Why your cookie banner is probably breaking the law and what you should do about it

Is your cookie banner breaking the law? Probably.

Most website owners will remember the rush many years ago, to comply with the “EU Cookie Law”. The original 2011 directive made cookie notices a part of internet life. But it didn’t really do much for people’s privacy. Compliance was at best — patchy. Some of us had notices, some of us didn’t. And nobody it seemed, really cared.

Skip to 2018 and everything changed as GDPR came into force. The regulations raised the standards for consent and brought with it the risk of huge fines for non-compliance — up-to €20 million or 4% of turnover whichever is higher. Smartly, many website owners decided to revisit their old cookie notice.

One goal of the regulations was to offer individuals real choice over the data collection they were subjected to by tracking technologies like Google Analytics and Facebook Pixel. But arguably, it hasn’t achieved that goal yet.

For most website visitors from the EU, the required changes had little impact on their privacy. The new banners were simply annoying. Websites began to beg visitors for consent to track them. Opt-in rates remained high as users defaulted to clicking accept in order to save themselves from the hassle of clicking deny, which would unleash an unwieldy dialogue of options.

The tracking continued…

But it wasn’t supposed to be this way. The truth is that most website owners got the regulations wrong. They bent the rules to protect their access to analytical data about how their websites are found and used, and maintain their advertising revenues by allowing trackers from ad networks.

Cookie notices nudged users to click “accept”, and hid the option to decline tracking behind multiple windows.

Deceptive design like this became standard practice.

A study authored by researchers at the Ruhr-Universität Bochum Bochum, Germany and the University of Michigan, US titled “(Un)informed Consent: Studying GDPR Consent Notices in the Field” studied how GDPR was being applied to cookie notices.

The researchers analysed over 5000+ websites with cookie notices and found that only around 11% of the websites surveyed met the basic GDPR requirements.

Similarly, the Irish Data Protection commissioner ran their own snapshot study between August 2019 and December 2019. They found (26%) of the controllers who responded used pre-checked boxes to signal consent to cookies, including to marketing, advertising and analytics cookies. Something which was made illegal under GDPR.

I found similar results in my own research. I ran a compliance test on a sample of 10 law firm websites (yes the people who should know what the guidelines are). I searched Google for “GDPR Solicitor” and took the top 10 results from law firms. My analysis found that only 1/10 had a valid cookie notice according to the GDPR. Many relied on a legal standard that was only valid under the original cookie law.

So far most website owners have been getting away with it, but it hasn’t gone unnoticed. In 2020, things are changing.

This year in response to confusion over the existing rules and the general poor levels of compliance we see across the internet. The European Data Protection Board (EDPB), who ensure the application of GDPR, released guidance on the standards of consent required. The guidance called out the most common failings, and gave examples which cleared up how the law should be interpreted. Following this publication, supervisory authorities in the UKIreland and Spain (the people who hand out the fines) updated their guidance, with Spanish and Irish authorities allowing a grace period for website owners to make changes.

With those grace periods soon expiring, and the first legal cases surrounding the use of cookies under GDPR and PECR reaching decision-time. I think now is the ideal time for anyone running a website to get familiar with the most common mistakes and figure out how you can fix them.

Common Mistakes

No consent, just a notice

Cookie notice reading this website uses cookies to improve your experience

Sometimes we’ll find a cookie notice that simply states something along the lines of “this website uses cookies to improve your experience”. With the option to dismiss the notice by clicking on a button reading “okay”, “got it” or worse still “I like cookies”. This type of notice is not legal, because it does not actually seek any consent. It just tells users’ that cookies are there and gives the user no option to consent to them or not. 

You can only use this type of cookie notice if you 100% do not use any unnecessary cookies. It’s worth noting that analytics cookies like Google Analytics do not count as necessary, and you cannot rely on legitimate interests for their use either.

You must offer a valid consent, accept (with the option to choose accept/deny each individual cookie) or deny. Similarly, consent by “scrolling” or “continuing to browse” is not valid.

Loading cookies before consent is given

Cookie notice reading accept and deny

Often we’ll find notices that load cookies such as Google Analytics or the Facebook Pixel before the user has given their consent – e.g. by clicking I agree. Some cookie mechanisms we find try to respect consent by disabling the cookies placed if the user indicates that they do not agree. But by this time, it’s too late. The guidelines are clear, non-essential cookies cannot be loaded on a user’s device without prior consent. 

You must get consent first.

If you are not sure if you’re currently loading cookies before gaining consent. Try using a chrome plugin like Ghostery. It tells you what cookies and tracking technologies are loaded when you visit websites, try it on your own site.

All cookies bundled into the one accept button

Cookie consent mechanism notice diagram - accept or deny

Then, there are the times where we find a cookie notice, with the option of accept or deny. Great! But when we dig further, we find that clicking the only accept button available  allows the setting of multiple cookies on the user’s device. 

The GDPR is clear, consent must be “specific and granular”. You need to offer people the chance to choose what cookies & tracking technologies they permit. Bundling these cookies into groups, such as “Advertising” – containing your Google Ads and Facebook Ads tracking, and “Analytics” – containing your Google Analytics or Hotjar tracking for example is ok. And yes offering a “accept recommended settings” or “accept all cookies” button is okay, but only when this exists alongside the option to manage cookies in a more granular way, e.g. individually or by type.

As clarified by the Planet49 judgment in October 2019:

“Consent does not need to be given for each cookie, but it must be given for each purpose for which cookies are used. Where a cookie is used for more than one purpose that requires consent, such consent must be obtained for all of those purposes separately.”

You must ensure your cookie consent is specific and granular. So each category of cookies, or each individual cookie can be selected.

Deceptive design practices

Deceptive Cookie Notice Design

Something which everyone will have experienced is loading a website and being presented with a cookie consent notice that nudges us by clever design to click on “agree”. 

Maybe the font size of the deny button is much smaller than the accept. Maybe the accept button is large, centered and in an inviting green colour? While the deny option, or manage settings option is displayed in a small, dull, difficult to see area.

For a while, this was, kind of tolerated. But now, things have changed. Recent guidance from Ireland’s data commissioner calls out this practice specifically. 

“If you use a cookie banner or pop-up, you must not use an interface that ‘nudges’ a user into accepting cookies over rejecting them. Therefore, if you use a button on the banner with an ‘accept’ option, you must give equal prominence to an option which allows the user to ‘reject’ cookies, or to one which allows them to manage cookies and brings them to another layer of information in order to allow them do that, by cookie type and purpose.”

You must ensure that your cookie consent options are clearly labelled, and offer a fair choice to the user. That means making the deny and accept options of equal prominence at least.

Pre-checked cookie options 

Cookie notice with prechecked consent boxes

We used to see a lot of this, but recent court rulings and guidance have changed things. Some cookie notices display all cookie options, grouping and individual cookies pre-checked. This is no longer valid. The EU have made it clear that valid consent cannot involve pre-checked boxes. 

You must ensure that any options on your cookie consent notice are unchecked when accessed.

Solutions

So if you have a problem, what do you do?

First review your existing mechanism, maybe you just need to update the software behind it or tweak some settings. 

If that doesn’t work, it’s time to find a solution that keeps you legal. You don’t want to risk financial penalties or reputational damage from investigations and fines from supervisory authorities.

Depending on your technical skills there are a few options. You could use some open source software like Osano (free option and paid option) or Klaro (free) to implement your own cookie consent solution. Alternatively, you could outsource with a paid solution like Iubenda (10% discount), which offers some other advantages, like minimal technical knowledge required and no need to pay for developers to maintain it.

Lastly, feel free to get in touch with the team at Measured Collective if you’d like us to check if your website is compliant or not.