EU watchdogs have reached an agreement about how to deal with certain dark patterns in cookie consent.

The European Union’s data protection regulators are pushing back against cookie consent banners that use obvious design tricks to push web users into handing over their data for behavioral advertising.

A taskforce made up of DPAs, including France’s CNIL and Austria’s authority, has spent many months analyzing cookie banners. In a report this week, they published a consensus on how to handle complaints about cookie consent dark patterns in certain jurisdictions. This development will make life more difficult for deceptive designs across the EU.

The taskforce was created in response to hundreds upon hundreds of strategic complaints filed in 2021 and 2022 by the European privacy rights group noyb. The non-profit developed a tool to automate the analysis of website cookie banners and generate complaints. It is a clever trick that allows a small organization to increase its strategic impact.

Cookies and other tracking technologies are covered by the EU’s ePrivacy Directive. As such, oversight of cookie banners is often decentralized to regulators in Member States. This allows for different application of the rules depending on where the site is located. Some Member States allow news websites to give users the choice between accepting ad tracking in order to gain (free) access or paying for a subscription that does not track, though such “cookie consent paywalls” are still controversial and unlikely to be accepted by every DPA.

The taskforce reported that there was a high degree of consensus. This suggests that there will be some harmonization of how DPAs enforce complaints about cookie consent banner design. For example, most authorities agree that the lack of a ‘refuse all’ option at the same level as an ‘accept all’ button is a violation of ePrivacy. It seems likely that sites will be more aggressive in enforcing refuse tracking options.

The taskforce also agreed that consent flows that include pre-checked options (i.e. another tactic to try and nudge agreement) are not valid consent. This should not surprise anyone, considering Europe’s highest court already clarified the need for active consent to tracking cookies back in 2019.

In the five years since an EU law was passed to strengthen consent rules, the General Data Protection Regulation (GDPR), DPAs have been paying greater attention to cookie consents. As complaints. how routinely the rules were being flouted Collapsed.

This has caused many to update and tighten their guidance on the issue, making it more difficult for sites to claim that the rules surrounding tracking consent are unclear.

Enforcement is increasing, with some watchdogs, such as France’s CNIL, being active. Since 2020, a raft of companies, including Amazon, Google, Meta and Microsoft, have been fined for a variety of cookie-related breaches. These include multiple enforcements (and possibly fines) related to dark patterns that were used to manipulate consent.

The CNIL’s enforcement activities have also included corrective orders, which have forced major design changes. Google has even changed the cookie banner it displays throughout the EU: last year, finally, a top-level “refuse all” option became available. This is a huge win.

Given that the taskforce was primarily facilitated by the CNIL, it is possible that some of the CNIL’s conventions are being passed on to other DPAs.

In a press release to accompany the European Data Protection Board’s adoption of the taskforce’s report earlier this week and summarize the outcome, the French regulator writes: “This report notably states that the vast majority of authorities consider that the absence of any option for refusing/rejecting/not consenting cookies at the same level as the one provided for accepting their storage constitutes a breach of the legislation (Article 5(3) of the ePrivacy Directive). This was a position that the CNIL had taken in its guidelines as well as in the context of other sanctions.”

The taskforce also agreed on the necessity of an “accept all” button being accompanied by a “refuse all” one. They also agreed that web users need enough information to understand what cookies they consent to and how they can express their preferences.

The report states that cookie banners cannot be designed in a manner that gives users the impression that they need to consent to access the website content.

They also agreed that some cookie designs do not lead to valid consent, such as where the design is such that “the only alternative action offered (other than granting consent) consists of a link behind wording such as ‘refuse’ or ‘continue without accepting’ embedded in a paragraph of text in the cookie banner, in the absence of sufficient visual support to draw an average user’s attention to this alternative action”; or where “the only alternative action offered (other than granting consent) consists of a link behind wording such as ‘refuse’ or ‘continue without accepting’ placed outside the cookie banner where the buttons to accept cookies are presented, in the absence of sufficient visual support to draw the users’ attention to this alternative action outside the frame”.

They reached a consensus to eliminate certain common cookie banner dark patterns.

However, visual tricks such as the use of highlight colors that might draw the eye to an “accept all” button and make the refuse option more difficult to see were not considered by the taskforce. They decided that each case would require a detailed analysis of the appearance and the potential for design choices to be misleading. The taskforce also acknowledged that they don’t have the authority to set a banner standard for data controllers (in terms of colour and/or contrast).

They also agreed that buttons designed in such a way that the text is “unreadable to virtually all users” should be rejected. This could be “manifestly misleading”.

The taskforce also dealt with cookie consent hell, where sites might (also) seek to claim a legitimate interest in ads processing. Sometimes additional toggles are added alongside consent legal basis buttons. This is usually done in a secondary menu (or sub-menu), and does not allow for a ‘refuse all’ option. Instead, users must click through settings to uncover this confusing mess (sometimes with the LI ones already checked).

The report states that “The integration of this notion of legitimate interests for the subsequent processing ‘in the deeper layers’ could be confusing for users who might believe they must refuse twice to have their personal information processed.”

The taskforce also discussed how regulators should decide whether any further processing based upon cookies is legal. This would include determining whether “the storage/gaining access to information through cookies and similar technologies is done within Article 5(3) ePrivacy Directive (and the national implementing rules) — any subsequent processing are done in accordance with the GDPR. 24”.

“The taskforce members viewed that Art. The GDPR 5 cannot be applied to subsequent processing if Art. The report also states that the TF members have confirmed that Article 5(3) cannot be used as a legal basis for placing/reading cookies.

Although they seem to have reserved judgment on how to address the latest scourge of LI toggles appearing in cookie consent flows, they said they “agreed that they would resume discussions on these type of practice should [they encounter] concrete cases where further discussions would be necessary in order to ensure a consistent strategy.”

Sites that attempt to categorize non-essential data processing as strictly necessary/essential, and thus bundle it into a category that does not require consent under the GDPR or ePrivacy, were also addressed by the working group. They agreed that it is difficult to determine which processing is strictly required.

“Taskforce members agreed that the assessment of cookies to determine which cookies are essential presents practical difficulties, in particular because cookies’ features change frequently, which prevents establishment of a stable, reliable list of essential cookies,” they wrote. “The existence and responsibility of website owners to maintain such lists and provide them to competent authorities when requested, as well as the need to determine the essentiality of the cookies, was discussed.”

Another issue, withdrawing consent, was also discussed. They agreed that website owners must provide “easily-accessible solutions” for users to withdraw their consent. This could include a small icon (hovering and permanently visible) or a link (“placed on an easily identifiable and standardized location”).

However, they declined to impose a standard way for users of sites to withdraw their consent. They said they could only require site owners to implement “easily accessed solutions” once consent has been obtained.

“A case by case analysis of the solution presented to withdraw consent is always necessary.” This analysis will determine whether the legal requirement that consent can be withdrawn as easily as possible has been met.
