October 2020 / Reading Time: 5 minutes

We’ve been living in an online world strangled by cookie banners for almost two and a half years now. After years of preparation,  the data protection reform officially started across the European Union in May 2018. Even from its first stage, this reform spread its implication worldwide once the General Data Protection Regulation (GDPR) became applicable and the entire world wide web plunged into a cookie banners madness.

The GDPR, the standard-bearer of the reform’s first stage and certainly the strongest data protection law the world has ever seen until now,  came into force on May 25th, 2018, replacing the previous data protection regulation that was valid for more than two decades across Europe. Since then, all websites that are using cookies need to seek express permission from their users to retrieve, store, track or transfer data about their browsing habits. Therefore, it was no longer enough for websites just to have a cookie policy section somewhere on their page and to inform their users of the policy’s existence.

Although everybody had two years to make the transition to the new rules (as the new regulation specifically mentioned its enforcement date when it was first released to the public in 2016), the GDPR took many people by surprise. So many that even now, almost thirty months later, some of them are still in denial. How else can we interpret the plethora of cookie banners disregarding the provisions of the GDPR, popping-out whenever we first visit a website? Or maybe, the people who made them pop, thought that, suddenly, “compliance” began to mean something else, like “if it’s not too much trouble for you” or “do it whenever you can find the time for it”? Well, no. It still means to conform to a rule.

Cookie consent banners first started to show up on virtually every website in the European Union starting mid 2002, as a result of the enforcement of the ePrivacy Directive, also called “the cookie law” among the Internet professionals or marketers. According to this cookie law, which is soon to be “upgraded” to a more modern and enforceable framework as part of the second stage of the reform, all websites had to present a cookie disclaimer to their users. Through this disclaimer, they were to inform the users about the fact that the website will set cookies on the user’s browser and, sequentially, get the user’s consent for setting the aforementioned cookies. Sounds familiar? Of course, it’s exactly how “the deniers” still act with their websites even now, more than a couple of years later after the implementation of the new regulation which imposed stricter data processing requirements.

If you randomly start browsing today through some never-visited-before websites, you’ll notice that all of them will welcome you with different types and sizes of cookie banners. Most of them will have nothing in common with the not-that-new-anymore GDPR’s set of rules. Here are a few examples:

As you can see, some of these banners don’t have an option for the website user to reject the cookies, while other banners come with pre-approved consent or pre-ticked boxes. On other websites, you will encounter a so-called “cookie wall”.

Then there are the cookie banners placed by people who never realised that the times when a box with a short use-of-cookies text, an “OK” button, and maybe a link to the website’s cookie policy, are long, long gone.

The most audacious cookie banners, however, are the ones that “assume” we are happy with all the cookies that will be stuffed on our throat, as long as we continue to browse that mighty website. You assume. Really, dear website owner? Well, let me be the one to tell you if no one else did it until now: your assumption is as wrong as two left shoes and it’s contrary to the whole essence of the GDPR.

None of these behaviours are GDPR or ePrivacy Directive compliant. The legislation specifically prohibits the display of any pre-approved consent or pre-checked categories on the cookie banners. It also presents the exceptions to this rule in a manner that leaves no room for interpretation. Europe’s top court made it quite clear, if there were still any doubts about it.

In some EU countries, the National Data Protection Authorities explicitly require that  whenever an “Accept” option is displayed, a “Reject” button with at least the same characteristics (size, position, visibility and so on) needs to be presented on the same layout of the website. If your website operates in Germany or the UK, you should pay attention to this requirement. On the other hand, if you operate in Ireland or France, you should know that if your website provides a global consent option, it must also display a global reject option to the users.

The “cookie wall” option is not really an option. The Dutch Data Protection Authority explained why, and you are free to read their decision if you understand Dutch. If this isn’t your strongest point, then it’s enough to remember that it’s not GDPR compliant to condition the access to your website by the users’ acceptance of tracking cookies or other ways to track and record users’ behaviour. The motivation behind this rule is that a website should be accessible to all users and not just to the ones who accept tracking cookies.

And don’t get me started on websites that “assume” the users’ consent or display only a simple information banner without even making the slightest attempt to obtain the users’ consent for collecting their data. Suffice to say that if those websites were people, their discernment would probably be revoked on the grounds of severe mental illness. You simply cannot have this kind of behaviour if you are in the fullness of your mental faculties!

There are, of course, many websites whose owners have understood the importance and the binding nature of the GDPR. Those people are the ones who show a minimum respect to their website’s users. Get it? This is the minimum! If you don’t do at least this, then what else can we expect from you?

These websites’ owners understood that there are also people who pay attention to these “little” things and don’t accept for one of their rights to be completely obliterated just because you are too indifferent, careless, lazy or incompetent. They understood that you only have one small window of time to make a first good impression. They understood that if people with a reasonable level of self-esteem access their website and are immediately greeted by a cookie banner which screams that the website’s owner doesn’t care in the slightest about the visitors rights, the chances for those people to continue to browse that website and, eventually, purchase a product or a service, are reduced significantly. 

To all those website owners out there who got it right, a big kudos! To the ones who didn’t, please get your head out of the sand and realise the day and age we live in! Browse around, pay attention to the good things made by others and stop being a part of the cookie banners madness!

How does the cookie banner on your website look like? Have you checked it recently? If not, please do it soon and remember that I’m always here for you if you need GDPR related guidance.

Thank you for your time!