But is a ‘reject all’ option legally required?
Mark Gracey from Mark Gracey GDPR has looked into this for us, and the ICO have said:
Having a ‘reject all’ button on a cookies banner that is just as prominent as an ‘accept all’ button helps people to more easily exercise their information rights. The ICO is closely monitoring how cookie banners are used in the UK and invites industry to review their cookies compliance now. If the ICO finds that cookies banners breach the law, it will seriously consider using the full range of its powers, including fines
Mark says this response is not surprising, given that the GDPR consent rules and the cookie rules are clear on this:
- Consent must be freely given by providing an affirmative action and it should be as easy to withdraw consent as it is to give it, and
- You need consent for all but essential cookies (eg. “essential” for running the website, not your business) and that consent should be collected before the cookies are placed, particularly for non-essential, privacy intrusive cookies
There are no specific rules about settings driven opt-outs, i.e. presenting the website user with two options: ‘accept all’ and ‘change your settings’. In fact, recent discussions with the ICO helpline, highlighted that a settings-led approach would suffice. With the ‘basic’ cookie guidance from the ICO stating:
To ensure that consent is freely given, users should have the means to enable or disable non-essential cookies, and you should make this easy to do.
But more detailed guidance says:
A consent mechanism that emphasises ‘agree’ or ‘allow’ over ‘reject’ or ‘block’ represents a non-compliant approach, as the online service is influencing users towards the ‘accept’ option.
The ICO have rarely taken action against cookie banners, so it does feel these recent statements are a change in policy. However, the UK government have said they want to make changes in the law regarding cookies, so it seems odd for the ICO to take this stance now.
Only time will tell if we start seeing enforcement/fines, but we are seeing more cookie banners on websites that make it easier to ‘reject all’ than before.