EU: Cookie banners and the use of reject all buttons – part two
Part one of this Insight article series on cookie banners looked at how the use of reject all buttons is regulated at an EU level, and across France, Spain, and Germany. In this Insight, OneTrust DataGuidance has consulted with legal experts to explore the use of reject all buttons across Belgium, Ireland, and the UK.
Tanguy Van Overstraeten and Manon Habets, from Linklaters LLP, provide an overview of how reject all buttons are regulated in Belgium.
On April 9, 2020, the Belgian data protection authority (DPA) released guidance and a set of frequently asked questions (FAQ) on cookies and other trackers (only available in French and in Dutch) (the Cookie Guidance).
Accept all/reject all
In the Cookie Guidance, the Belgian DPA specified that to fulfill the requirement that consent be given for well-defined (specific) data processing operations, consent may not 'be given for the sole "use" of cookies, without any further specification as to the data collected via these cookies or the purposes for which this data is collected. The GDPR does indeed require a more detailed choice than a simple "all or nothing" but it does not require consent for each cookie individually' [1].
It naturally follows from this statement that data subjects must have the choice of giving (or refusing) their consent for each type of cookie, or even, in a second layer of information, for each cookie individually.
The above statement could be interpreted as rejecting the possibility for controllers to provide website users with the choice to accept or reject all cookies at once.
On January 17, 2023, the European Data Protection Board (EDPB) adopted a report on the work undertaken by the Cookie Banner Taskforce, reflecting the common denominator agreed by the Member State DPAs in their interpretation of the applicable provisions of the ePrivacy Directive and the General Data Protection Regulation (GDPR), with a view to handling the complaints on cookie banners that these authorities received from None Of Your Business (noyb).
This report from the EDPB highlights a divergence of interpretation among the DPAs about the need to have a 'Reject All' button at the same level as the 'Accept All' button. A few DPAs did not necessarily agree that the 'Reject All' button was a requirement under the ePrivacy Directive.
'Most data protection authorities, including the [Belgian DPA], considered that this was a breach and that the user of a website should simultaneously have the option to accept or reject the placement/reading of cookies on their device' [2].
From the above statement, it is clear that while the 'Reject All' button is not in itself a requirement, where a website operator intends to offer users the possibility to accept all cookies, it must at the same time and in a similar fashion also offer the option to reject all such cookies.
Main takeaways for businesses operating in Belgium
The best practice for website operators to comply with the GDPR requirement of 'specificity' as interpreted by the Belgian DPA is to offer users the following three options:
- accept all cookies;
- reject all cookies; and
- configure cookies, i.e., accept or reject cookies in a more granular manner (per cookie category or per individual cookie).
Pursuant to Article 5(3) of the ePrivacy Directive, the insertion or reading of cookies is in principle only allowed provided that the user concerned has given their consent in accordance with the conditions provided in the GDPR. The only exceptions to this consent requirement are the following two situations:
- where cookies are strictly necessary to provide a service that was expressly requested by the user concerned (e.g., cookies that enable shopping online or ensure the security of a banking application); and
- where cookies are strictly necessary to send a communication via an electronic communications network (e.g., cookies that enable the necessary information to be displayed in encrypted exchanges).
The above situations cover the so-called 'functional cookies.'
To be valid, the consent collected for the insertion or reading of 'non-functional' cookies and other similar technologies must meet the following GDPR requirements:
- Consent must be demonstrated by a clear affirmative action, e.g., via a click or the activation of a slide button. Consent is therefore invalid if it is collected by means of a pre-ticked box or as a result of mere further browsing.
- Consent must be obtained prior to the insertion or reading of cookies, i.e., prior to the collection of personal data.
- Consent must be real, i.e., exercised without constraint, pressure, or external influence. This requirement excludes the use of so-called 'cookie walls,' i.e., blocking access to a website for those who do not consent to the installation of 'non-functional' cookies.
- Consent must be specific, i.e., it must be given for well-defined (specific) data processing operations. This means that: (i) consent is not valid where it results from a purchase confirmation or the acceptance of general terms and conditions; and (ii) consent must be provided in a granular manner, per cookie or per category of cookies.
- Consent may be withdrawn at any time and as easily as it was given.
Julie Austin and Conor Califf, from Mason Hayes & Curran LLP, look at the provisions for reject all buttons in Ireland.
Accept all/reject all
Unlike other jurisdictions in the EU, the Irish Data Protection Commission (DPC) does not outright stipulate that a 'Reject All' option needs to be provided in the first layer of a cookie banner. However, if an organization chooses not to provide a 'Reject All' option, it must provide an option for users to access more information in a 'second layer' on the types and purposes of the cookies being set and the third parties who will process information collected when those cookies are deployed.
The Guidance on Cookies outlines, among other things, the following requirements for the use of cookie banners in Ireland:
- No nudging: Organizations cannot design cookie banners in a manner that 'nudges' a user into accepting cookies over rejecting them. Therefore, if a button on the banner with an 'accept cookies' option is used, the organization must give equal prominence to an option that allows the user to 'reject' cookies, or to one which allows them to 'manage' cookies or 'get more information' (i.e., by cookie type and purpose) and which brings them to another layer of information in order to allow them to do that.
- No consent bundling: A cookie consent must meet the requirements of consent under the GDPR (i.e., it must be specific, informed, freely given, and capable of being withdrawn at any time). The Guidance on Cookies further advises that consent may not be 'bundled' for multiple purposes.
- No pre-checked boxes: The Guidance on Cookies makes clear that organizations are not permitted to use pre-checked boxes, sliders, or other tools set to 'ON' by default to signal a user's consent to the setting or use of non-strictly necessary cookies.
The primary concerns of the DPC (and design choices to avoid as a result) are outlined in more detail in the Cookies Report.
Main takeaways for businesses operating in Ireland
The Guidance on Cookies reiterates the ePrivacy Directive's requirement that the user be provided with 'clear and comprehensive information' prior to capturing their consent. The Guidance on Cookies notes that, while there is no statutory definition of 'clear and comprehensive,' the standard of transparency provided must meet the standards set down in the GDPR. The Guidance on Cookies suggests that the following information should be provided in a second layer/cookies policy:
- Information on how to withdraw consent: The DPC makes clear that users must be offered the ability to withdraw their consent at any later stage and that it must be as easy for a user to withdraw their consent as to give it. The Guidance on Cookies outlines that it must be made clear to users how they can withdraw their consent via the tools organizations have provided to manage consent.
- Information on the types and purposes of cookies set: Information about the types and purposes of the cookies being set should be provided (e.g., informing users that 'advertising' or 'analytics' cookies will be deployed).
- Information on third-party recipients: The Guidance on Cookies outlines that information on the third parties who will process information collected when cookies are deployed should be provided.
Mark Webber, US Managing Partner at Fieldfisher, looks at the use of reject all buttons in the UK.
In the UK, the legal requirements relating to cookies are contained in the Privacy and Electronic Communications Regulations (PECR) and the UK GDPR (retained EU law based on the ePrivacy Directive and the GDPR).
Accept all/reject all
Specifically, within its cookies guidance, the Information Commissioner's Office (ICO) warns that: 'predetermining non-essential cookies could be considered as "nudge behavior" – i.e., you are influencing the user to take a particular course of action.'
Indeed, the ICO provides the example of 'a consent mechanism that emphasizes "agree" or "allow" over "reject" or "block"' and emphasizes that this would amount to a non-compliant approach 'as the online service is influencing users towards the "accept" option.' This aligns with the EDPB Guidelines on Dark patterns in social media platform interfaces, which warn businesses against the use of 'hindering,' which 'requires users to complete more steps, compared to the number of steps necessary for the activation of data invasive options.'
Similarly, the ICO lists a consent mechanism where 'the controls are located in a "more information" section' as being non-compliant. In its example, the 'more information' link is considerably less prominent than most 'manage my preferences' buttons, but again, this aligns with the EDPB guidance against 'stirring' mechanisms (such as the use of 'a visual style for information or data protection controls that nudge users away from data protection advantageous options to less restrictive and thus more invasive options').
Moreover, where services are likely to be accessed by a child, the ICO emphasizes that, in the UK, businesses also need to consider the UK Age Appropriate Design Code. This makes clear that 'You should not use nudge techniques to lead or encourage children to activate options that mean they give you more of their personal data or turn off privacy protections,' but rather should 'use pro-privacy nudges where appropriate.' This would imply a 'Reject All' option should be at least as prominent as the alternative.
Main takeaways for businesses operating in the UK
In April 2022, the ICO specifically issued a statement welcoming the approach taken by Google LLC regarding its 'Reject All' cookies buttons – which the ICO reiterated was a change it had been seeking. As explained by the ICO, '[t]he new "reject all" option gives consumers greater control and balance of choice over the tracking of their online activity […] we expect to see the industry following Google's lead to provide clearer choices for consumers.'
Although there have been periods of optimism in which it was hoped browser settings could be used for 'across the board' consents/refusals, in its guidance the ICO also specifies: 'You cannot assume that each visitor to your online service can configure their browser settings to correctly reflect their preferences in relation to the setting of cookies […] In future you may well be able to rely on the user's browser settings as part, or all, of the mechanism for satisfying yourself that you have consent to set cookies. For now, relying solely on browser settings will not be sufficient.'
Best practice in the UK, therefore, remains to offer a 'Reject All' button that is equally prominent as 'Accept All,' rather than only a 'Manage Settings'/'Customize Your Preferences' button. As an example, the ICO website itself has an 'Accept All' cookies/'Reject All' cookies option with a separate 'On'/'Off' toggle for analytics cookies.
Comments provided by:
Mark Webber US Managing Partner
Fieldfisher, Palo Alto
[1] Free translation – underlined by the author.
[2] Free translation – underlined by the author.