Numerous websites utilize cookies, which are generally divided into ‘essential’ (functioning website) and ‘non-essential’ (for example, store important information and user preferences) categories. The regulation of cookies falls under the ePrivacy Directive, translated into national laws of EU Member States. The ePrivacy Directive mandates that websites offer transparent information about cookie usage and seek consent for placing non-essential cookies.

Currently, there are different approaches within the European Union (EU) with regards to accepting and denying consent for the placement of cookies. The first approach includes both “Accept All” and “Reject All” options displayed in the initial layer of a cookie consent management solution. The second approach features only the “Accept All” option in the first layer, accompanied by a link to the second layer of the cookie consent management solution where the visitor can reject the use of non-essential cookies.[1]

The prevailing approach seems to lean towards the first method: an “accept all” and “reject all” in the first layer. Specifically, the Belgian, Austrian and Spanish data protection authorities are in favor of presenting both options in the first layer, which has even been enforced by the Franch data protection authority.[2]  The German[3] data protection authorities do not require a “reject all” when, for example, the consent option is also not displayed in the first layer. The Irish[4] data protection authority indicates that it is sufficient for there to be a consent button in the first layer and a link to further and more detailed information in the second layer.

Having to click various times to reject the non-essential cookies is, by those who view the first approach as GDPR compliant, viewed as a harmful nudge technique that reduces control over personal data and discourages a visitor from rejecting consent yet steers the visitor to provide consent (as it is easier and does not require much effort), it is a clear influencing technique. Though the GDPR and the ePrivacy Directive do not explicitly dictate that rejecting consent should be as easy as consenting, it is argued that this can, in fact, be deducted implicitly from the GDPR.  The GDPR dictates that consent must be freely given, informed, specific and unambiguous.[5] The data protection authorities in favor of the first approach question whether requiring the visitor to conduct multiple clicks to be able to reject consent aligns with the GDPR consent requirements and, as such, pulls into doubt whether the method through which consent is asked, is valid. Specifically, is consent truly freely given while keeping in mind the nudging technique used to steer the consumer in a certain direction. Additionally, the GDPR includes the fairness principle: the same data protection authorities find that that offering an equal and same way of rejecting cookies as opposed to consent to cookies, is fair.

Also within the Netherlands, this is a hot topic. Minister Alexandra van Huffelen of Digital Affairs has written a letter to the Second Chamber. In her letter, she informs the Second Chamber that often websites use dark patterns or nudging techniques to influence the choice of the visitor, the example of the difficulty of rejecting non-essential cookies.[6]

The Dutch Authority for Consumers and Markets (ACM) is the supervisor of the Dutch Telecommunication Act (implementation of the ePrivacy Directive) and the Dutch Data Protection Authority (DPA) is the supervisor of the GDPR, who can both regulate such matters. The CJEU has already ruled that consent cannot be given by a pre-tickets box, rendering such consent invalid.[7] Under the European Data Protection Board (EDPB) a Cookie Banner Task Force has been established. In their January 2023 report, they discuss how different practices, such as dark patterns, relate to the ePrivacy Directive and the GDPR.[8] The EDPB also issued a guideline on this dark patterns on social media, potentially also relevant.[9]

Evidently, efforts at European level are being made to provide more clarity on this issue. Clear though is that the majority of the Member States find that both a “accept all cookies” and “reject non-essential cookies” in the first layer of the cookie banner is the GDPR compliant route. Important is that the approach concerning the rejection or acceptance of consent is streamlined and made harmonious across the European Union thereby enhancing consumer protection and control over personal data.

[1] “Reject All” button in cookie consent banners – An update from the UK and the EU | Technology Law Dispatch

[2] Belgium Checklist on Cookies; Austrian Guidance on Cookies; Spanish Guidance on Cookies; CNIL on refusal and acceptance of cookies

[3] German Guidance on Cookies

[4] Irish Guidance Note: Cookies and other tracking technologies

[5] Article 6 GDPR.

[6] Letter minister Alexandra van Huffelen of Digital Affairs concerning cookies to the Second Chamber

[7] CJEU 1 October 2019, C-673/17, ECLI:EU:C:2019:801

[8] Report cookie banner taskforce | European Data Protection Board (Europa.eu)

[9] Guidelines 03/2022 on deceptive design patterns in social media platform interfaces: how to recognize and avoid them | European Data Protection Board (Europa.eu)