Consent management – is it okay to “nudge” users?

What happened?
We have recently come across legal complaints concerning Consent Management Platforms (CMPs) which may also be of interest to our customers. In particular, the design of the consent user interface were criticised.
One business asked for consent for the use of tracking cookies and similar technologies on its website with an “Accept” button. By clicking on “More information”, users could reject the consent and further manage their consent settings.
According to the warning letter, this allegedly already violated the European Court of Justice’s rule on using pre-ticked boxes, as the box with “Accept” was already “pre-set”.
What is the conclusion?

The issue at the heart of this discussion are so-called “nudging” practices and their effect on the “voluntariness” of consent. “Nudging” describes undue influence on the user’s decision to provide or refuse consent. For example, the user can be guided to provide consent by the design of the options in the user interface and to disregard the equally valid alternatives.
In November 2020, the State Commissioner for Data Protection of Lower Saxony (LfD NI) published a white paper on “consent on websites in compliance with data protection”, according to which “nudging” can lead to the invalidity of the consent obtained, depending on the concrete design:
According to this document, website visitors must have a genuine choice when giving their consent via a CMP and must not be unduly influenced. For example, undue influence may be exerted if the “Agree” option is designed in a much more conspicuous way than the “Disagree” option by means of colour, font style and other design features, or if more clicks are required for the “Disagree” option than for the “Agree” option.
After the ECJ and the German Federal Court of Justice (BGH) ruled that pre-ticked boxes, which the user must uncheck in order to refuse, do not constitute consent, the Rostock Regional Court also ruled (ref. no. 3 O 762/19) that a “guiding” design of a cookie banner can also be regarded as inadmissible at the end of last year:
If consent for all cookies is pre-selected and activated, for example, with a green “Allow cookies” button, this was regarded equivalent to pre-ticked boxes. The consumer would regularly avoid the effort of de-selecting the options and therefore allow the use of cookies. This applies in any case if the user does not have a real option to refuse, for example because it is not recognisable as a visually equivalent button.
The extent to which so-called nudging is still permissible cannot be assessed conclusively. Another supreme court case regarding the presentation of a banner and the buttons as well as the associated assessment of “nudging” is still pending. It does not seem compelling that every such design can be equated with pre-ticked boxes.
Due to this lack of legal certainty, many websites make “creative” use the existing framework to achieve high consent rates.
Concerning currently used designs:
In some frequently used designs, for example, it could be criticised that the user does not make a free choice about which cookies to accept, but rather accepts all cookies without specific knowledge by clicking “OK”. This would be supported by the fact that the user is not offered a direct option to opt out in the first layer. The “OK” button is often highlighted compared to the option to access the second lawyer.
To reduce the associated risk, a third option could be offered in addition to “consent” and “settings”, with a button that, for example, allows “only necessary cookies” and allows the rejection of other cookies with just one click. The user should thus have a real choice at the first level between agreeing and rejecting),and the buttons should be equal in terms of colour and font styleand clear information should be included to explain the scope of consent.
On the other hand, it seems hardly conceivable that even further-reaching designs are necessary, in which consent must be given individually for each provider or cookie.
Overall, it should be borne in mind that the legal assessment of the design of cookie consent is still in flux and that there is currently no completely secure solution due to different interpretations of the applicable laws and jurisprudence.

Dr. Marian Klingebiel, UNVERZAGT Rechtsanwälte

Your contact to ePrivacy: