10 most common mistakes regarding cookie banners
We get to see a lot of cookie banners and are asked many questions about the right way of implementing the GDPR regulations regarding cookie banners. We have collected the 10 most common errors regarding cookie banners:
- Prior consent isn’t implemented
You visit a website, a cookie banner is shown and you get to make a choice what kind of cookies you would like the website to set on your device, great! But when you take a closer lo0k you see that some 50 cookies have already been set without even having made a choice. Cookies should be blocked, except necessary ones, until you have given your consent.
- Pre-ticked checkboxes
Again you are shown a lovely banner on a website. Unfortunately all category checkboxes are pre-checked. This is not allowed. You as a visitor should give explicit consent meaning you will have to check the checkboxes yourself
- Implied consent
This actually isn’t a cookie banner but merely a cookie notice. There is no actual choice thus making it implied consent. This can be legal when the website only uses necessary cookies and has an explanation of the cookies used. More often it’s just a notice and cookies of all types, including tracking-cookies are set on your device.
A cookie wall is a website’s self-made border that restricts access to it for users who don’t consent to all of the cookies and similar tracking technology present and ready to be activated on the domain. According to the Dutch, British and French DPA cookie walls are not allowed and it is considered a shady practice in the rest of Europe, and is very likely to be outlawed formally in the ePrivacy Regulation in 2020.
- Not able to change or withdraw your consent
Nice! You are visiting a website and cookies are blocked until you have consented. Hey, even the banner looks nice! But then after a while you want to change your consent, but there is no way you can change your consent, let alone withdraw it completely. The GDPR states that you should be allowed to change your consent just as easily as you have given it.
- No consent log
All consents must be logged as proof and all tracking of personal data, also by embedded third party services, must be documented, hereunder to which countries data is transmitted.
- Out-of-date cookie declaration
On an average more than 30% of all cookies on a websites changes monthly. You should inform your visitors about your cookies so a cookie declaration generated the 25th of May will most likely be out-of-date.
- Do you want to delete our cookies? Whatever man..do it yourself
So-called sites pointing you to various internet sources explaining you how to remove cookies from your browser. But you shouldn’t have to do that, the website is responsible for setting cookies on your device and thus have a mechanism to remove them as well.
- Toch niet helemaal geanonimiseerd die analytische cookies (doubleclick)
The Dutch DPA states you can use Google analytics cookies without a users given consent IF you make some changes in your Google Analytics account, making it a “privacy-friendly” implementation (e.g. ip-adresses are anonymized). Of course this is used by many websites to load analytical cookies without consent. But then you see another cookie loade on the site, doubleclick, and then you know something went wrong when implementing the privacy-friendly settings in Google Analytics.
- Banner? What banner?