The organisation NOYB of Max Schrems, the well-known lawyer and (data) privacy activist, has recently announced that it will check Europe’s most visited websites for compliance in terms of using proper cookie consent solutions. The GDPR has certain guidelines for implementing cookie consent the right way. NOYB will check the websites of a list of companies in Europe and will send them a report with the results of its compliance check.
In the following guide we cover NOYB’s focus points when it comes to implementing a GDPR compliant cookie consent solution, and of course we show you how you can do this with the CookieFirst consent management platform (CMP).
Rejection or deny option on first layer of consent
There are still companies that pretend to have the right cookie consent in place but do not offer a ‘reject cookies’ or ‘deny cookies’ button on the first layer of consent. With the CookieFirst CMP, when you set up a domain instance, this button is activated and present on the cookie banner by default. However, because our cookie consent solution is not only for the GDPR but also for other types of cookie laws, we offer the option to hide it. In some parts of the world this is still allowed, but not for users from Europe, who fall under the GDPR.
If you still have the reject button set as hidden, you can change it under your ‘Custom styling’ options, under ‘Advanced options’.
Link instead of Button to reject
According to the GDPR guidelines, the ‘reject cookies’ button should be clearly visible to the user, so that it cannot be overlooked. Turning it into a text link is therefore not advisable if you want to make your website compliant with the NOYB and GDPR guidelines. Our consent manager creates the deny cookies option as a button by default, but we do offer to turn it into a text link for websites that fall under other jurisdictions.
If you still have the reject button set as a text link, you can change it under your ‘Custom styling’ options, under ‘Advanced options’.
Pre-ticked cookie / third party categories
It is also important to inform you about preselected / pre-ticked third party categories. Under the GDPR this is illegal: the GDPR requires an active opt-in by the user for these categories, not an opt-out. So when you want to make your website compliant with the NOYB standards and the GDPR, you need to have these categories ‘unticked’, or in our case ‘switched off’, by default.
If you still have these third party categories preselected or pre-ticked, you can change that in the ‘Basic settings’ of your domain instance.
Deceptive Button Contrast, button color and button usage
In order to still get high opt-in rates for the third party categories, website owners play around with the button styling and configuration. From a marketer’s perspective it would be better to make the ‘Accept all’ button stand out more than the ‘Deny’ button. However, according to the NOYB checklist and the GDPR guidelines this is a bad practice. The user should be given a clear choice between accepting and denying cookies.
Most of our clients use our banner styling features to adopt the colours of their company’s corporate identity in the appearance of the cookie consent banner and the preferences panel. So deceptive button contrast may well occur unintentionally. As a website admin, it is a good idea to check these styling settings again and see whether a better (higher) colour contrast can be applied, for better usability for the user.
As a CookieFirst user, you can change these button colours in your ‘Custom styling’ settings.
To check whether the colours you are using have enough contrast, you can use a contrast checker. Sufficient contrast in the elements of your cookie banner is also required to meet the WCAG, which makes your website more accessible to your users.
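As an added example (not CookieFirst’s own tool or code), the script below applies the WCAG 2.x contrast formula to a constructed banner style and flags buttons whose text is hard to read or whose deny button visually fades into the banner. The 4.5:1 (AA text) and 3:1 (non-text) thresholds are WCAG values; the shape of the style object is an assumption.

```javascript
// Added example, not CookieFirst code: WCAG 2.x contrast audit for the
// accept/deny buttons on a cookie banner. All colours below are constructed.

// Relative luminance of a "#rrggbb" colour (WCAG 2.x definition).
function relativeLuminance(hex) {
  const m = /^#?([0-9a-f]{6})$/i.exec(hex.trim());
  if (!m) throw new Error(`bad colour: ${hex}`);
  const [r, g, b] = [0, 2, 4].map((i) => {
    const c = parseInt(m[1].slice(i, i + 2), 16) / 255;
    // sRGB companding: linearise each channel before weighting it
    return c <= 0.03928 ? c / 12.92 : Math.pow((c + 0.055) / 1.055, 2.4);
  });
  return 0.2126 * r + 0.7152 * g + 0.0722 * b;
}

// Contrast ratio between two colours, from 1:1 up to 21:1 (black on white).
function contrastRatio(fg, bg) {
  const l1 = relativeLuminance(fg);
  const l2 = relativeLuminance(bg);
  return (Math.max(l1, l2) + 0.05) / (Math.min(l1, l2) + 0.05);
}

// Audit the first layer: button text must meet WCAG AA (4.5:1), and each
// button must stand out from the banner background (3:1, WCAG 1.4.11), so a
// deny button cannot be made to blend in while the accept button stands out.
function auditBannerButtons(style) {
  const findings = [];
  for (const name of ["accept", "deny"]) {
    const btn = style[name];
    const textRatio = contrastRatio(btn.text, btn.background);
    if (textRatio < 4.5) {
      findings.push(`${name}: text contrast ${textRatio.toFixed(2)}:1 is below 4.5:1`);
    }
    const edgeRatio = contrastRatio(btn.background, style.bannerBackground);
    if (edgeRatio < 3) {
      findings.push(`${name}: button barely visible against banner (${edgeRatio.toFixed(2)}:1)`);
    }
  }
  return findings;
}

// Constructed sample: solid dark accept button, but a pale deny button with
// light-grey text on a white banner, the pattern NOYB calls deceptive contrast.
const sampleStyle = {
  bannerBackground: "#ffffff",
  accept: { background: "#1a1a1a", text: "#ffffff" },
  deny: { background: "#f2f2f2", text: "#999999" },
};
```

Running auditBannerButtons(sampleStyle) reports two findings, both for the deny button; the accept button passes on both checks.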
Misuse of ‘legitimate interest’
There are still companies that try to use the concept of ‘legitimate interest’ under false pretences in order to collect data without consent. Under legitimate interest a company may acquire personal data because it is absolutely necessary and there is no other way to reach a certain legitimate goal. However, this always needs to be explained by the company to the user in a very detailed and clear manner, and in many cases companies are not using legitimate interest correctly.
Our advice would be to always ask for consent when it comes to (personal) data transfer, and not to hide behind ‘legitimate interest’.
False classification of third party cookies as ‘essential’ cookies
In order to claim opt-ins for ‘marketing’ purposes, in some cases website administrators wrongfully classify third party (tracking) scripts and services as ‘necessary’ or ‘essential’. With this setup, the third party scripts and advertising categories can always be set or executed, because they are categorised as necessary. This is of course illegal and strictly against our principles. So use the right and honest classification of cookies and third party scripts.
From the result of our cookie scan you can see the correct classification of your cookies instantly.
It should be as easy to withdraw or change consent as it was to give it
On the first layer of consent it should be as easy to consent to cookies as to deny them. But also after the user has given consent, it should be just as easy to change or withdraw that consent. The CookieFirst CMP offers a feature with which website owners can activate a ‘floating button’ in the bottom left corner of the browser window. With this button the visitor can change consent or deny consent again. The button triggers our cookie preferences panel. On the panel, or second layer of consent, the user can change his or her consent settings. These actions are stored in a log for each user of your website, so that the consent status of each user can be proven.
The settings for enabling the ‘floating button’ can be found in your ‘Basic settings’.