What are “Dark Patterns” and how does Cookie Compliance prevent them?
In recent months, the French DPA (CNIL), as well as the European Center for Digital Rights (noyb), have taken action against non-compliant banners by filing complaints and issuing fines to businesses that violate the core principles of GDPR through the use of Dark Patterns.
Cookie Compliance removes the following Dark Patterns (based on CNIL / noyb guidance):
Type A: Refusing consent should be as simple as providing consent
- EU privacy law requires that internet users be given “equal options” regarding cookies. Cookie banners without an initial “reject” or “reject all” option in the first layer violate the GDPR consent requirement.
- Our approach: provides three (3) equal choices that represent different configurations of consent, with the “reject all” option selected by default in the first layer
Type B: No pre-ticked boxes on second layer.
- Using pre-ticked boxes to obtain cookie consent violates the GDPR, which expressly states in its recitals that pre-ticked boxes should not constitute consent.
- Our approach: the configuration ensures that all cookie category toggles are turned off by default, and cookie categories are toggled dynamically based on the visitor’s selection in the first layer.
Type C: Deceptive Link Design
- Use of confusing hyperlinks to reject cookies, rather than buttons, “nudges” 90% of internet users into clicking an “agree” button. Noyb cites industry statistics indicating that only 3% of internet users actually want to accept cookies.
- Our approach: displays 3 equal buttons to represent different configurations of consent, and allows visitors to set granular permissions via a consent preferences link
Types D + E: Deceptive Colors & Contrasts
- Use of deceptive colors and contrasts for cookie “accept” and “reject” buttons violates GDPR consent requirements.
- Our approach: prevents site operators from changing the standard set of 3 colors used to represent the 3 Data Access Level choice buttons
Type H: Legitimate interest claimed.
- Any indication that a company relies on legitimate interests, rather than on consent, for its use of cookies violates EU privacy law.
- Our approach: requires the banner to be shown to all site visitors, regardless of whether they are located in a jurisdiction where affirmative opt-in consent is not required
Type I: Inaccurate classification of cookies.
- Some companies misclassify non-essential cookies as “essential” (also called “strictly necessary”) cookies to circumvent the ePrivacy Directive’s consent requirements.
- Our approach: prevents site operators from reclassifying popular analytics and marketing scripts as “essential”
Type K: Not as easy to withdraw as to give consent.
- Failing to include an easy and readily accessible option to update or revoke consent violates the GDPR rule that a visitor must be able to withdraw consent as easily as they can give it.
- Our approach: requires the placement of a floating icon that recalls the consent banner so that visitors can change or withdraw their consent