Many different cookie banners could be found on the internet. Depending on the Cookie Banner provider, some of them are GDPR compliant, while others violate the GDPR. Some violations could be due to ignorance of the law, and others could be made on purpose. Violating the GDPR could lead to fines and penalties, independently of the cause of the violation. Read more about what are the most common GDPR Cookie Banner mistakes and how to avoid them.
The Most Common GDPR Cookie Banner Mistakes
No Cookie Banner at all
Even if you operate in the USA or any other country, the GDPR applies if the data subject or the data processor of your website is located in the EU. This means that even if your website offers products or services outside the EU, it could be accessed by the EU consumer, and if your website collects EU consumer's personal data without user consent- you will be violating the GDPR!
No "Reject" button on your homepage
According to the GDPR, rejecting cookies should be as easy as accepting them. The law was designed to give website users more control over their private information and provide users a possibility to reject access to their data if they disagree with how businesses will use the data.
Companies admit that only 3% of all users actually want to accept cookies, so companies try (tried) to use various tricks to ensure that over 90 percent of all users click the “accept” button.
If your web pages do not have the "reject" button, you're violating the GDPR consent requirement, which could lead to huge fines.
In 2021, Amazon was fined with €746 million fine – the biggest so far for the GDPR violations- for the reason that the website was tempting to force users to “agree” to cookies by default, and to make opting out of cookies was difficult.
On January 6, 2022, Google Ireland was fined with €90 million fine for the inappropriate Cookie Consent implementation procedures on YouTube. It was easy to accept cookies on YouTube, but harder to refuse them. Refusing cookies required a user to make several clicks, whereas accepting cookies required just one click.
In January 2022, Facebook and Google LLC both were also fined with €60 million fines for Cookie Consent violations- it was very easy to accept cookies but more difficult to refuse them.
- "Accept" cookies button;
- "Reject" cookies button;
- cookie settings button, so that users can manage which cookies to accept, and which to reject.
Using pre-checked cookie categories
A website user should give explicit consent which means that the user has to check the checkboxes on a cookie banner for allowing to use of different types of cookies. If your website uses pre-checked boxes for cookie categories, the user could either not see the box is checked or click the “Accept” button by mistake without reading all information regarding personal information usage before having a chance to change the settings.
Using Implied consent
Implied cookie consent, also called opt-in cookie consent, means to grant permission to track a website users' activity and collect personal information by default when visiting a website. Using implied cookie consent mode, cookies are deleted only if a user declines cookies.
Article 4 of the GDPR informs that cookie consent is valid only when it is:
- freely given
Website users must give explicit consent, clearly understanding the action is a signal of consent, having been provided the necessary information to make a purposeful choice.
If you make automatically accept cookies on scrolling your website, this does not mean granting cookie consent, and it is not GDPR compliant.
If you make your cookie banner accept cookies automatically after some time of using your website, this also does not mean granting cookie consent and is not GDPR compliant.
Using cookie walls
A cookie wall is a pseudo cookie banner that offers users just a straight choice between accepting all cookies or not accessing the site. If a user does not accept cookies or other tracking technologies ready to be activated on his browser, a cookie wall restricts access to the website.
In 2020, the European Data Protection Board revised its guidance and declared that cookie walls are a non-compliant way for websites to obtain cookie consent from website users.
Not receiving prior consent
Even if website users would give explicit cookie consent to use their private data, the website must receive consent BEFORE setting any cookies. All cookies, except necessary ones, should be blocked until you have received user consent.
No possibility to change or withdraw user consent
According to the GDPR, website users should have the possibility to change their consent as easily as they gave it, and at any time.
The GDPR also says any consent must cover data processing for a specific purpose. This could be done by asking for specific consent for different types of cookies. In such a way a user can also withdraw specific consent just for one type of cookie, and the website can still lawfully use other types of cookies to which users consented.
No Consent logs
All consents must be logged so that you can prove when and how somebody consented. All tracking of personal data must be documented as well, including embedded third-party services and the countries to which the data is being transmitted.
Out-of-date cookie declaration
Cookies on websites change often: new functionalities and features are added or removed, which in many cases affect what cookies are used by your website. Thus you must scan your website for cookies regularly and, accordingly, update your cookie declaration.
"Legitimate interest" for using cookies
The GDPR says that cookies must be only used for "legitimate interest". Some companies try to abuse it and use the term “legitimate interest" to place cookies on user's devices because they have "legitimate interests." However, it does not matter what you say – abusing the usage of cookies is a violation of the EU ePrivacy Directive, which could lead to fines.
According to the GDPR, you must obtain freely given, informed, and explicit cookie consent from users to use all non-essential cookies.
Misclassifying non-essential cookies as "essential"
There is no need to get cookie consent to use essential cookies, thus some companies try to lie about the type of cookies they put on user's devices, intentionally misclassifying non-essential cookies as "essential." This is a clear violation of the ePrivacy Directive's consent requirements. It's not worth cheating on users: if you're found violating the law on purpose, fines and penalties can be heavier that violating the law accidentally.
How to Avoid GDPR Cookie Banner Mistakes?
Not all cookie banners are the same- there are many features and settings of a banner, that could be implemented differently.
There is an example of a GDPR compliant cookie banner:
The cookie banner has the following features:
- Button to accept cookies and to reject cookies;
- It allows selecting just specific cookie types;
- It provides detailed information about the usage of cookies;
- It provides a link to the website's Cookies Policy;
- It gives a link to a list of all third parties with whom it shares data;
- It provides a button for the settings of cookies (“Show details” button);
- It uses explicit cookie consent.
In addition, the CookieScript Cookie Banner is:
- highly configurable, being one of the most configurable banners on the market, which allows adjusting to your website's design; and
- customized, allowing you to write a script and add additional features or functions, such as animations, custom, and adjustable designs, different sizes, etc.