Currently there are two trends on cookie consent banner design – either (1) the “Accept All” and “Reject All” options are shown in the first layer of a cookie consent management solution, or (2) only the “Accept All” option is shown in the first layer together with a link to the second layer of the cookie consent management solution where the user can reject to the use of non-essential cookies. There is more clarity on the views of the UK data protection authority on whether a “Reject All” option in the first layer of a cookie consent management solution is required.
The ICO Position
On 9 August 2023, the UK Information Commissioner’s Office (“ICO”) clarified its position on the “Reject All” button in cookie banners. The ICO published a Joint Position Paper on Harmful Design in Digital Markets: How Online Choice Architecture Practices Can Undermine Consumer Choice and Control Over Personal Information (“Joint Position Paper”) together with the UK Competition & Markets Authority. Its existing guidance on cookies did not expressly require a “Reject All” button and focuses on preventing nudging towards the “Accept” button through formatting and positioning.
In the Joint Position Paper, the ICO discusses harmful nudge and sludge techniques in more detail, where a user is offered an “Accept All” button but is required to go through several steps before refusing consent to non-essential cookies. The ICO states that,
“Users must be able to refuse non-essential cookies with the same ease as they can accept them, without having to take any additional steps. Where the user is presented with an option that allows them to skip more granular settings then the ICO expects, as a minimum, an equivalent option allowing them to refuse as well (e.g., a “Reject all” option as well as an “Accept all”). These must be presented with equal prominence; the user must understand what they mean and must not be nudged towards one over the other. This is more likely be compliant with data protection law, as firms will be better placed to demonstrate that the user has a genuine free choice.“
The “Reject All” button must, thus, be presented at the same layer as “Accept All” button. The harmful nudge and sludge technique discourages users from exercising control over their personal data and may not meet the definition of consent under Article 4(11) UK GDPR, which states consent must be freely given, informed, specific, and unambiguous. This in turn may lead to an infringement of the lawfulness principle in Article 5(1)(a) UK GDPR, where an invalid consent is obtained. Regulation 6 of Privacy and Electronic Communications Regulations (2003) (“PECR”) requires that GDPR-standard consent for cookies. Thus, failure to obtain consent that meets the GDPR requirements may also contravene Regulation 6 PECR. The ICO clarifies that not all design practices as described above will automatically infringe these provisions, but the above PECR and GDPR provisions are most commonly at risk of being infringed when used “to distort or steer consumer choices in harmful ways”.
The EU Position
There is no clear harmonized approached by the EU data protection authorities on the issue of whether a “Reject All” option is required in the first layer of a cookie consent management solution. For example, the following views have been published:
- The European Data Protection Board did not touch on the question if a “Reject All” button is required in the first layer in its Cookie Banner Taskforce report. It only commented that there is an infringement if there is no “Reject All” button on any layer.
- The German data protection authorities do not require a “Reject All” button in the first layer. A “Reject All” button is not required in the first layer, if the consent button is not displayed in the first layer or the user can interact with the website without having to interact with the cookie consent banner. The deciding factor is if declining consent requires more effort than giving consent (“Additional Effort Principle”). The Additional Effort Principle was also applied by the Regional Court Munich I in its November 29, 2022 judgment (docket no.: 33 O 14766/1) when reviewing the design of a cookie consent banner.
- The Irish data protection authority stated that it may be sufficient if there was a consent button in the first layer with a link to further, more detailed information in the second layer.
- The Austrian and Spanish data protection authorities explicitly require a “Reject All” button in the first layer.
There are arguments against requiring a “Reject All” button in the first layer of a cookie consent management solution. This requirement is not explicitly included in the GDPR or the EU ePrivacy Directive. Art. 7 GDPR only requires that withdrawing consent must be as easy as providing consent. It does not state that declining consent must be as easy as consenting.
However, the trend of the published views of the data protection authorities is towards including a “Reject All” button also in the first layer. Organizations should thus review compliance of their cookie consent solutions.