Table of Contents
Should there be a “reject all cookies” button in the cookie banner?
Many people find the banners that ask for consent to the use of various cookies when visiting a website annoying. A “reject all cookies” button does not exist on many websites. Rather, you have to navigate through a settings menu and disable the placement of cookies there. In order to continue surfing quickly, users then often prefer to give their consent. Website operators take advantage of this “laziness” to achieve the highest possible consent rate.
The question is how to evaluate the absence of a “reject all cookies” button.
The fact is that the user’s consent is required for the setting of cookies that are not necessary (i.e., especially those for marketing analysis).
In its ruling of 01.10.2019 (Case C-673/17), the ECJ had confirmed a general consent requirement for all such cookies that are not absolutely necessary for the operation of a website and the provision of the page function for technical reasons.
In its decision of May 28, 2020 (I ZR 7/16 – Cookie consent II – BGH judgment Cookies), the German Federal Court of Justice (BGH) also clarified the exact requirements for consent to cookie storage.
Site operators who wish to continue setting non-technical cookies have since been required to implement effective consent solutions on their websites.
But is it now mandatory to have a button in the cookie banner that can be used to immediately reject the placement of all cookies?
The data protection supervisory authorities seem to agree here: Consent to cookies should be just as uncomplicated as their rejection.
The French data protection supervisory authority CNIL (Commission Nationale de l’Informatique et des LibertĂ©s), for example, has called on around 60 companies to adapt their practices with regard to the design of cookie banners and, in particular, to make rejecting cookies as easy as accepting them (press release here). This action is part of the measures to enforce the “Guidelines and Recommendations on the use of cookies and other tracking technologies” published by CNIL.
Similarly, the Italian data protection supervisory authority Garante expresses its opinion. In the Garante guidelines on cookies, it states:
"The mechanism to enable continued browsing without giving any consent will have to be as user-friendly and accessible as the one in place for giving one’s consent."
And further, "In order to ensure that users are not influenced or affected by design arrangements such as to lead them to prefer one option over the other, it is fundamental additionally to rely on commands and characters of the same size, emphasis and colours and that all such commands and characters are equally easy to view and use.”
On December 31, 2021, the CNIL fined Google a total of 150 million euros (90 million euros for Google LLC and 60 million euros for Google Ireland Limited) for not allowing users of google.fr and youtube.com to reject cookies as easily as accepting them.
Google has also been in trouble in Germany. The consumer association Verbraucherzentrale NRW brought an action against Google before the Berlin Regional Court, giving the following reasons: With tricks in the design of cookie banners, companies try to trick consumers into giving their consent in order to obtain, collect and process as much personal information as possible. It must be just as easy for consumers to reject cookies as to accept them. This is the only way to prevent the careless disclosure of data. On Google a user would only have to click once to agree to all cookies. However, anyone who decided to accept only necessary cookies would have to first call up another operating level within the cookie dialog. On this level, at least three different categories of cookies must be rejected individually. In this way, Google would violate standards from the Telecommunications Telemedia Data Protection Act (TTDSG) as well as EU law.
In the context of the complaint filed by the consumer association Verbraucherzentrale NRW, Google then announced that the practice in question would be abandoned and that a “reject all cookies” button would soon be available in cookie banners throughout Europe in order to comply with the instructions of the supervisory authorities. Google has meanwhile equipped its own cookie banners in the search engine on its German website, among others, with a “reject all cookies” button as a new Google standard.
In addition, private initiatives are also increasing the pressure on companies to revise their cookie banners. The data protection organization noyb (“none of your business”) filed a full 422 complaints with European supervisory authorities.
We therefore strongly recommend that cookie banners use a “reject all cookies” button analogous to the consent button. This is the only way to ensure that the consent of the website user is voluntary and thus compliant with data protection laws.
When revising your cookie banner, pay particular attention to the following points:
- Clearly inform your users about the purposes behind the use of cookies (e.g., playing out personalized advertising or sharing information with social networking platforms) as well as the identity of the operators using cookies.
- There should be no default settings. This ensures that users can make an active decision.
- Refusing to use cookies must be as easy as accepting them, that is, users should not be subjected to complex cookie refusal procedures.
- When designing the consent button, avoid weightings that are manipulative in nature (e.g., color-highlighted button for consent, light gray button for refusal).
- Users must be able to revoke their consent to the use of cookies at any time.
A good checklist on cookie banner requirements has been published by the Lower Saxony supervisory authority here (only available in German). Work through these and you should be on the safe side.
If you need any help, feel free to contact us.
Diploma-Lawyer (Univ.)Â Nora Lynn Rodiek, B.Sc., Senior Consultant & Legal Counsel at mip Consult GmbH, Studies: Law & Economics. Data Protection Officer (DEKRA), Data Protection Specialist (DEKRA), Company Health Manager (TĂśV).
