Regulators Crack Down on Cookie Consent Designs That Manipulate Consumers
After winning their battle against Meta for forcing users to accept personalized ads, E.U. regulators are taking on a new challenge — cookie consent banners. Specifically, lawmakers are beginning to look at how cookie consent banners are designed and whether deliberate design tricks are being used to manipulate web users.
While U.S. regulators are standing on the sidelines in this latest debate, E.U. regulators are diving in head first and making progress in their steady march toward universal data privacy.
In a new report published by French and Austrian data protection agencies, E.U. officials make it clear that they believe a number of the design tactics commonly used in advertising today are deceptive — and potentially illegal. Specifically, regulators are looking at cookie consent banners that feature blatant design tricks created to manipulate web users into clicking on ads they might not otherwise click.
“We’ve all been habituated to the consent pop-ups and walls giving us the options to opt-in or opt-out of our data being used for certain purposes. But the way in which these choices are offered and the way they may be exercised could be manipulated,” says Alex Krylov, a senior privacy advocate at DataGrail, which offers a data privacy management platform.
Cookie consent banners are notifications that display on websites and apps explicitly asking for users’ consent before deploying cookies. To comply with existing regulations, publishers must ask users for their consent before deploying cookies, rather than just informing users about cookies on their websites.
Cookies fall under the E.U.’s ePrivacy Directive, and there can be varying applications of the E.U.’s rules depending on where a website is hosted. For example, regulators in certain E.U. member states allow news sites to offer users a choice between accepting ad tracking to gain free access to content or paying for a subscription to get access without tracking. The majority of regulating bodies agree that not having a “refuse all” button at the same level as an “accept all” button is a breach of existing privacy regulations.
While most U.S. brands and publishers are now in compliance with these rules, publishers are not necessarily happy about losing out on user data. This is especially true for brands and publishers that relied on data from web users to fuel targeted advertising practices.
Krylov says regulators are seeing an uptick in cookie consent banners that are intentionally designed in a way that manipulates web users into offering consent — an illegal practice that could land some publishers and brands in hot water.
Broadly speaking, Krylov says there are three kinds of consent issues: pestering, manipulating, and undermining.
Pestering is when a cookie banner continues to follow a user around a site until the user relents and accepts. In those cases, consent cannot truly be called freely given. Manipulating involves so-called “dark patterns.” These are banner designs and choice mechanisms that nudge people to accept trackers. A common example is having a large “accept” button and a small “X” off to the side. Undermining happens behind the scenes. Setups can be customized to treat marketing and analytics trackers as “essential” when they’re actually not, which makes them exempt from consent practices. This kind of exemption stuffing is much harder for average users to detect.
“As for regulators, they have been and will continue to crack down,” Krylov says. “We see fresh fines around improper consent and out of Europe … We also have a clear warning from California Attorney General Rob Bonta [that] fresh opt-out compliance sweeps are in progress.”
The California Privacy Protection Agency directly addressed consent pop-ups and dark patterns in a new set of modified rules to the CCPA, which will be enforceable later this year.
In the meantime, Krylov says the real irony is that cookie consent banners are “low-hanging fruit.” It’s easy for regulators to police banners, links, and what happens behind the scenes using simple tools. But advertising data flows are more complex.
While there are bad actors and tricksters, the majority of consent malpractice in the U.S. today is due to a combination of genuine confusion and poor tool implementation.
“To be fair, we talk to many U.S. businesses struggling to reconcile their international opt-in/opt-out obligations. Advertising data flows are complex, the U.S. is behind the curve, and regulatory guidance continues to evolve,” Krylov says. “Tricksters are out there, for sure, but we see genuine confusion and, quite frankly, poor tool implementations driving consent malpractice.”