Dark Patterns in Cookie Banners: CNIL issues formal notice to website publishers

12 December 2024

In response to many complaints from data subjects, the French Data Protection Authority (CNIL) has issued orders to comply to website publishers to modify their cookie banners, which are considered to be misleading.

The CNIL has received complaints about dark patterns on cookie consent banners encouraging data subjects to accept cookies. 

As a reminder, with certain exceptions, cookies can only be used with the consent of data subjects. Moreover, rejecting cookies should be just as easy as accepting them.

The law does not impose any particular way of presenting choices on the cookie banner. On the other hand, publishers must be careful to choose designs that do not mislead the data subject, if consent is to be valid.

The information displayed on the cookie banner must be clear and complete, specifying the purpose of any cookies that may be used and the means of rejecting them.

When it receives a complaint, the CNIL analyzes cookie banners on a case-by-case basis, in light of the French Data Protection Act (Article 82), its guidelines, the recommendation on cookies and the final report on cookie banners adopted by the European Data Protection Board (EDPB) on January 17, 2023.

It is on the basis of these elements that, following the investigation of complaints, the CNIL issued orders to comply several website publishers to modify their cookie banners because:

  • the possibility of rejecting the use of cookies is not as easy as accepting them;
  • they encourage data subjects to consent to the use of cookies through ambiguous or misleading designs.

Specifically, the non-compliant practices observed include the following :

  • The reject option is presented in the form of a clickable link whose choice of color, font size, and font style disproportionately emphasizes the acceptance option over the reject option;
  • the location of the reject option is so embedded in the information that it is not readily apparent;
  • the reject option is placed next to other paragraphs without sufficient spacing to visually distinguish it from all other information;
  • the accept option is presented multiple times in the banner, while the reject option is presented only once and in non-explicit terms ("I decline non-essential purposes").

The President of the CNIL considered that these cookie banners constituted a violation of the French Data Protection Act (art. 82) and issued orders to comply website publishers to modify their cookie consent banners within one month so that the consent obtained would be valid.

The CNIL urges all stakeholders to ensure that their practices comply with the requirements of the General Data Protection Regulation (GDPR) and the ePrivacy Directive.