Table of Contents
Should there be a “reject all cookies” button in the cookie banner?
Many people find the banners that ask for consent to the use of various cookies when visiting a website annoying. A “reject all cookies” button does not exist on many websites. Rather, you have to navigate through a settings menu and disable the placement of cookies there. In order to continue surfing quickly, users then often prefer to give their consent. Website operators take advantage of this “laziness” to achieve the highest possible consent rate.
The question is how to evaluate the absence of a “reject all cookies” button.
The fact is that the user’s consent is required for the setting of cookies that are not necessary (i.e., especially those for marketing analysis).
In its ruling of 01.10.2019 (Case C-673/17), the ECJ had confirmed a general consent requirement for all such cookies that are not absolutely necessary for the operation of a website and the provision of the page function for technical reasons.
In its decision of May 28, 2020 (I ZR 7/16 – Cookie consent II – BGH judgment Cookies), the German Federal Court of Justice (BGH) also clarified the exact requirements for consent to cookie storage.
Site operators who wish to continue setting non-technical cookies have since been required to implement effective consent solutions on their websites.
But is it now mandatory to have a button in the cookie banner that can be used to immediately reject the placement of all cookies?
The data protection supervisory authorities seem to agree here: Consent to cookies should be just as uncomplicated as their rejection.
Similarly, the Italian data protection supervisory authority Garante expresses its opinion. In the Garante guidelines on cookies, it states:
On December 31, 2021, the CNIL fined Google a total of 150 million euros (90 million euros for Google LLC and 60 million euros for Google Ireland Limited) for not allowing users of google.fr and youtube.com to reject cookies as easily as accepting them.
Google has also been in trouble in Germany. The consumer association Verbraucherzentrale NRW brought an action against Google before the Berlin Regional Court, giving the following reasons: With tricks in the design of cookie banners, companies try to trick consumers into giving their consent in order to obtain, collect and process as much personal information as possible. It must be just as easy for consumers to reject cookies as to accept them. This is the only way to prevent the careless disclosure of data. On Google a user would only have to click once to agree to all cookies. However, anyone who decided to accept only necessary cookies would have to first call up another operating level within the cookie dialog. On this level, at least three different categories of cookies must be rejected individually. In this way, Google would violate standards from the Telecommunications Telemedia Data Protection Act (TTDSG) as well as EU law.
In the context of the complaint filed by the consumer association Verbraucherzentrale NRW, Google then announced that the practice in question would be abandoned and that a “reject all cookies” button would soon be available in cookie banners throughout Europe in order to comply with the instructions of the supervisory authorities. Google has meanwhile equipped its own cookie banners in the search engine on its German website, among others, with a “reject all cookies” button as a new Google standard.
In addition, private initiatives are also increasing the pressure on companies to revise their cookie banners. The data protection organization noyb (“none of your business”) filed a full 422 complaints with European supervisory authorities.
We therefore strongly recommend that cookie banners use a “reject all cookies” button analogous to the consent button. This is the only way to ensure that the consent of the website user is voluntary and thus compliant with data protection laws.
When revising your cookie banner, pay particular attention to the following points:
- There should be no default settings. This ensures that users can make an active decision.
- When designing the consent button, avoid weightings that are manipulative in nature (e.g., color-highlighted button for consent, light gray button for refusal).
A good checklist on cookie banner requirements has been published by the Lower Saxony supervisory authority here (only available in German). Work through these and you should be on the safe side.
If you need any help, feel free to contact us.
Diploma-Lawyer (Univ.) Nora Lynn Rodiek, B.Sc., Senior Consultant & Legal Counsel at mip Consult GmbH, Studies: Law & Economics. Data Protection Officer (DEKRA), Data Protection Specialist (DEKRA), Company Health Manager (TÜV).