Colored cookie consent can be illegal nudging
Companies have a wide degree of creativity when applying colors and different designs for cookie consent solutions on websites, etc. However, this flexibility has limits, which the Danish Data Protection Agency just emphasized in a new case. For example, there is a limit when the choice of colors "pushes" users in a certain direction. The reason is that it undermines their rights.
A large Danish company used a consent solution for cookies on the company's website that offered users three different options. The user could choose between:
- 'Accept all' cookies by clicking a green button
- 'Adapt [cookies] in settings' by clicking a grey button, and
- 'Only necessary' cookies by clicking a red button
Most of the website users clicked on the green button and accepted all cookies.
Dangerous to 'push' users with traffic light colors
The Danish Data Protection Agency emphasized that companies generally are free to apply any preferred design concerning layout and content. However, at the same time, companies cannot illegally "nudge" users into making certain choices.
On this basis, the Danish Data Protection Agency found that the company's use of colors affected the users' choices. Using the "traffic light-like" system was therefore nudging and illegal.
Because the 'Accept all’-button was green, it was a circumvention of the right to an informed choice – and thereby rights – for the website users. That, among other things, led the Danish Data Protection Agency to issue a statement of serious criticism towards the company.
IUNO’s opinion
This case is interesting because many companies use cookie consent in exactly the “traffic light-like” color scheme format on their website. By applying that choice of colors, the consent could breach the applicable data protection rules.
IUNO recommends that companies understand the latest guidance on cookie rules. Although the choice of colors is one focus point, many requirements need attention. Companies that use other forms of color combinations as part of the design of the cookie consent should also consider whether the color combination could, in reality, pushes the user into going in a certain direction.
[The Danish Data Protection Agency's judgment in case 2021-41-0149 of 27 October 2022]
A large Danish company used a consent solution for cookies on the company's website that offered users three different options. The user could choose between:
- 'Accept all' cookies by clicking a green button
- 'Adapt [cookies] in settings' by clicking a grey button, and
- 'Only necessary' cookies by clicking a red button
Most of the website users clicked on the green button and accepted all cookies.
Dangerous to 'push' users with traffic light colors
The Danish Data Protection Agency emphasized that companies generally are free to apply any preferred design concerning layout and content. However, at the same time, companies cannot illegally "nudge" users into making certain choices.
On this basis, the Danish Data Protection Agency found that the company's use of colors affected the users' choices. Using the "traffic light-like" system was therefore nudging and illegal.
Because the 'Accept all’-button was green, it was a circumvention of the right to an informed choice – and thereby rights – for the website users. That, among other things, led the Danish Data Protection Agency to issue a statement of serious criticism towards the company.
IUNO’s opinion
This case is interesting because many companies use cookie consent in exactly the “traffic light-like” color scheme format on their website. By applying that choice of colors, the consent could breach the applicable data protection rules.
IUNO recommends that companies understand the latest guidance on cookie rules. Although the choice of colors is one focus point, many requirements need attention. Companies that use other forms of color combinations as part of the design of the cookie consent should also consider whether the color combination could, in reality, pushes the user into going in a certain direction.
[The Danish Data Protection Agency's judgment in case 2021-41-0149 of 27 October 2022]
Similar
(Data)sharing is caring
Missing cookie consent resulted in serious criticism
DPO across the Nordics
Company spilled the tea and got reported to the police
Deadline to create whistleblower schemes for medium-sized companies approaching
Criticism and order to correct processing activities on “No thank you-list”