resources
Google Consent Mode V2 Explained
New York Attorney General Releases Guidelines for Website Privacy Controls
Google's Recent Decision to Retain Third-party Cookies
Canada: Insights from Canada's Privacy Commissioner on Deceptive Design Patterns
Noyb Guidelines on Cookie Banner Dark Pattern 2024
Google Data Privacy Changes: Key Updates in July 2024
Get started to make your website and application compliant for EU GDPR, US CPRA, CA PIPEDA etc
Sign up