Do You Operate in the EU? Avoid these Cookie Banner Setup Mistakes
You have an obligation to set up your website in such a way that you obtain a user’s permission before storing cookies on their device. This obligation applies to all types of cookies, except cookies of a functional nature and as such absolutely necessary for the correct functioning of your website, such as those that help remember the user’s login credentials without which the users would be unable to access or use the website.
This obligation has given businesses many headaches over time and has, sadly, the potential to lead to penalties being applied to businesses where cookie banners are set up incorrectly. Unknowingly, many businesses across the EU have conducted what may be called ‘poor practices’ rather than best practices, in their attempt at staying compliant, and this has resulted in complaints submitted to the relevant data protection authorities.
To help you sort this out, and relying on the EDPB’s guidelines, we’ve come up with a list of mistakes to avoid when setting up your cookie banner for the first time, or mistakes to fix now, before your business joins the ranks of those penalized for ‘poor compliance.:’
Mistake 1: Failing to Display a ‘Reject All’ Button
Many cookie banners will give users the options to accept the storage of cookies by clicking an ‘Accept All’ button, or to view additional options, but they do not include a button allowing users to simply reject all cookies that are not of a functional nature, and thus essential. Because no cookies can be placed without consent, and consent under GDPR requires an unambiguous action on the part of the user, your cookie banner should also include the ‘Reject All’ button to allow for the expression of consent through an action performed by the users.
Mistake 2: Using Deceptive Designs for Links
It has been noticed that many cookie banners display a button for the acceptance of cookies but for the refusal of these, there is instead a link that is either embedded in the text of the cookie banner, or outside the cookie banner entirely, making it difficult for users to notice this option, and invalidating consent. Consent has to be obtained clearly and unless a user understands what they are consenting to, or how to express their consent, this is not valid. Making use of such designs as a hyperlinked word like ‘Refuse’/’Reject’ or ‘Continue without accepting’ might cause users to give consent simply because they did not see the hyperlinked word and as such were forced to give consent so they can make use of your website.
Mistake 3: Using Deceptive Colors and Contrast for Buttons
When configuring your cookie banner, using the branding colors of your business is a natural step of the process. However, pay attention to the button colors and contrasts, especially when it comes to the contrast ratio between the button color and the text displayed. If the text color of the buttons is chosen in such a way that it causes the text to become unreadable when in contrast to the background color of the button itself, consent might become unintended and thus invalid.
Mistake 4: Having Pre-ticked Boxes
It is against both the requirements of the GDPR and the ePrivacy Directive as related to consent for your cookie banner to contain pre-ticked boxes on its second layer, as this does not constitute valid consent. Your website users cannot be provided with pre-ticked boxes, for example, for the categories of cookies permitted as this is seen as you are opting in on their behalf.
Mistake 5: Wrongly Classifying Cookies
Although the features of cookies change constantly, if you classify cookies and processing operations that use the personal information of users as “essential” or “strictly necessary” you have to be able to provide relevant documentation to support the classification you made. Unless you can provide such documentation whenever it is asked by the competent authorities, you run the risk of being non-compliant in your cookie banner setup.
Mistake 6: Not Display a Consent Withdrawal Option
According to both the ePrivacy Directive and the GDPR, both the expression and the withdrawal of consent have to be made easily accessible to users. While not an obligation, at least not at this time, displaying an easily accessible solution on your website that allows users to withdraw their consent at any time, such as a hovering icon that is permanently visible, will be seen as a good step towards compliance and will prevent your business from being investigated by competent authorities when your consent withdrawal mechanisms would be challenged.
As the world of data privacy evolves, so are the requirements and best practices that help businesses stay compliant. To read more about the regulations we mentioned above, you can access our overviews of these on our Regulations page.