The featured image ^^above^^ is from a recent post by NOYB. In general I support the efforts of NOYB i.e. Max Schrems et al. That is, consent banners have been deceptive/incorrect for years and going after bad actors is justified. Whether those sites are deliberately using dark patterns, or simply complacent, ignorance is no excuse!
I first presented the scale of the consent problem at @Superweek in 2020. That work showed 98% of sites were getting consent wrong at that time*. That is an incredible statistic, though in line with other academic studies i.e. a generally very high level of consent negligence. However, there is a fine balance between pursuing compliance adherence, and coming across as a “privacy fundamentalist“.
*I use data from the audit tool verified-data.com for my studies into consent compliance. For transparency, I am behind the development of the tool.
The Optimising Myth from NOYB
That NOYB post is the perfect example for my dichotomy with the NOYB (fyi I have made several donations to their cause). Of course, it is easy to agree that it should be very simple and very transparent for users to opt-out of tracking. Note, I deliberately avoid using the word cookies – more on that later. But to say that such banners need to offer ONLY a binary choice to the visitor and with identical opt-in/opt-out buttons, crosses the line into “privacy fundamentalist” territory imo.
Instead, it is entirely possible and legal to use nudge methods to encourage your users to favour opt-in. I describe this in the whitepaper: Best Practice Consent Guide, which is freely available and not a pitch! Note, I went out of my way to get legal advice to support the approach I advocate. Essentially the simple principle is to transparently require the user to make 2-clicks to opt out of tracking, with only 1-click for opt-in.
Below shows the alternative approach:
Nudging is NOT Deceptive (and is legal)
Please read my detailed consent guide before posting a comment on this article. As you will read, I advocate best practice principals for deploying a compliant consent banner – no dark patterns and no hidden agenda. I have been actively advising clients to do this for years and even turned down those that refuse to do so. All the areas I discuss are important to follow – particularly Section 5.
The Five Key Principles of Consent:
- No Tracking Before Consent
- No Pre-Selected Consent
- Explicit Consent Only
- No Cookiewall
- Honour Explicit No
There is of course a reason for my nudge approach – the difference in opt-in rates is striking. A nudge can reverse an opt-in rate as low as 30% to an opt-in rate of 70%. That is, going from a small sub-set of data making life for your analyst and marketing teams a misery, to retaining the vast majority of your data that can still be used to optimise the performance of your web site and its marketing. It’s achieved using a simple and basic marketing nudge. And IF this is done transparently (I deliberately highlight the big IF) along with the other five key principles, the legal advice I received says this is perfectly acceptable and legal within the EU.
The Problem for “Privacy Fundamentalist”
NOYB et al object to the nudge approach, effectively saying consent banners cannot be optimised for improved opt-in rates. They say the banner design is set in stone and it just the luck of the draw what opt-in rate you get. This comes from their interpretation of one line from Article 7 (3) of the GDPR:
“It shall be as easy to withdraw as to give consent.”
However, providing only a binary choice that is identical in design, is a very strict over interpretation. The UK’s data protection authority takes a more pragmatic approach in its guidance document (Tip: do an in-page search for “freedom” to find the relevant section – its a long doc!):
“Furthermore, the UK GDPR is clear that the right to the protection of personal data:
- is not absolute;
- should be considered in relation to its function in society; and
- must be balanced against other fundamental rights, including freedom of expression and the freedom to conduct a business“.
Optimising your consent banner for opt-ins i.e. nudging, is simply a part of being smart at conducting business. Legitimate nudging has always existed.
A Physical Analogy
Online privacy fundamentally relies on the same principals as privacy in the offline world, so I always include a bricks & mortar analogy to illustrate the point. So here is my analogous consent approach:
If I go into a high street store but quickly decide I am in the wrong place, there is no legal requirement to say that I must be able to turn around and leave the store the exact same route/path I came in. For example, maybe there are safety considerations at the entrance to stop people reversing backwards with their carts. Maybe the store simply wants to avoid inconvenience to other shoppers and asks you to take a short cut through the store via their Special Offers section. Either way, so long as it is completely transparent, the exit path is not stupidly manipulating you, you are not locked into the store or unable to leave without buying something, then leaving via a slightly different route is not illegal or unethical.
It’s simply a fact of doing business – just like placing the milk at the back of the store. And I see no evidence that physical shoppers are troubled about this.
Why Consent Is Not About Cookies
So please NOYB, stop referring inaccurately to “cookie banners” – they are consent banners. Of course I understand the SEO reasons why they have chosen the phrase cookie banner instead – its because the mainstream press have referred to them as such for years. The NOYB are simply using a legitimate marketing technique to promote themselves using popular words others use (I am being a little ironic here!)
Why This Matters (or why the NOYB needs to be pragmatic)
Not being a “privacy fundamentalist” matters – it’s actually very important. If privacy law and its advocates are seen to be an ass – preventing honest businesses legitimately doing their marketing, gaining informed consent transparently, benignly tracking in aggregate and not profiling – it will not be taken seriously. Rather, it will be ignored, considered over jealous and lumped together with conspiracy theorists. That is, it will not help embed the strong privacy principles and laws the online world so desperately needs – quite the opposite.
No matter how hard the NOYB tries, it is simply not possible to police the Internet. Going after the big brands creates headlines, but as the NOYB admit themselves, it is a tiny fraction of the problem. What is needed is a mass adoption of good principles and best practise – because it is the right thing to do, and crucially, because it makes sense to ordinary users.
So yes let’s name and shame and take to court bad abusers of consent banners. But please NOYB, be sensible in your approach so that you bring privacy advocates along with you, rather than alienate them with “UX noise” based on a very narrow interpretation of one line in the GDPR.
Nudging visitors to opt-in to being tracked in a transparent way is both ethical and legal. The NOYB need to be able to separate these types of legitimate banners that use simple marketing techniques dating back to the 1800s, from the manipulative and opaque attempts of bad actors.
Please note, previously I used the term “privacy jihadist” in quotes in order to make the context crystal clear. This is deliberate, because imo the devision happening in the privacy debate between privacy advocates is dangerous. Please keep the context of this reference in mind, and not twist it into something that it is not.
That said, moving forward I have decided to use “privacy fundamentalist” and/or “privacy crusader” as alternatives.
Brian thank you for sharing this. I am a young privacy professional who is still on growth and learning path, but I also thought NOYB’s opinion on these cookie/consent banners and requirement to have a clear Reject button was extreme and certainly an over reach.
I am curious to see how a court will interpret that phrase in Art 7 (3) GDPR in the context of consent banners UIs precisely. And specifically the phrase “as easy”. Because the way I see this apply is simply to ensure that the users who consented to being tracked are enabled to access the banner again change their preferences. A small toggle floating on the website would be fit for purpose. The user can then go into cookie settings and make the changes. Most banners are also transparent and explain that this is how they can disable or keep the trackers off.
Also just as another small point as I am thinking about this GDPR phrase. For users that decide to keep the trackers off (as they are by default in the EU) while they surf the website, there is simply no consent to “withdraw just as easy” because there was no consent given in the first place to withdraw…. Withdrawing consent requires submitting it first.
Thanks for the input Rebecca. Agreed that “as easy as” could equally apply to the ability for a user to change their mind. That is often overlooked.
To your last point, at present the best practice approach for consent design is that there is always something for the user to agree to. If you look a my site’s banner, that something is the “Necessary” category i.e. the the scripts and cookies required for the website to run. Essentially, it important for the data controller to know what is running on their site and list these transparently to the user. So ALL visitors are consenting to something.
The whole things is a terrible UX, but that is where we are in order to clean up so much of the bad practice that occurs online.