Introduction
A whole industry of consultants and designers develop crazy click labyrinths to ensure imaginary consent rates. Frustrating people into clicking ‘okay’ is a clear violation of the GDPR’s principles. Under the law, companies must facilitate users to express their choice and design systems fairly.
Max Schrems, Chair of NOYB
In order to have a GDPR compliant banner the general rule of thumb should be that you mustn’t coerce (“nudge”) your visitors into consenting to tracking, and it should be just as easy to opt out as it is to opt in.
You also need to ensure that a visitor can change their mind later and change or withdraw their consent all together.
When you create an account with Cookiebot, the default banner configuration will be GDPR compliant. If you for any reason have changed the presets, in this guide we’ll show you how you can configure a banner that uses no coercion to obtain consent and how to ensure that you only set cookies in those categories that the visitor has consented to.
NOYB aims to end “cookie banner terror”
Non-profit organization NOYB ("None Of Your Business), striving to protect the right to privacy, has recently developed a new software used to quickly detect whether cookie banners are GDPR compliant. This software is based on a number of violations often seen in banner configurations, NOYB claims are created explicitly to make it difficult for users to opt-out of cookies (also referred to as "dark patterns"). This software is linked to an automated system that generates GDPR complaints and notifies the company behind the website of the violations discovered. If no action is taken over the course of the next month, these companies risk an official complaint filed with the relevant authorities.
Following up on this NOYB campaign to make sure cookie banners are compliant with GDPR legislation, we have created an overview of these violations1 and how you can check if your Cookiebot banner configuration is compliant.
This article will be updated as we receive more information from NOYB, particularly in regard to a full list of violation types.
In order to do this step-by-step check, you can start by opening your banner configuration settings:
- Log in to your account https://manage.cookiebot.com/goto/login
- Go to the "Dialog" tab, on the "Settings" section
A. No „reject“ option on the first layer
Opting out of cookies should be just as easy as opting in, which means the "reject" button should be on the same level as the "accept" button. This can easily be achieved by using the "Reject all / Selection / Allow all" banner type A.
- Select "Multilevel" from the "Type" dropdown menu
- Save your settings (tick mark in the blue bar on the left-hand side)
B. Pre-ticked boxes for categories
Cookiebot can be configured to allow the user to submit a granular consent by selecting between a number of purpose categories by ticking a checkbox for each category. The user could e.g. accept cookies to remember the user’s preferences on your website, but deny being tracked for marketing purposes. Cookiebot is by default configured to provide these choices with no pre-ticked selections.
Applicable only when using the banner types "Multilevel" and "Inline Multilevel", as these open up new configuration options to check the category boxes. In order to be GDPR compliant, make sure that none of the checkboxes in your cookie consent banner are pre-ticked:
- Select "Multilevel" or "Inline multilevel" from the "Type" dropdown to menu ensure that all category checkboxes are unchecked. The “Necessary” category will always be pre-checked in the banner as they are required for the normal functioning of the website, or for the website to be able to provide the service it is intended to provide. Therefore, cookies in this category do not require consent.
- Save your settings (tick mark in the blue bar on the left-hand side)
C. Link instead of button to reject - Deceptive design
On the initial consent submission, the opt-in and opt-out options should have equal weight. This means that you should avoid having a button for the opt-in option combined with a link for opting out.
For this very reason, this design cannot be chosen on any of our default banners.
If you currently have a banner with no opt-out button and have configured a link to opt-out on your banner text, please consider removing this and using the solution mentioned in section A instead.
D. Deceptive button contrast
Similar to the previous point, all options must have equal weight and a different contrast for different options is not advisable.
The contrast of the buttons on any default banner type do not differentiate between opting in or out.
E. Deceptive button color
If you use the "Allow all/selection" buttons, both buttons have the same color (default #188600).
The "Reject all / Selection / Allow all" buttons by default have green (default #188600) opt in options and a dark gray (default #333333) opt out option. The different colors were chosen to make it easy to distinguish between opting in and opting out, but neutral colors were chosen to avoid discouraging an opt-out.
You can change the colors of the buttons by selecting “Custom” in the “Theme” dropdown menu if you prefer using the same color for all three options though.
H. Legitimate interest
The use of legitimate interest instead of consent is a focus area for NOYB and others. Using legitimate interest as legal basis for tracking is not a functionality/feature offered in Cookiebot CMP and therefore not a part of the standard banner settings.
Legitimate interest is part of the IAB integration that can be enabled on a Cookiebot banner though. Please see Cookiebot and the IAB Consent Framework – Cookiebot Support for more information about the IAB integration, configuration and IAB’s policy around the use of legitimate interest which is not controlled by Cookiebot as an integrating CMP.
I. Inaccurate classification - Non essential cookies marked up as strictly necessary
Known cookies will have been assigned a generally appropriate category. In most cases this categorization should not be changed.
For example: Your marketing department will likely find analytical data extremely valuable and might make the argument that cookies designed to track a user across pages are necessary.
Keep in mind though that necessity is defined as “required for the website to function normally, and/or to provide the service the website is meant to provide”. There are extremely few instances where this would be the case for cookies that by default have been categorized as statistical or marketing cookies. For this reason, we recommend using the default categorization.
In order to be able to give informed consent, it is essential that you assign cookies the appropriate category (and a purpose description) at your earliest convenience. This can be done on the Cookies section in the Manager.
K. Withdrawing consent should be as easy as giving it.
The possibility for the website user to withdraw - and/or change - a consent is included in the Cookiebot solution. If you have correctly followed the last part of step 4 in our manual installation guide or you have used step 3 in our standard installation guide then the options for the user to change and withdraw consent is included in the Cookie Declaration on your website. You can also simply enable the Privacy trigger on your website and have this option easily and visibly available for your users at all time: The Cookiebot CMP Privacy trigger.
If you have not made use of the Cookie Declaration, then you must create your own ways for the user to withdraw his consent. See What is the Cookie Declaration (cookie policy) and what is included in it? for more information about implementing the Cookie Declaration and How can the user change or withdraw a cookie consent? for alternative ways to provide this option.
Keep in mind that you also need to inform visitors that they can withdraw their consent and provide them with instructions to do so if this is not intuitive.
Other GPDR requirements
There are a number of GDPR requirements that are relevant for you as a website owner but that are not related to the specific use of cookies and online tracking and therefore not covered by the Cookiebot solution.
For example, you must disclose that the user is entitled to access, correct, delete and limit processing of personal data, disclose that the user is entitled to receive personal data so that they can be used by another processor, and disclose that the user has the right to lodge a complaint with a supervisory authority (GDPR Article 77). This is information that many choose to incorporate in the Privacy Policy on their website.
Please consult the GDPR legal text or a trusted source (e.g. the Data Protection Authority in your country) for a full overview of the requirements and to help ensure your website meets all those requirements.
A list of all national Data Protection Authorities in the EU can be found here.
If you're struggling with the configuration of your banner, have question, or are otherwise in need of assistance; You can always reach out to our support team: support@cookiebot.com
1 Violation types as defined by NOYB
A. No "reject" option on the first layer
B. Pre-Ticked Boxes on Second Layer
C. Deceptive Link Design
D. Deceptive Button Colors
E. Deceptive Button Contrast
F. Currently unknown - awaiting information from NOYB
G. Currently unknown - awaiting information from NOYB
H. Legitimate Interest Claimed
I. Inaccurate Classification of Cookies
J. Currently unknown - awaiting information from NOYB
K. Not as easy to withdraw as to give consent
Comments
0 comments
Please sign in to leave a comment.