No Trick or Treat but Digital Tricks and Traps:
About Dark Patterns in Cookie Banners.
Written by: Charlotte Bourguignon
With Halloween just around the corner, it’s quite suitable to think about other dark things, like dark patterns in marketing. The biggest GDPR (General Data Protection Regulation) fine to date, a €746 million sanction against Amazon, was issued for nudging their users to agree to cookies by default, and making the opt-out too difficult. This type of nudging is a prime example of a dark pattern.
In general, dark patterns are used to describe techniques that can influence consumer choice in the direction you want. These patterns provide a user interface that is designed to trick its users into taking actions that are not necessarily in their best interest, or that they wouldn’t have taken if their consent hadn’t been manipulated. Especially in Privacy, dark patterns are a problem as they are not only questionable in terms of ethicality, but they most definitely also go against GDPR.
What are cookies, if not edible?
Many websites use dark patterns to nudge their visitors into accepting cookies. It’s impossible to give valid GDPR consent to a cookie banner when the rejection button doesn’t exist or nearly invisible. This is a prime example of a dark pattern because it’s very straightforward, but this is not always the case. Dark patterns make use of human psychology to nudge people. They can be extremely effective, as most users aren’t even aware they’re being ‘guided.’
GDPR and Cookies
GDPR does not prohibit dark patterns explicitly, but it does demand consent to be given freely when it comes to storing and processing (personal) data. Recital 32 of the GDPR states that:
“Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement.”
If the user cannot freely accept or reject cookies, and the design intentionally tricks the user, it goes against the GDPR, and you could be in for a fine. Shockingly, a German study from 2019 showed that over 57,4% of popular websites in Europe nudge people into giving consent to their cookie banners. This shows that there’s still a lot of work to be done.
How to use cookie banners the correct way.
As Supervisory Authorities become stricter and people become more aware of the value of their personal data, marketeers are pushed to design clever ways to push people into accepting cookies. Whereas originality is fine, dark patterns are not. Here are some dos and don’ts when you design your cookie banner:
1. Have a cookie banner in the first place
2. Add a “Reject” button to the banner
We know, you want to gather as much data as possible from your website visitors, however, the data subject should be able to choose themselves if they want to share that data or not. Rather than omitting the reject-button, write clever copy that draws attention but still leaves room for the visitor to decide themselves if they want to accept the cookies or not. Earlier this year, Google received a whopping €150 million fine by the French SA (The CNIL) for making the rejection-process of their cookies unnecessarily confusing and difficult for their users. Needless to say, they now added a “reject all” button to their cookie banner.
3. Don’t use a deceptive link instead of a rejection button
This one is closely related to the previous point. Some websites add a “rejection” button in the form of a long link. For example, “click here to see your options” or even worse, a “settings” link. It’s not clear for users that they can reject the cookies via this link, which leads to automatically clicking on accept.
4. Be careful with manipulative colours
GDPR does not explicitly prohibit you from using colours on your buttons in cookie banners, however, tread carefully when they’re used intentionally to manipulate clicking behaviour. This psychological nudging technique has been deemed illegal in the past by the Danish SA (the Datatilsynet). In 2021, Datatilsynet found that the design of a Danish company’s cookie banner was deceiving its users through the use of bright colours.
5. Steer clear from preselected options
According to research in 2020, 46,5% of popular European websites use preselection to steer consumers to privacy-unfriendly settings in their cookie consent notices. Having to manually untick all boxes is burdensome for the user. By default, only necessary cookies should be ticked, the others should be optional for the visitor. In her case against the German lottery company Planet49, the CJEU (Court of Justice of the European Union) (Court of Justice of the European Union), ordered that pre-ticked boxes in cookie consent banners aren’t considered ‘consensual’.
In the end, installing a cookie banner on your website is not something to fear but something to be aware of. Don’t use dark patterns to steer people’s behaviour, but instead, use clear and attractive copy to get your visitor’s attention. You could question if all cookies that are used on your website, are really necessary to track our performance. As usual, less is more, especially when it comes to cookies (edible or not) 😉.
Hi! How can we help?
Questions, remarks, feedback or compliments? The fastest way to reach us is through the form below.