EU: Cookie banners and the use of reject all buttons - part one
In part one of this insight series on cookie banners, OneTrust DataGuidance has consulted with legal experts at the EU level and, at the Member State level, from France, Spain, and Germany, to delve into how the use of reject all buttons is regulated across different countries. Part two of this insight series looks at Belgium, Ireland, and the UK.
Laura Monhemius and Dimmen Smolders, from ICTRecht, provide an overview of how reject all buttons are regulated at the EU-level.
Accept all/reject all
One way to implement consent in the cookie banner is by providing an 'Accept All' button and a 'Reject All' button for non-essential cookies. These buttons allow users to either accept all cookies or reject non-essential cookies with one click, rather than having to individually accept or reject each cookie or each category of cookies. The requirement to offer a 'Reject All' button next to an 'Accept All' button follows indirectly from the consent requirements in the GDPR; consent must be as easy to revoke as it is to give. Hence, users must be able to provide or deny consent to non-essential cookies in an equal fashion. Moreover, providing clear 'accept' and 'reject' options follows from the GDPR's fairness principle as the user is offered a clear, equal, and actual choice. Additionally, a 'Reject All' button is a user-friendly option for users who do not want to accept cookies. It helps to simplify the consent process for website owners and users.
Main takeaways for businesses operating in the EU
While the 'Reject All' option follows indirectly from the GDPR, it has already been enforced, for example by the French data protection authority (CNIL). For the cookie banner, the main requirement is that users must give specific and informed consent before non-essential cookies are used. It is therefore up to the website owner to determine which method to use to request consent from users and how this consent process is carried out. Regardless of the method chosen, user consent must always be voluntary, specific, and informed, and clear information must be provided about which cookies are used and what they are used for.
Charlotte Gerrish, from Gerrish Legal, discusses the regulation on the use of reject all buttons in France.
France has integrated provisions of both the GDPR and the ePrivacy Directive into its national law through Article 82 of the French Data Protection Act. As the designated regulatory authority responsible for enforcing the law, CNIL is responsible for ensuring that organisations operating in France comply with these data protection regulations. To this end, CNIL issued guidelines on cookie compliance in 2020 (only available in French here), which were further supplemented by a recommendation in 2021 (only available in French here).
Accept all/reject all
In the context of cookie settings, a 'reject all' button enables users to decline or refuse all cookies in a single action. In this regard, CNIL considers that users must have the possibility to refuse the operations with the same degree of simplicity as to consent to them. The mechanism to express a refusal must be accessible on the same screen and with the same ease. For instance, users may have a choice between two buttons: accept all or reject all cookies; or 'consent' or 'do not consent'.
However, the refusal to consent to cookies could also be manifested by simply closing the window for the collection of consent or by the absence of interaction with it for a certain period of time - nonetheless, this possibility must be properly communicated to users through the window.
Main takeaways for businesses operating in France
First, companies must ensure that consent is unambiguous. It must result from positive action from individuals who have been informed of the consequences of their choice. For instance, checkboxes (unchecked by default) or sliders (deactivated by default) are appropriate, as long as the mechanism is easily understandable.
Second, companies must ensure that consent is freely given: it can only be valid if users are able to exercise their choice freely. Thus, it is recommended that users be asked for their consent independently and specifically for each specific purpose. However, cookie walls are not prohibited provided that the information provided to users clearly indicates each purpose. For instance, buttons such as 'personalize my choices' or 'decide by purpose' are appropriate.
In essence, cookies play an important role in personalized online browsing, yet their use has raised privacy concerns and culminated in regulations in France, and to ensure compliance, CNIL issued their guidelines and recommendations for businesses. Obtaining unambiguous and freely given consent, avoiding misleading design practices, and protecting user privacy are critical components of cookie use. By following these guidelines, companies can build trust with their customers and safeguard their data.
Thorsten Ihler and Melanie Ludolph, from Fieldfisher, look at the use of reject all buttons in Germany.
The setting and reading of cookies originally falls within the scope of the ePrivacy Directive. With effect from 1 December 2021, Article 5(3) of the ePrivacy Directive was transposed into German law by Section 25 of the new Telecommunications Telemedia Data Protection Act (TTDSG). It applies when using any technologies by means of which information is stored on or read from terminal equipment, irrespective of whether such information qualifies as personal data.
Accept all/reject all
Section 25(1)(1) of the TTDSG stipulates the principle that the storage of information in the user's terminal equipment or access to information that is already stored in the terminal equipment is only permissible with the consent of the end user. Consent, especially on websites, is regulated by the display of consent banners. German data protection supervisory authorities hold strict views regarding the design of said consent banners. Notably, they effectively expect a reject-all button on the first layer of the banner.
The Conference of the Independent Data Protection Supervisory Authorities of Germany (DSK) does not clearly mention this point in its Guidance of the supervisory authorities for telemedia providers (only available in German here), but sets out the following four conditions from which such an obligation can be identified:
- the option to reject must be clearly recognizable, easily perceivable, and unambiguous as an alternative to consent;
- the option not to give consent should also be displayed as equivalent in terms of size, color, contrast, and font;
- the alternative to consent must be perceived as such by users (it should not be hidden somewhere outside the banner or in the running text); and
- the label should be simple, whereas a 'Set or decline' button that leads to another level of the banner would be insufficient.
Besides this view harmonized across German supervisory authorities, the State Commissioner for Data Protection of Lower Saxony has published a handout on data protection-compliant consents on websites (only available in German here). The paper indicates that the authority expects a simple rejection option for cookies. The authority criticizes in the paper that the process of rejection is unnecessarily complicated in many cases. Although consent can be given on the first level of the consent tool by clicking on the corresponding button, there is no equivalent button on the first level to reject consent, rendering it more laborious to reject than to consent.
The State Commissioner for Data Protection and Freedom of Information of Baden-Württemberg has published FAQs on cookies and tracking on its website (only available in German here). The supervisory authority presents typical mistakes that telemedia providers make in practice. If an 'accept all' button is offered, but not a 'reject all' button at the same level of the consent banner, which includes refused consents, this constitutes a violation of Article 5(1)(a) of the GDPR. Refusal and objection must be as simple as the declaration of consent.
Main takeaways for businesses operating in Germany
So far, there is no published decision on the question of the necessity of a reject all button. In addition, to date, there is no known fine imposed by a supervisory authority for the unlawful design of cookie banners. However, the risk is increasing for companies, as complaints to website operators and supervisory authorities are piling up due to large numbers of complaints brought by consumer organizations and individuals. If targeted by a complaint, at the very least this will have cost implications to deal with the matter.
Javier Aparicio Salom, Partner at finReg360, outlines the provisions regarding the use of reject all buttons in Spain.
The first release of the guide was intended to reconcile the rules of the Spanish laws transposing the Data Protection Directive and the Electronic Commerce Directive. Since its first adoption, the guide has undergone several revisions to adapt it to the criteria expressed by the Article 29 Working Party (Art. 29 WP), the principles of the GDPR, the guidelines on consent approved by the European Data Protection Committee, the rulings from the European Court of Justice (ECJ), and the criteria raised by the Member States in the discussions on the draft of the future ePrivacy Regulation.
Accept all/reject all
The guide clarifies that consent must always be granted prior to the installation of the cookie and by means of a clear affirmative action (such as an accept button). It cannot be inferred from acts such as continuing to display the screen, scrolling down the information, or continuing to browse the website.
In this regard, the guide clarifies that consent can be requested by means of buttons or links and proposes three options:
- option 1 - one button to 'accept' all cookies, another one to 'reject' them, and one link that provides access to where the user can opt singularly on the installation of each cookie;
- option 2 - one button to 'accept' all cookies and one link that provides access to where the user can reject them all or opt singularly on the installation of each cookie; or
- option 3 - one button to 'accept' all cookies and another one that provides access to where the user can reject them all or opt singularly on the installation of each cookie.
In any case, if the cookie makes it possible to obtain data of special categories, it is necessary to include a specific consent box, in compliance with Article 9 of the GDPR.
Finally, the guide clarifies that the configuration of the browser of the device to accept and reject cookies is perfectly valid if it complies with Article 13 of the GDPR. However, it cannot be the single option. It is necessary to include a space on the website where the concerned party can grant, manage, revoke, and refuse consent.
Main takeaways for businesses operating in Spain
The guide follows the indications defined in 2012 by the Article 29 WP and allows the installation of cookies without the need to inform on their use or to obtain consent when they are aimed at:
- enabling only communication between the user's equipment and the network; and
- strictly providing the service expressly requested by the user.
In all other cases, it is mandatory to comply with the two legal obligations imposed by the regulations prior to installing a cookie: the duty of transparency and the obligation to obtain consent, in accordance with the principles set out in the guide.
The guide establishes that the interested party must be informed about what the cookies installed are and are used for, the indication of the entity that manages them, their specific purpose, and their lifetime. It is also necessary to clearly inform about the actions to be taken to give, refuse, and revoke consent.
For websites targeted at minors, the guide clarifies that the age verification procedures can be adapted to the level of the risk involved. In this regard, it suggests that, for purely analytical cookies, an indication should be inserted for the user to inform their parents or guardians that they are going to accept the cookies. In the case of cookies that, for example, allow browsing to be modified, the guide proposes that additional information be requested, such as the parent's or guardian's year of birth. Finally, for the installation of behavioral advertising cookies, the guide proposes requesting the parent's email address to verify their authorization.
Comments provided by:
Charlotte Gerrish Founder
Gerrish Legal, Paris
Javier Aparicio Salom Partner