Guide: A lawful GDPR cookie consent pop-up

Published 2 July 2023

Non-compliant cookie banners have become a significant focus for data protection authorities, and several major tech companies have been fined for them. The most common violation is the absence of a refusal mechanism that is as straightforward as the acceptance mechanism, and the French data protection authority, CNIL, has led the way in penalizing companies for this infringement.

Conclusion first

For those of you who just want the conclusion on how to design a lawful GDPR cookie banner, here is the recipe:

  1. Clear Indication: The banner should clearly indicate what it is about, the purpose of the consent being sought, and how to consent to cookies. The user should be able to understand what they consent to and how to do so.

  2. Accept and Reject Options: The banner should provide both accept and reject options on any layer with a consent button. The absence of a refuse/reject/not consent option on any layer with a consent button is not in line with the requirements for valid consent.

  3. No Pre-Ticked Boxes: Pre-ticked boxes to opt-in do not lead to valid consent. Consent must be expressed by a positive action on the part of the user.

  4. No Deceptive Design: The banner should not be designed in a way that gives users the impression that they have to give consent to access the website content, nor in a way that nudges the user towards consent. For example, it should allow the user to continue browsing without non-essential cookies from the first layer.

  5. Easy Withdrawal of Consent: Website owners should put in place easily accessible solutions allowing users to withdraw their consent at any time, such as a small, permanently visible hovering icon or a link placed in a visible and standardized place. Withdrawing consent must be as easy as giving it, and must be possible at any time.
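The five points above are a specification for the consent logic behind a banner, not just its wording. The following JavaScript is an added example (not code from the original post or from any of the companies discussed) of a minimal consent manager that follows them: the default state is "no consent" with nothing pre-ticked, accept and reject are symmetric one-click actions, non-essential cookies are gated on a recorded choice, and withdrawal is a single call that also clears the cookies it no longer permits. The category names, storage key, cookie names and the 6-month validity period are assumptions for the example (CNIL's guidelines recommend re-asking after six months). The logic is kept independent of the DOM so it can be exercised outside a browser; only the small render function at the end touches `document`.

```javascript
// Added example (not from the original post): consent manager implementing
// the five "recipe" points. Category names, storage key, cookie names and the
// validity period are assumptions made for this example.

const OPTIONAL_CATEGORIES = ["analytics", "advertising"]; // assumed categories
const STORAGE_KEY = "consent_v1";                          // assumed storage key
const CONSENT_TTL_MS = 180 * 24 * 60 * 60 * 1000;          // assumed 6-month validity

class ConsentManager {
  // `storage` is anything with getItem/setItem/removeItem (e.g. window.localStorage).
  // `now` is injectable so expiry can be exercised deterministically.
  constructor(storage, now = () => Date.now()) {
    this.storage = storage;
    this.now = now;
  }

  // Point 3: the default is "no consent", never pre-ticked. A missing, expired
  // or unreadable record all mean that nothing optional is allowed.
  load() {
    const raw = this.storage.getItem(STORAGE_KEY);
    if (!raw) return null;
    try {
      const rec = JSON.parse(raw);
      if (typeof rec.ts !== "number" || this.now() - rec.ts > CONSENT_TTL_MS) return null;
      return rec;
    } catch {
      return null;
    }
  }

  save(choices) {
    const rec = { ts: this.now(), choices };
    this.storage.setItem(STORAGE_KEY, JSON.stringify(rec));
    return rec;
  }

  // Point 2: accept and reject are symmetric one-step actions on the first layer.
  acceptAll() {
    return this.save(Object.fromEntries(OPTIONAL_CATEGORIES.map((c) => [c, true])));
  }
  rejectAll() {
    return this.save(Object.fromEntries(OPTIONAL_CATEGORIES.map((c) => [c, false])));
  }

  // Point 5: withdrawal is one step as well and takes effect immediately.
  withdraw() {
    this.storage.removeItem(STORAGE_KEY);
  }

  // Every non-essential tracker is gated behind this. Unknown category => false.
  isAllowed(category) {
    const rec = this.load();
    return rec !== null && rec.choices[category] === true;
  }

  // Point 4: the page keeps working without optional cookies; the banner is
  // shown only while no decision is recorded and never blocks the content.
  needsBanner() {
    return this.load() === null;
  }
}

// Cookies each optional category may set (assumed names for the example).
const CATEGORY_COOKIES = { analytics: ["_ga", "_gid"], advertising: ["_fbp", "IDE"] };

// Remove cookies of every category that is not (or no longer) allowed.
// `cookieJar` stands in for document.cookie as a plain mutable object.
function purgeDisallowed(manager, cookieJar) {
  const removed = [];
  for (const [cat, names] of Object.entries(CATEGORY_COOKIES)) {
    if (manager.isAllowed(cat)) continue;
    for (const n of names) {
      if (n in cookieJar) { delete cookieJar[n]; removed.push(n); }
    }
  }
  return removed;
}

// Browser wiring. Point 1: plain wording on what the consent is for;
// point 2: "Reject all" is a button next to "Accept all", not a link.
function renderBanner(manager, doc) {
  if (!doc || !manager.needsBanner()) return null;
  const banner = doc.createElement("div");
  banner.setAttribute("role", "dialog");
  banner.innerHTML = "<p>We use optional analytics and advertising cookies. Choose:</p>" +
    '<button data-act="accept">Accept all</button> <button data-act="reject">Reject all</button>';
  banner.addEventListener("click", (e) => {
    const act = e.target.getAttribute && e.target.getAttribute("data-act");
    if (act === "accept") manager.acceptAll();
    else if (act === "reject") manager.rejectAll();
    else return;
    banner.remove();
  });
  doc.body.appendChild(banner);
  return banner;
}

if (typeof document !== "undefined") {
  renderBanner(new ConsentManager(window.localStorage), document);
}
```

In a real deployment every tag-manager or advertising script load is wrapped in `isAllowed(category)`, and the permanently visible "cookie settings" link calls `withdraw()` followed by `purgeDisallowed()`, so that withdrawal is the same single click as acceptance.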

For those of you who need more persuasion, or who need to persuade someone in your organization, we have gathered a comprehensive overview of important events on this topic. Here you have 275 million reasons and more why it is wise to have a compliant cookie banner.

Google fined 150 million Euros

Google was fined a total of 150 million euros on December 31, 2021, for violations related to cookie consent on google.fr and youtube.com. The CNIL concluded that users couldn't refuse or accept cookies as easily as required by law. The refusal mechanism for cookies was deemed more complex than the acceptance mechanism, effectively discouraging users from refusing cookies. This was considered an infringement of Article 82 of the French Data Protection Act, which upholds the freedom of consent for Internet users. Google was fined 90 million euros for Google LLC and 60 million euros for Google Ireland Limited. This significant fine was justified by the number of people affected and the considerable profits that the companies make from advertising revenues indirectly generated from the data collected by cookies.

Google changed their cookie consent across all of the EU after the CNIL case. Here is a before and after comparison:

Google cookie consent (image): the "Reject all" button is moved to the front.

Microsoft hit with 60 million Euro fine over cookie banner non-compliance

On December 19, 2022, the French data protection authority (CNIL) fined Microsoft Ireland Operations Limited €60 million for failing to comply with cookie consent rules, a significant GDPR-related penalty. The fine resulted from a complaint about the conditions for depositing cookies on "bing.com". The CNIL found that cookies, used in part for advertising purposes, were placed on users' devices without their consent. A significant issue was the absence of an easy way for users to refuse cookies, a violation of the French Data Protection Act, which mandates explicit user consent for such cookies. The fine was justified based on the scope of data processing, the number of data subjects, and the profits the company made indirectly from data collected via cookies. In addition to the fine, the CNIL issued an order requiring the company to obtain the consent of individuals residing in France before depositing cookies and tracers with advertising purposes on their terminals within three months, with a penalty of €60,000 per day for non-compliance.

Facebook fined 60 million Euros for cookie banner violations

In a significant move, CNIL imposed a fine of 60 million euros on Facebook Ireland Limited on December 31, 2021, due to its non-compliant cookie consent practices. The company was found to make it difficult for users to refuse cookies as compared to accepting them, effectively affecting users' freedom of consent. The CNIL's investigation into Facebook's practices revealed that refusing cookies required several clicks, whereas acceptance required only one, and the option to refuse cookies was confusingly labeled as "Accept Cookies". Additionally, the company was ordered to provide a simple means for users to refuse cookies within three months, or face a penalty of 100,000 euros per day of delay. The CNIL asserted its jurisdiction over such matters, as the use of cookies falls under the scope of the ePrivacy directive and is conducted within the "framework of the activities" of Facebook France, the French establishment of the Facebook group.

Facebook changed their cookie consent across all of the EU. Here is a before and after comparison:

Facebook cookie consent (image): the "Decline optional cookies" button is moved to the front.

TikTok fined 5 million Euros

On 29 December 2022, TikTok was fined 5 million euros for similar reasons. The CNIL found that users of tiktok.com couldn't refuse cookies as easily as they could accept them. Users were also not adequately informed about the purposes of the different cookies. This was deemed a violation of Article 82 of the French Data Protection Act. The fine amount was decided based on the breaches identified, the number of people concerned, including minors, and the CNIL's previous communications stating that it must be as simple to refuse cookies as to accept them.

Watch out - an automated bot might check your website and file a complaint

The European non-profit organization, noyb, is playing an instrumental role in combating the pervasive non-compliance with GDPR cookie consent requirements. They assert that users' consent for cookies should be actively given, rather than implied or passively assumed. This translates to a clear affirmative action, such as ticking a checkbox, being necessary for signaling consent.

To enforce this, noyb has developed an automated system to identify and lodge complaints against companies infringing these requirements. They have already issued over 500 complaints, aiming to bring an end to what they term as "cookie banner terror". The complaints are based on a simplified model: they emulate a user visiting a website and assess whether the site adheres to the basic principles of cookie consent under the GDPR. This vigilance enhances the risk of GDPR penalties for non-compliant websites.

Noyb's strategy is particularly noteworthy because it poses a significant risk to websites that make it harder to reject cookies than to accept them. Many such websites exist, and the risk of fines has been comparatively low until now. With active organizations like noyb identifying violations and filing complaints, enforcement of GDPR cookie consent requirements is widening across the EU, which makes it increasingly risky for website owners to employ unlawful cookie banners.

GDPR Fines and Cookie Banners: Insights from the EDPB Report

The European Data Protection Board (EDPB) released a report on January 17, 2023, detailing the work of the Cookie Banner Taskforce. The report, which was a response to complaints received from noyb, outlines common practices that could potentially violate the ePrivacy Directive and the GDPR. The report identifies several types of practices related to cookie banners:

  1. Type A Practice – “No Reject Button on the First Layer”: Cookie banners that contain a button to accept the storage of cookies and a button that allows the data subject to access further options, but without containing a button to reject the cookies, are not in line with the requirements for valid consent and thus constitute an infringement.

  2. Type B Practice – “Pre-Ticked Boxes”: Pre-ticked boxes to opt-in do not lead to valid consent as referred to either in the GDPR or in Article 5(3) of the ePrivacy Directive.

  3. Type C Practice – Deceptive “Link Design”: Some cookie banners contain a link, not a button, as an option to reject the deposit of cookies. The taskforce members agreed that in any case, there should be a clear indication on what the banner is about, on the purpose of the consent being sought, and on how to consent to cookies.

  4. Type K Practice – “No Withdraw Icon”: Website owners should put in place easily accessible solutions allowing users to withdraw their consent at any time, such as an icon (small hovering and permanently visible icon) or a link placed on a visible and standardized place.

The findings of this report highlight the need for businesses to carefully review their cookie banner practices to ensure compliance with GDPR and ePrivacy regulations.

A note on the French Data Protection Act

The French Data Protection Act contains specific provisions on cookies and other trackers in Article 82, which transposes Article 5(3) of the ePrivacy Directive, a distinct EU directive that supplements the GDPR. The GDPR itself has no cookie-specific rules: the requirement to obtain consent before placing non-essential cookies comes from the ePrivacy Directive and the national laws that implement it, such as Article 82, while the GDPR supplies the standard of valid consent (freely given, specific, informed and unambiguous) that those laws rely on. This is why the CNIL decisions above are formally based on Article 82 rather than on the GDPR directly.

© 2023 GDPRControl. By Anders Svensson and Jan Ove Skogheim.