Coloured cookie consent can be illegal nudging
Companies have a wide degree of creativity when applying colours and different designs for cookie consent solutions on websites, etc. However, this flexibility has limits, which the Danish Data Protection Agency just emphasized in a new case. For example, there is a limit when the choice of colours "pushes" users in a certain direction. The reason is that it undermines their rights.
A large Danish company used a consent solution for cookies on the company's website that offered users three different options. The user could choose between:
- 'Accept all' cookies by clicking a green button
- 'Adapt [cookies] in settings' by clicking a grey button, and
- 'Only necessary' cookies by clicking a red button
Most of the website users clicked on the green button and accepted all cookies.
Dangerous to 'push' users with traffic light colours
The Danish Data Protection Agency emphasized that companies generally are free to apply any preferred design concerning layout and content. However, at the same time, companies cannot illegally "nudge" users into making certain choices.
On this basis, the Danish Data Protection Agency found that the company's use of colours affected the users' choices. Using the "traffic light-like" system was therefore nudging and illegal.
Because the 'Accept all’-button was green, it was a circumvention of the right to an informed choice – and thereby rights – for the website users. That, among other things, led the Danish Data Protection Agency to issue a statement of serious criticism towards the company.
IUNO’s opinion
This case is interesting because many companies use cookie consent in exactly the “traffic light-like” colour scheme format on their website. By applying that choice of colours, the consent could breach the applicable data protection rules.
IUNO recommends that companies understand the latest guidance on cookie rules. Although the choice of colors is one focus point, many requirements need attention. Companies that use other forms of colour combinations as part of the design of the cookie consent should also consider whether the colour combination could, in reality, pushes the user into going in a certain direction.
[The Danish Data Protection Agency's judgment in case 2021-41-0149 of 27 October 2022]
A large Danish company used a consent solution for cookies on the company's website that offered users three different options. The user could choose between:
- 'Accept all' cookies by clicking a green button
- 'Adapt [cookies] in settings' by clicking a grey button, and
- 'Only necessary' cookies by clicking a red button
Most of the website users clicked on the green button and accepted all cookies.
Dangerous to 'push' users with traffic light colours
The Danish Data Protection Agency emphasized that companies generally are free to apply any preferred design concerning layout and content. However, at the same time, companies cannot illegally "nudge" users into making certain choices.
On this basis, the Danish Data Protection Agency found that the company's use of colours affected the users' choices. Using the "traffic light-like" system was therefore nudging and illegal.
Because the 'Accept all’-button was green, it was a circumvention of the right to an informed choice – and thereby rights – for the website users. That, among other things, led the Danish Data Protection Agency to issue a statement of serious criticism towards the company.
IUNO’s opinion
This case is interesting because many companies use cookie consent in exactly the “traffic light-like” colour scheme format on their website. By applying that choice of colours, the consent could breach the applicable data protection rules.
IUNO recommends that companies understand the latest guidance on cookie rules. Although the choice of colors is one focus point, many requirements need attention. Companies that use other forms of colour combinations as part of the design of the cookie consent should also consider whether the colour combination could, in reality, pushes the user into going in a certain direction.
[The Danish Data Protection Agency's judgment in case 2021-41-0149 of 27 October 2022]
Similar
Expensive right of access requests
Seven commandments when closing the business e-mail account
Unfair design practices resulted in a 345 million euro fine
Accessible personnel files resulted in a data breach
Deadline to establish whistleblower schemes for medium-sized companies approaching
New guidance from the Danish Data Protection Agency on direct marketing