EU decides: No More Cookie Consent Walls

EU flags

Many internet users are asked for consent to being tracked when they visit a website for the first time. This was introduced when the General Data Protection Regulation (GDPR) came into place. In many cases, you don’t really have the option to refuse. Webpages often make it impossible for you to see any of the content without giving consent. The EU has now published some new guidelines which should make cookie consent more beneficial to the user, and not to the website.

The main issue that the European Data Protection Board (EDPB) is dealing with is the fact that many websites have a built-in cookie consent wall. This means that there are two options given to you when you visit a website for the first time; either you consent to the cookies, or you can’t get onto the page. The EU states that in cases like these, users aren’t “presented with a genuine choice.” When a website decides to put “into place a script that will block content from being visible except for a request to accept cookies”, then that cannot be regarded as an actual choice.

The idea behind cookie consent is that people should have a choice in whether their data is collected. This collected data is then used for things like targeted advertising. The GDPR states what makes consent legally valid. The standards it has to meet are that consent must be clear and informed, specific, and freely given. And that last requirement is where the issue becomes clear.

People should have the option to go onto a webpage without having their data collected. Website developers need to figure out how to make their page available for them as well. They can’t just demand people to click ‘accept’ just to see the content of their website.

Another issue that is tackled by the EDPB is that scrolling, or interacting with a website, can no longer be regarded as consent. It might seem very obvious to you and me that this should not be regarded as such, but many websites don’t agree. They have their page set up in a way that when you scroll down on a site, or swipe on your phone or tablet, it is automatically regarded as you giving consent for cookies, since you decided to use it.

The EDPB states that this can never “satisfy the requirement of a clear and affirmative action,” and cannot be equal to clicking ‘agree’ on an actual consent form. Another problem that arises here is that if you can scroll to agree, you should also be able to disagree by scrolling. And obviously there is no way to make this distinction. So therefore it cannot be legal.

Dark Patterns

And of course, the above mentioned issues regarding cookie consent aren’t the only issues. There are many problems concerning so-called dark patterns. These dark patterns are interface choices that are deliberately made to be confusing, so that users simply click accept. Some consent forms use complicated language, some include pre-ticked boxes, and some don’t even explain what you’re agreeing with in the first place. And sadly, all of this is legal. The EDPB has not dealt with these dark patterns yet.

When Can We Expect Change?

It is very clear that the EU is aware that there are some issues that need to be taken care of. Why else would they update the guidelines? They have agreed that it is no longer legal to force consent. You also cannot hide the fact that you’re taking consent without asking for it.

The difficult thing is that the EU can only set up laws; it is up to the members to enforce them. And this could take some time.

Cybersecurity analyst
David is a cyber security analyst and one of the founders of Interested in the "digital identity" phenomenon, with special attention to the right to privacy and protection of personal data.