
Is This Really Consent? The Silent Cookie Trap

Are We Really Choosing?

Open any modern website, and you're likely to see a pop-up at the bottom or top of the screen: “By continuing to use this website, you consent to cookies.” These banners often lack a “Reject” button or detailed settings, and more troublingly, cookies are sometimes dropped onto your device even before you engage with the message. This has become a widespread practice across the internet—but it raises a serious question: Is this actually valid consent under the GDPR or other global data protection frameworks?

For many users, cookie banners are just another design element to be clicked away. But under data protection laws like the GDPR, they are much more than that—they’re legal consent mechanisms. Unfortunately, the way many websites implement them today may be falling short of the law.

What the GDPR Really Says About Cookie Consent

The General Data Protection Regulation (GDPR), read along with the ePrivacy Directive, sets out clear and strict rules for valid consent regarding the use of cookies and other tracking technologies. Consent under the GDPR must be freely given, specific, informed, and unambiguous, and it must be provided through a clear affirmative action. In other words, users must actively choose to allow cookies, and that choice must be meaningful.

The GDPR also explicitly states that pre-ticked boxes, passive acceptance, or implied consent—like continuing to browse—do not meet the threshold of lawful consent. Any use of cookies that are not strictly necessary for the functioning of a site must be paused until proper consent is obtained. This includes analytics, personalization, marketing, or third-party tracking cookies.

Common Problems in Cookie Consent Practices

Despite the law, many websites implement cookie banners that are clearly non-compliant. One of the most frequent issues is the absence of a “Reject All” button. These banners usually display only “Accept” or “Okay,” with the option to refuse buried under several clicks or not offered at all. This undermines the user’s ability to make a real choice, turning the act of consent into a forced agreement.

Another issue is the lack of granular choices. GDPR requires that users be able to selectively allow or reject different types of cookies—for instance, accepting necessary cookies while rejecting advertising trackers. Yet many websites offer a binary “accept or leave” model, ignoring the principle of specificity.

Worse still are dark patterns, where design is deliberately used to manipulate behavior. A common example is highlighting the “Accept All” button in a bold color while making the “Manage Preferences” or “Settings” button faint, grey, or hard to find. These tactics compromise the freedom of consent by nudging users toward a default choice.

Finally, a major legal violation occurs when websites drop cookies before consent is even given. This is in clear breach of both GDPR and ePrivacy Directive requirements and effectively nullifies any subsequent consent as the data collection has already begun.

Who’s Doing It Right (and Wrong)

There are, however, websites that get it right. A good example is the website of IAB Europe. It provides a well-structured banner that allows users to “Accept All,” “Reject All,” or “Customize Settings.” It clearly explains the categories of cookies used, such as essential, performance, and targeting, and only sets cookies after the user has made an active choice. This model is transparent, user-centric, and compliant with the law.

On the other hand, many news websites continue to follow poor practices. They often use banners that offer only an “Accept” button, do not explain what data is being collected, and begin tracking as soon as the page loads. In such cases, the banner becomes a mere formality, failing the test of informed and voluntary consent.

What Should a Compliant Cookie Banner Look Like?

An ideal cookie banner should be simple, honest, and respectful of user autonomy. It should display three clear options upfront: “Accept All,” “Reject All,” and “Manage Preferences.” The language should be easy to understand, avoiding legal jargon and manipulative design. Users should also be allowed to change their consent preferences at any time, and websites should keep records of what was consented to, when, and for what purpose.

Such a banner might say: “We use cookies to enhance your browsing experience. You can choose which cookies you want to allow.” This not only builds trust but also meets legal expectations by emphasizing user control and transparency.
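The gating and record-keeping described above can be sketched in code. This is an added example, not code from the original article or from any site it mentions; `ConsentManager`, the category names, and the injected `writeCookie` callback are hypothetical, and in a browser the callback would assign to `document.cookie`.

```javascript
// Added example: consent-gated cookie writer (all names are hypothetical).
const CATEGORIES = ["necessary", "analytics", "personalization", "marketing"];

class ConsentManager {
  constructor(writeCookie, now = () => new Date().toISOString()) {
    this.writeCookie = writeCookie; // injected so the logic can be tested offline
    this.now = now;
    this.choices = null;            // null = the user has not acted yet
    this.records = [];              // audit trail: what was chosen and when
    this.pending = [];              // non-essential cookies held until a choice
  }

  // Call only from an explicit click: "accept_all", "reject_all" or "custom".
  decide(action, granted = {}) {
    const choices = {};
    for (const cat of CATEGORIES) {
      if (cat === "necessary") choices[cat] = true;
      else if (action === "accept_all") choices[cat] = true;
      else if (action === "reject_all") choices[cat] = false;
      else choices[cat] = granted[cat] === true; // no pre-ticked defaults
    }
    this.choices = choices;
    this.records.push({ action, choices: { ...choices }, at: this.now() });
    const held = this.pending;
    this.pending = [];
    held.forEach(({ category, cookie }) => this.set(category, cookie));
    return choices;
  }

  // Returns "written", "held" (no choice yet) or "dropped" (category refused).
  set(category, cookie) {
    if (!CATEGORIES.includes(category)) {
      throw new Error(`unknown category: ${category}`);
    }
    if (category === "necessary") {
      this.writeCookie(cookie);
      return "written";
    }
    if (this.choices === null) {
      this.pending.push({ category, cookie });
      return "held";
    }
    if (!this.choices[category]) return "dropped";
    this.writeCookie(cookie);
    return "written";
  }
}
```

Calling `decide` again later records a changed preference as a new entry rather than overwriting the old one. The same gate has to cover cookies set by server responses and third-party scripts, which this client-side sketch does not reach.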

Design Element or Legal Minefield?

Cookie banners should not be treated as simple UI elements. They are compliance mechanisms with legal and ethical implications. Poor implementation can result in hefty fines, regulatory scrutiny, and loss of user trust. Companies like Google and Meta have already faced multi-million-euro penalties for cookie consent violations in the EU.

To ensure that consent is meaningful, cookie banners must be thoughtfully designed and legally compliant. They should empower users rather than trick them. Only then can organizations build genuine trust—and stay on the right side of the law.


By Harshita Sonkar
