German authority cracks down on cookie banners


Published on Feb 23, 2024 and edited on Apr 16, 2024 by Carlo Cilento

On February 9, the Bavaria data protection authority published a press release (German only) on the results of a large-scale, partly automated investigation on cookies. The authority suspects that at least 350 websites and 15 apps are violating EU law and placing cookies without consent.

While the investigation is only preliminary, there are some important aspects that are worth discussing.

  1. Why does this investigation matter?
  2. What was wrong with the cookie banners?
  3. Are deceptive cookie banners legal?
  4. Why do I still see a bunch of deceptive cookie banners?
  5. The bigger picture
  6. Final Thoughts

Why does this investigation matter?

The press release highlights two important points. First, the authority requires a “reject all” option at the first layer of the cookie banner, something the European Data Protection Board insists on as well. Second, the authority used automated tools for a large-scale investigation and is looking to further explore their use in the future.

What was wrong with the cookie banners?

Let’s start from the cookie banners. What problems did the authority find, and how can you avoid them on your own website?

According to the authority, most cookie banners did not provide a "reject all" option in the first layer. This might seem like a minor point, but it isn't, and here's why.

Let me ask you something: when was the last time you found it difficult or confusing to accept cookies from a website? The answer is probably never. Rejecting cookies is usually annoying, confusing, and tedious. And yet, accepting them is easy as pie.

This is by design. EU law requires consent for cookies (with narrow carve-outs that don’t really apply to web analytics). Websites cannot track you without your consent, so they go out of their way to make the process of rejecting cookies as difficult and annoying as possible.

Typically, a “reject cookies” option is found at a deeper level of the cookie banner and is buried between other useless, confusing options. This turns the cookie banner into an annoying little puzzle: you either take the time to solve it, or accept all cookies and move on with your life. There are other tricks in the crappy cookie banner toolbox but hiding the “reject all” option in a second layer is the main one.

The trick works. Many users simply lack the digital literacy to work out the intentionally confusing language and layout of cookie banners. We are talking about millions of people who are systematically pushed around by non-compliant websites! Even better equipped users often give in to fatigue because playing the dumb cookie minigame for every single website is annoying and time-consuming.
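As an added illustration (not code from the original post, and not the Bavarian authority's tooling, whose internals the press release does not describe), here is a small audit over a declared banner model: it counts the clicks needed to reach "accept all" versus "reject all" and flags the patterns the post describes. The banner format, the sample banners and the finding labels are constructed assumptions.

```javascript
// Constructed sample: "reject all" is buried in a second layer behind
// "Settings", and the analytics toggle in that layer is pre-ticked.
const deceptiveBanner = [
  { controls: [
      { label: "Accept all", action: "accept_all" },
      { label: "Settings", action: "open_layer", target: 1 } ] },
  { controls: [
      { label: "Analytics", action: "toggle", category: "analytics", checked: true },
      { label: "Save", action: "save" },
      { label: "Reject all", action: "reject_all" } ] },
];

// Constructed sample: both choices sit in the first layer, nothing pre-ticked.
const compliantBanner = [
  { controls: [
      { label: "Accept all", action: "accept_all" },
      { label: "Reject all", action: "reject_all" },
      { label: "Settings", action: "open_layer", target: 1 } ] },
  { controls: [
      { label: "Analytics", action: "toggle", category: "analytics", checked: false },
      { label: "Save", action: "save" } ] },
];

// Minimum clicks from the first layer to reach an action (Infinity if
// unreachable). Layers are assumed to form a tree; depth is bounded anyway.
function clicksTo(banner, action, layer = 0, depth = 1) {
  if (depth > banner.length) return Infinity;
  let best = Infinity;
  for (const c of banner[layer].controls) {
    if (c.action === action) best = Math.min(best, depth);
    if (c.action === "open_layer")
      best = Math.min(best, clicksTo(banner, action, c.target, depth + 1));
  }
  return best;
}

// Returns a list of findings; an empty list means none of the checked
// patterns (buried reject, unequal effort, pre-ticked toggles) is present.
function auditBanner(banner) {
  const findings = [];
  const accept = clicksTo(banner, "accept_all");
  const reject = clicksTo(banner, "reject_all");
  if (!banner[0].controls.some(c => c.action === "reject_all"))
    findings.push("no reject-all in first layer");
  if (reject > accept) findings.push(`reject needs ${reject} clicks, accept ${accept}`);
  for (const layer of banner)
    for (const c of layer.controls)
      if (c.action === "toggle" && c.checked) findings.push(`pre-ticked toggle: ${c.category}`);
  return findings;
}
```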

Are deceptive cookie banners legal?

No. If I click on the “accept all” button because I lack the time/patience/digital literacy to figure out how to “solve” a deceptive cookie pop-up, I did not consent freely and my consent is, therefore, completely meaningless under the GDPR.

This is also the position of the European Data Protection Board (that is, the EU institution that brings privacy authorities together). A recent EDPB document insists that cookie pop-ups must make it easy to reject consent, by presenting a “reject all” option in the first layer. And while this is not an entirely unanimous position, it is the position of the vast majority of privacy watchdogs across Europe, and the Bavarian authority expressly refers to it in its press release.

In practical terms, this means that European authorities really, really dislike deceptive cookie banners. Not just burying the “reject” button in the second layer, but the whole bag of tricks, too.

Why do I still see a bunch of deceptive cookie banners?

The Bavarian authority didn’t really say anything new. We have had these rules on cookie consent for decades now; they are older than the GDPR itself.

Enforcement is the issue. Many privacy authorities around Europe do good work but budget and staffing limitations prevent them from doing more. They are not in a position to go after every single website using a non-compliant cookie banner.

This is why the use of automated tools is important. Automating a preliminary phase of the work could allow authorities to enforce the law more effectively, and to threaten companies with large-scale investigations like the one launched in Bavaria.

This is the first time a European privacy authority has used software to automate a part of the fact-finding work, but the strategy is not completely new in the privacy space: the privacy NGO noyb successfully used similar tools for large-scale litigation against cookie non-compliance, despite modest staffing and technical means.

Bottom line: automated tools are no substitute for proper funding, but they can be of great help nonetheless. They are a very interesting tool and we hope to see authorities take a page from Bavaria and explore their use.

(And let’s be clear: no one is going to get fined just because the computer says so! The authority only automated the “dumbest” part of the work. Fines can only come after human investigation of each case, and websites will be able to defend themselves in a proper legal procedure.)

The bigger picture

All of this discussion about pop-ups design might seem like nitpicking, but it isn’t. Deceptive design in cookie banners is the symptom of a broader problem.

Companies like to track users, but users do not like to be tracked. 96% of iPhone users opted out of third-party data collection as soon as Apple gave them the option to do so. And by 2022, 35% of Internet users worldwide were using an ad blocker, despite ad-blocking not being a built-in feature of default browsers.

Because users don’t like being tracked, the ad tech industry needs to appeal to a fiction of consent while using every trick in the bag to extort consent. This fiction plays a crucial role in how the ad tech industry legitimizes the use of invasive and harmful tracking tools in an increasingly privacy-concerned world.

We see this strategy at play in other scenarios, too. Google claims that Android users somehow all consented to being tracked through their advertising IDs, despite the fact that they were never asked in the first place. And Meta claims that you are “free” to consent to being profiled, never mind that the alternative is paying €250 per year.

But the GDPR makes this fiction difficult to uphold. This is why regulators have been giving Meta hell over its business model for a while now, and why litigation against the misuse of Google Analytics and similar tracking tools is becoming increasingly successful at a European level (for instance, the recent and potentially game-changing victory against ad tech giant Criteo).

Final Thoughts

One step at a time, the momentum is finally swinging against online surveillance. Eluding the rules is still possible but is getting riskier by the day.

If you want to ensure that your cookie banner is compliant, check out our blog on the topic. But make no mistake: compliant cookie banner design drives opt-in rates down by a significant margin. That is why so many websites are violating the clear rules we have!

So, there is a fundamental trade-off for cookie-based analytics. You can have good opt-in rates, or compliance.

We built Simple Analytics so that you don’t have to choose. We give you all the insights you need on your website’s performance without using cookies and collecting a single bit of personal data. Our software is lightweight and easy to learn, with an intuitive UI and a handy AI assistant.

If this sounds good to you, feel free to give us a try!