Recently, Google announced its plans to introduce a “Reject All” option within its famous cookie banner. The decision was appreciated by the Information Commissioners Office, by observing this to be a change that was long awaited to improve not only the user interaction, but also the compliance aspects. The ICO in its statement was also conscious of the fact that this is just a first step and further action on part of Google will be welcomed.
This article elaborates the rationale behind Google decision to introduce a “Reject All” button and also consider future mechanisms that Google intends on implementing with regards to cookies. We will also provide our recommendations on improving cooking banners and consent tools to be compliant with the existing ICO guidance and the best practises.
Google’s announcement was provoked by the CNIL’s decision dated 31 December 2021 imposing a 150 million euro fine on Google for violating the ePrivacy Directive, that is transposed into the French Data Protection Act. Through its decision dated 31 December 2021 the CNIL framed the principle mandating website owners to make refusing cookies as easy as accepting cookies. This would allow users to provide consent in an unambiguous and informed manner without any coercion.
Before April 2022, Google’s cookie banner had only two options, namely “I accept” and “personalise”. While an opportunity was provided to deny consent, but several clicks were needed to make it effective, coupled with reading through several pages. Therefore, the process design was found to be deceptive and did not allow consent to be denied or withdrawn easily when compared to providing consent, from the pure practical point of view.
While the announcement is public, a lot of users will may not see the new “Reject All” option as they are already signed in, this happens because Google only asks for consent once and saves the preferences while signing in. However, the new functionality can be accessible by changing their settings or clicking on the More options- link in their cookie configuration’s. As expected Google announced that the “Reject All” option would be first open to use for all the users located in France and will then be made available to users in the Europe, the United Kingdom and Switzerland.
Nevertheless, this decision is a relevant and welcome step towards the phasing out of the third party cookies. Web-browsers such as Apple’s Safari and Mozilla’s Firefox have already taken action and implemented similar techniques. Google has also announced 2 relevant decisions that are expected to occur by 2023; on the one hand, it will phase out its third party cookies practises and, on the other hand, a “Privacy Sandbox” project and “Topics API” initiatives will be implemented. Through these tools Googles’ web browser, Chrome, will only record the five most popular/ important topics that a user has searched for per week, and will be scheduled to be updated every week. The historical data will also be scheduled to be deleted automatically every three weeks.
Google’s plans are focused on storing this topic’s related information directly on the users device, so it will prevent any transmission of personal data to third party providers or, even, to Google itself. As a consequence, the users will be able to control their interactions with and visibly of advertisements by setting new or changing the existing topics or, even, turning this function off. The Privacy Sandbox and Topic API are in currently in the testing phase and users across Europe can opt in to participate in such tests.
Our Recommendations:
Considering the above we recommend the following:
- Carrying out a cookie audit to understand the classification of cookies amongst strictly necessary, functional, targeting and performance headings.
- The addition of a “Reject all-option” on the first layer of the cookie consent tool/ cookie banner In this sense, it is highly important to remember that consent should always follow the lines as set in the Regulation, which means, in practical terms, that in no case could be implied by the users navigation of the webpage (i.e., inaction or no decision being taken should not be construed as a consent). It is important to ensure that clear instructions on how consent can be managed through the cookie consent tool/ banner are provided.
- Review and removal of any and all pre-ticked check boxes within the cookie consent tool/ cookie banner.
- Checking the general aspects of the cookie banner (among others, its colour and positioning…), to ensure that that its prominently visible and accessible to the users. The use of cookie consent tools and banners should be made in a manner to encourage user interaction with the webpage rather than acting as a wall/ hinderance to access the webpage.
- If the website relies on cookies set through the browsers then the particular cookie type and description must be prominently identified within the cookie consent tool.
- Keeping a clear separation between the specific consent for cookies and the privacy notice.
- Ensuring that users are not “nudged” or encouraged to accept cookies by design choices such as green boxes or more prominence for acceptance.
Trilateral’s Data Governance and Cyber Risk Team have data protection specialists with extensive expertise and experience in implementing and monitoring cookie compliance to meet legislative requirements. Trilateral Research has also created a dedicated cookie compliance guide to help increase cookie compliance. Please feel free to contact our advisors, who would be happy to speak with you about your compliance needs.
