The CNIL Orders Website Publishers to Modify Misleading Cookie Banners

Want to receive these privacy recaps that matter to consent management, adtech and martech in your inbox? Sign up for our privacy newsletter, A Little Privacy, Please.

EUROPE

The CNIL Orders Website Publishers to Modify Misleading Cookie Banners

The French CNIL announced that it ordered several website publishers to modify, within one month, their consent banners that the CNIL found to be misleading. In particular, the announcement cites the following practices by the publishers as misleading and non-compliant:

• “the opt-out option takes the form of a clickable link whose choices of color, character size and font disproportionately highlight the opt-in option compared to the opt-out option;
• “the opt-out option is confused with the information notices because of its location to the point that it is not easily discernible;
• “the opt-out option is attached to other paragraphs without sufficient spacing to visually distinguish the opt-out method of the tracers from all the other information brought to its attention;
• “the acceptance option is presented several times in the banner while the refusal option is only present once, moreover, in non-explicit terms (“I decline non-essential purposes”).” 

TAKEAWAY

In its announcement, the CNIL cites a report created by a Cookie Banner Taskforce and adopted by the EDPB in 2023, reflecting the common denominator agreed by supervisory authorities in their interpretation of GDPR and the ePrivacy Directive when handling cookie complaints from advocate noyb; however, the CNIL’s requirements seem to take the EDPB requirements one step further.

For example, the taskforce found that a “a general banner standard concerning colour and/or contrast cannot be imposed on data controllers”, but rather than a case-by-case verification would need to be conducted to determine whether the contract and colours are “obviously misleading.” The only such practice the taskforce could cite as “manifestly misleading” was “an alternative action is offered (other than granting consent) in the form of a button where the contrast between the text and the button background is so minimal that the text is unreadable to virtually any user.” The report does state that it reflects a “minimum threshold”, but, based on the examples given, it appears that the CNIL may impose requirements a step above such threshold. 

Want more of the privacy highlights that matter for consent management, adtech and martech? Sign up for our privacy newsletter, A Little Privacy, Please.

A Little Privacy, Please weekly recaps are provided for general, informational purposes only, do not constitute legal advice, and should not be relied upon for legal decision-making. Please consult an attorney to determine how legal updates may impact you or your business.