One-click cookie rejection as a way forward

Recently two of the biggest tech giants have been in the spotlight for violating cookie rules. What did they do wrong? How did their violations affect users? Let’s see if we can answer these two questions. In the beginning of 2022, the French data protection authority CNIL issued a decision fining Google and Facebook 150 million euros and 60 million euros respectively, as well as ordering them to comply with the violated cookie regulations within the next three months. Failure to comply would lead to fines of 100.000 euros per day. This isn’t the first time CNIL has fined Big Tech companies for not complying with regulations. Just to name a few, Amazon has been similarly fined for violating cookie regulations in 2020, and in 2020 CNIL made Google pay 50 million euros in fines for GDPR violations. During recent investigations, CNIL found that to accept cookies on Facebook and Google users only need to click one button. On the contrary, in order to reject cookies users must undergo a longer process, which requires multiple choices and clicks. This, in CNIL’s opinion, negatively affects freedom of consent, because it pushes users towards the easier option – simply accepting cookies. CNIL referred to the rules stating that accepting and rejecting cookies should have the same degree of simplicity and since the mechanisms for rejecting cookies on Google and Facebook are far more complex than accepting cookies both companies were violating the rules. Let’s look at how different websites go about organizing their cookie protocols. In the first example we are looking at Uber. When entering their website users are met with this banner:

Notice how it’s just as easy to accept cookies as it is to refuse them, just by clicking one of the available buttons. The same happens when we go visit Zoom’s website, users can choose with one click if they want to decline or to accept cookies, before they continue using the website.

Now let’s look at Facebook. Instantly, the outcome is completely different. The first thing users see is the banner below, which gives them the option to allow all cookies or choose more options.

If a user does choose the ‘More Options’ button they are met with the second banner where they can choose to allow only essential cookies or all selected cookies.

This process nudges users to accept all cookies because it’s a faster and an easier choice. Moreover, both banners highlight the options to accept cookies and confuse users by naming them differently. In the first banner it’s under the name ‘allow all cookies’, second banner puts it under the name of ‘allow selected cookies’. In the end, to effectively reject all unnecessary cookies, users have to go through 2 different banners, turn off the optional cookies and only then can they choose the option to allow only essential cookies. Refusing cookies on Google is arguably even more confusing and tiring for the users. First the user has to choose between ‘agreeing’ to allow all the cookies or ‘customizing’ their choice.

If the user chooses to customise their cookies they have to turn off every unnesesary cookie option separately.

And only then the user can confirm their choices and turn off the unnesessary cookies.

As you can see on the first two websites, when businesses follow the cookie regulations, rejecting cookies is as easy as accepting them. It doesn’t have to take more clicks or require a user to read additional information, which then allows them to make an informed decision without being pushed towards accepting all cookies. Meanwhile Facebook and Google make the process of rejecting unnecessary cookies significantly longer and harder than just clicking ‘accept all cookies’, which takes away from the user’s freedom of consent by heavily nudging them in favor of one option. The obligation to make cookie rejection equally easy does not come from thin air. Cookies present multiple security risks and it is important to give users the opportunity to protect themselves from being tracked cross-sites, which can happen with accepting all cookies. Websites have an obligation to allow users to choose their security over cookies, which is why one-click cookie rejection is so important. Depriving users from this is purely unethical and irresponsible. More attention should be payed by websites to their cookie procedures. It’s not only Google and Facebook whose cookie procedures are confusing and unfair, other companies have similar faulty approaches. Among those with flawed procedures are TikTok, Twitch, Snapchat, Spotify and Deliveroo. Websites should consider implementing one-click cookie rejection not only to comply with the regulations, but also to not deprive users from their freedom of consent and the right to protect their privacy.

Cnil.fr. (2022). Cookies: the CNIL fines GOOGLE a total of 150 million euros and FACEBOOK 60 million euros for non-compliance with French legislation | CNIL. Available at: https://www.cnil.fr/en/cookies-cnil-fines-google-total-150-million-euros-and-facebook-60-million-euros-non-compliance . Cnil.fr. (2020). Cookies: financial penalty of 35 million euros imposed on the company AMAZON EUROPE CORE | CNIL. Available at: https://www.cnil.fr/en/cookies-financial-penalty-35-million-euros-imposed-company-amazon-europe-core . Le Conseil d’État (2020). Conseil d’État, 19 juin 2020, Sanction infligée à Google par la CNIL. Conseil d’État. Available at: https://www.conseil-etat.fr/ressources/decisions-contentieuses/dernieres-decisions-importantes/conseil-d-etat-19-juin-2020-sanction-infligee-a-google-par-la-cnil . Cnil.fr. (2022). Cookies: the CNIL fines GOOGLE a total of 150 million euros and FACEBOOK 60 million euros for non-compliance with French legislation | CNIL. Available at: https://www.cnil.fr/en/cookies-cnil-fines-google-total-150-million-euros-and-facebook-60-million-euros-non-compliance . DataGuidance. (2022). France: CNIL fines Google €150M for inadequately facilitating refusal of cookies. Available at: https://www.dataguidance.com/news/france-cnil-fines-google-150m-inadequately-facilitating .