Cookie Banner Design

Within TrueVault, you have a broad range of customization options for the design of your cookie consent banner (colors, buttons, etc.). There are a few compliance issues to be aware of, however, that may create problems with data protection authorities.

Note: Our default design for the cookie consent banner is meant to comply with GDPR and ePrivacy Directive rules and avoid these issues. While you have the freedom to deviate from our design, please understand that this can carry risks for your business.

Dark Patterns

A dark pattern is a UI design choice that has "the substantial effect of subverting or impairing user autonomy, decisionmaking, or choice." In other words, the design itself nudges the user in a certain direction. This is often accomplished via color choices, button asymmetry, and/or process asymmetry (i.e., making one option easier or harder than the other).

U.S. privacy laws such as the CCPA expressly state that consent obtained via a dark pattern is not considered valid. The GDPR, which governs the standard for consent on cookie banners, is not as straightforward. It often speaks in broad terms, such as principles of "fairness" and "transparency," and states that consent must be "freely given, specific, informed and unambiguous." However, just because these terms are vague does not mean that they can't be enforced.

Here are some common design choices that may be considered dark patterns.

Failure to Include a "Reject All" Option

Businesses are typically eager to provide an "Accept All" button on their cookie consent banners, but a little less enthusiastic about including a "Reject All" option, for obvious reasons.

In a 2023 report on this issue, the European Data Protection Board (EDPB) found that there was near-universal consensus among data protection authorities: If a consent banner offers an "Accept All" button, it must also provide a "Reject All" equivalent. Not only that, it must be available at the same point, meaning businesses should not make users click further into the interface before being able to reject all cookies.

For this very reason, Google (along with several other businesses) was fined 150 million euros in 2022.

Button Asymmetry

We've all experienced this: When one button is larger or more brightly colored, we are more likely to click on it. For this reason, many businesses prefer to make their "Accept All" buttons a different color, or perhaps make the "Reject All" option a text link that is far less prominent.

The EDPB was less clear about this practice in its report, in part because of the difficulties in making rules about color choices. For this reason, it recommended a case-by-case approach to determining whether color or contrast choices have the effect of misleading consumers. The Information Commissioner's Office (the UK's data protection authority) released a position paper stating that choices such as "Accept All" and "Reject All" "must be presented with equal prominence."

Though the standard may not be crystal clear, businesses that use button asymmetry in their consent mechanisms are usually aware of their reason for doing so, and should know that it runs the risk of triggering enforcement actions.