Introduction
Too many consent banners deny users real choice about access to their personal data. Cookiebot™ shares best practices for configuring a banner that meets GDPR compliance requirements.
To present a consent banner that is compliant with the GDPR and other global data privacy regulations, you mustn’t coerce (nudge, manipulate, pressure…) your website or app visitors into consenting to tracking or other uses of their personal data. It also has to be as easy to opt out, change, or withdraw consent later as it is to opt in.
When you create an account and implement Cookiebot CMP, the default banner configuration enables GDPR compliance right out of the box. If you change the preset settings for any reason, in this guide we’ll show you how you can configure your banner to avoid any coercion to obtain consent. We will also help you ensure that you only set cookies in the categories that the visitor has consented to.
Background on NOYB's GDPR noncompliance complaints
Non-profit organization NOYB ("None Of Your Business") is focused on protecting consumers' right to privacy. They have developed software to quickly detect whether websites' cookie consent banners are GDPR-compliant. This software was developed in response to the number of violations seen in banner configurations. NOYB claims such user interface elements are created explicitly to make it difficult for users to opt out of cookie usage that collects their personal data (also referred to as "dark patterns").
This software is linked to an automated system that generates GDPR compliance complaints and notifies the company behind the website of the violations discovered. If no action is taken within a month of notification, these companies risk an official complaint being filed with the relevant data protection authorities.
To help ensure cookie banners are compliant with the GDPR regulation and to address noncompliance issues NOYB has found, we have created an overview of common GDPR violations with consent banners:
- no "reject" option on the first layer
- pre-ticked boxes on second layer
- deceptive link design
- deceptive button colors
- deceptive button contrast
- legitimate interest as the legal basis
- inaccurate classification of cookies
- not as easy to change or withdraw consent as to give it
We have also included information about how you can check if your Cookiebot CMP banner configuration is GDPR-compliant.
Start by opening your banner configuration settings:
- Log in to your account
- Go to the Dialog tab in the Settings section
No reject option in the first layer
Opting out of cookies must be as easy as opting in, which means the Reject option should be on the same level as the Accept option. This can easily be achieved by using the Reject all / Selection / Allow all banner type. (Example A in the screenshot.)
- Select Multilevel from the Type drop-down menu
- Save your settings using the checkmark in the blue bar on the left side
Pre-ticked boxes for categories
Cookiebot CMP can be configured to enable the user to submit granular consent by selecting among a number of purpose categories. The user would tick a checkbox for each category to which they consent. For example, they could accept cookies to remember their preferences on your website, but deny being tracked for marketing purposes. Cookiebot CMP is configured by default to provide these choices with no pre-ticked selections.
This configuration setting is only applicable when using the banner types Multilevel and Inline Multilevel, as these open up new configuration options to check the category boxes. In order to be GDPR-compliant, make sure that none of the checkboxes in your cookie consent banner are pre-ticked. (Example B in the screenshot.)
- Select Multilevel or Inline multilevel from the Type drop-down menu to confirm that all category checkboxes are unchecked. The Necessary category will always be pre-checked in the banner as that is required for the normal functioning of the website or for the website to be able to provide intended services. Therefore, cookies in this category do not require user consent.
- Save your settings using the checkmark in the blue bar on the left side
Deceptive design: link instead of button only to reject consent
On the initial consent request and submission, the opt-in and opt-out options should have equal appearance, accessibility, and weight. This means you should avoid having a button for the opt-in option but something different and less visible, such as a link, for opting out.
Using buttons or links for both opt-in and opt-out is acceptable, provided they are equally presented.
Because of this noncompliance risk, this mixed consent option design is not a choice on any of our default banner templates.
If you currently have a banner with no opt-out button, or have configured an opt-out link in your banner text that doesn’t match your opt-in button, it is strongly recommended to remove this setup and use the solution described in the “No reject option in the first layer” section above.
Deceptive design: button contrast
All options in the CMP interface must have equal weight and visibility.
The colors and contrast of the buttons on any default banner type do not differ between the opt-in and opt-out options, and any customized UI options should be equal as well.
Deceptive design: button color
If you use the Allow all/Selection buttons, both have the same color (default hex #188600).
The Reject all / Selection / Allow all buttons have green (default hex #188600) opt-in options and dark gray (default hex #333333) opt-out options by default.
These different colors were chosen to make it easy to distinguish between opting in and opting out. Neutral colors were chosen to avoid discouraging opt-outs.
You can change the colors of the buttons by selecting Custom in the Theme drop-down menu. Using the same color for all three options is strongly recommended.
Legal basis: legitimate interest
The use of legitimate interest instead of consent as a legal basis for collecting and processing personal data is under increasing scrutiny by privacy advocates and data protection authorities. It has been removed as a legal basis option under some privacy laws.
Using legitimate interest as legal basis for tracking and personal data processing is not offered in Cookiebot CMP and therefore not a part of the standard banner settings.
As of the update to IAB Europe’s Transparency and Consent Framework version 2.2 (TCF v2.2) legitimate interest can no longer be selected as a legal basis for advertising and content personalization. Only consent can be selected.
It is possible to select legitimate interest in the TCF v2.2 for some other purposes, though, so it is available in Cookiebot banners.
Please see Cookiebot and the IAB Consent Framework – Cookiebot Support for more information about the IAB's TCF integration, its configuration, and the IAB’s policy for the use of legitimate interest. That policy is not controlled by Cookiebot™; the TCF is a third-party integration in the CMP and not a native feature.
Inaccurate classification: non-essential cookies categorized as strictly necessary
Known cookies will be assigned a generally appropriate category. In most cases this categorization should not be changed.
For example, your marketing department will likely find analytical data extremely valuable and might make the argument that cookies designed to track a user across pages are necessary (and thus could be activated without user consent).
However, necessity is defined as “required for the website to function normally, and/or to provide the service the website is meant to provide”. There are extremely few instances where this would be the case for cookies that by default have been categorized as statistical or marketing. For this reason, we strongly recommend using the default categorizations.
In order to be able to give informed consent, it is essential that you assign cookies to the appropriate category, with a purpose description, during implementation or as soon as possible. This can be done in the Cookies section in the Manager.
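As an added illustration of the point above (this is example code, not Cookiebot's own), the block below gates cookie writes on per-category consent and audits a `document.cookie` string for cookies present without consent. The consent object shape (boolean flags per category) is an assumption made here, and the cookie names and categories are constructed sample data.

```javascript
// Added example: consent-gated cookie writes plus an audit check.
// Assumption: consent is a plain object of per-category booleans
// (necessary / preferences / statistics / marketing), as a CMP would expose.

// Constructed mapping of cookie name -> consent category.
const CATEGORY_OF = {
  cookieconsent: "necessary",
  session_id: "necessary",
  site_lang: "preferences",
  _ga: "statistics",
  _fbp: "marketing",
};

// Constructed consent state: the visitor ticked only "preferences".
const SAMPLE_CONSENT = {
  necessary: true,
  preferences: true,
  statistics: false,
  marketing: false,
};

// True only if the cookie's category has consent. Unclassified cookies are
// refused: a cookie without a category cannot have been consented to.
function mayWriteCookie(name, consent, categoryOf = CATEGORY_OF) {
  const category = categoryOf[name];
  if (category === undefined) return false;
  return consent[category] === true;
}

// Parse a document.cookie-style string ("a=1; b=2") into cookie names.
function cookieNames(cookieHeader) {
  return cookieHeader
    .split(";")
    .map((part) => part.trim())
    .filter((part) => part.length > 0)
    .map((part) => part.split("=")[0].trim());
}

// Audit: which cookies present in the browser lack consent for their
// category (or are unclassified)? Run after the banner has been answered.
function cookiesWithoutConsent(cookieHeader, consent, categoryOf = CATEGORY_OF) {
  return cookieNames(cookieHeader).filter(
    (name) => !mayWriteCookie(name, consent, categoryOf)
  );
}

// Constructed document.cookie snapshot: _ga and _fbp should not be there,
// because statistics and marketing were not consented to.
const SAMPLE_COOKIES =
  "cookieconsent=v1; session_id=abc; site_lang=en; _ga=GA1.2.1; _fbp=fb.1.2";
```

Wrapping every `document.cookie = ...` write in `mayWriteCookie` keeps the banner's choices and the cookies actually set in agreement, and the audit function gives a quick check that the categorization matches what the visitor consented to.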
Consent management: should be as easy to withdraw as provide
Cookiebot CMP enables users to change or withdraw consent that they have previously given.
If you have correctly followed the last part of step 4 in our manual installation guide, or step 3 in our standard installation guide, then information about the user’s options to change or withdraw consent is automatically included in the Cookie Declaration on your website. You can also enable the Privacy Trigger on your website so that this option is easily and visibly available to your users at all times.
If you have not made use of the Cookie Declaration, then you must create your own option for the user to change or withdraw consent. See our article: What is the Cookie Declaration (cookie policy) and what is included in it? for more information about implementing the Cookie Declaration and How can the user change or withdraw a cookie consent? for alternative ways to compliantly provide this option.
In addition to providing the functionality, you also need to inform visitors that they can change or withdraw their consent at any time, and provide them with instructions to do so if this is not intuitive. As best practice for user experience, we recommend always providing instructions for user interactions with the CMP.
Other GDPR requirements
There are a number of GDPR requirements that are also relevant to website owners but are not related to the specific use of cookies and online tracking, and so are not covered by the Cookiebot CMP.
You must disclose that users are entitled to:
- access, correct, delete and/or limit processing of their personal data and receive a copy of their personal data so that it can be used by another processor (data portability)
- lodge a complaint with a supervisory authority (Art. 77 GDPR)
Users must also be provided with information about how to exercise these rights and an easily accessible method of contacting the data controller (e.g. the website owner) to do so. This information is commonly incorporated in the Privacy Policy on the website.
Please consult with qualified legal counsel and/or a data privacy expert familiar with GDPR requirements to help ensure your consent management is compliant. Different EU countries may also have additional laws affecting consumers’ rights and data privacy that must be observed, and different EU countries’ data protection authorities may approach enforcement differently.
If you have questions, are struggling with the configuration of your Cookiebot CMP consent banner, or are otherwise in need of assistance, you can always reach out to our Support team.