Make the most out of your campaigns while respecting user privacy.

Are you doing it right? Common mistakes and pitfalls of GDPR cookie consent modals

Since the enforcement of the General Data Protection Regulation (GDPR) in 2018, websites have been scrambling to comply with its stringent requirements on user data privacy

image description
Author: Vjeran

Few years ago we were taking analytical systems for granted. Me first, guilty as charged. Most common one was, and still is, Google Analytics, because of its free price tag. It was used as a statistical and analytical tool showing high amount of data. For certain businesses it even had a central role.

In a new privacy-centric Internet, due privacy concerns, this data is now partial. Google Analytics, under certain circumstances, is filling these gaps with so called "modelled data". But still it’s not the data we used to see before.

Some of us initially felt crippled by all this. There was and still is an urge to collect all the data like we used to, whether for reporting purposes or business or marketing analysis or for advertising systems to work more efficiently.

With an attempt to gather all possible data, business often try to avoid regulation mostly by using tactics to mislead visitors. We’ve seen it more often than not.

This is the reason EU EPDB (European Data Protection Board) formed a Cookie Banner Taskforce which pinpointed some of the most common mistakes and released a document in January 2023 listing them.

Let’s dive in:

No rejection button on the first layer

This is one of the most common. We see options such as [Accept all] and [Settings] where often there is not reject button, not even under settings. Users have to dig through shady and perplexing settings and options, unticking checkboxes and then save those settings. That's just plain wrong. The right way to do it is to show rejection button on the first screen or view of the cookie banner. This button on first view is mandatory.

Pre-ticked boxes

Pre-ticking boxes is wrong practice. Initial assumption must be that users don’t want to consent to 3rd party cookies and they have to opt-in freely and willingly.

Deceptive link design

Sometimes cookie banner reject option leads to another page or they give users an impression they cannot use the website until they consent. This is so wrong on so many levels as regulation says that opt-in consent should not be conditioned in any way.

Deceptive button colours and contrast

This one is very common. We see [Accept all] button on green background, with high contrast letters, while [Decline] button has red background or is greyed-out, or doesnt look like button at all. While some DPOs say that colours can assist for people with dyslexia (and it is a valid point that we would like EPDB to take into consideration) it is best practice to follow regulation and have all buttons same size and same design.

Legitimate interest claimed

Not so uncommon, businesses tend to claim 3rd party services, usually marketing automation systems, support or sales chats, CRM’s and 3rd party forms (usually in iframe element) as legitimate interest. Providers of such systems usually convince clients it’s OK as it is their legitimate interest, but when asked for an official statement which draws responsibility, those providers decline it or say to consult their DPO. Remember, this is plain wrong and against GDPR. You are the one who is responsible, not them.

Inaccurately classified essential cookies

This one is similar to “Legitimate interest claimed”. Businesses tend to mark non-essential cookies as essential, thus making users unable to opt-out.

No withdrawal mechanism

Sometimes businesses don’t have withdrawl mechanism or have it buried somewhere deep inside privacy policy. According to GDPR, withdrawal mechanism has to be clearly visible on every page of the website.

Application of the One-Stop-Shop

Just because you can visit a website from any country in Europe, it doesn’t mean the OSS rule automatically applies to same website in other countries. The rule could apply, but it depends on the situation. This usually relates to larger multinational businesses which are rarely non-compliant.

Bonus tip: We’ve seen a penalty where business did offer [Accept all] and [Reject all] buttons, but didn’t offer cookie options for different types of cookies. Although number of users that partialy select cookies by type is next to none, according to privacy regulation, users have to have this option.

In a nutshell, it always comes down to DPO (Data Protection Officer) or management decision, but offering straight-forward choice is a good business practice as it respects user’s choices. If you plan your business on the long run, it's highly advisable to follow these rules. It's not just about hefty fine, it’s also about brand perception and relation to its users and customers.

Privacy rules and regulations go far beyond cookie consent. There are mechanisms that allow you to collect cookieless pings, making your campaigns more efficient. We are the experts in this field and can help you maximize your advertising budget and efficiency, while strictly following privacy regulations. Just give us a shout.

Download the full official EPDB document. PDF, 1MB


Partnering with you to simplify digital challenges, delivering tailored strategies with surgical precision, transparency, and results-driven focus.