The French Data Protection Authority (known as the CNIL) issued a formal notice to several website publishers in December, after receiving complaints about 'dark patterns' in cookie consent banners which encourage individuals to accept non-essential cookies. Publishers have a one-month deadline to modify their cookie banners to address the CNIL's concerns, and will face significant fines if they fail to do so.
Cookie banners and dark patterns
The ePrivacy Directive (known colloquially as "the cookie law") doesn't specify exactly how a cookie banner should present a user with their choices. However, the information given to users must be clear and complete, and the CNIL in particular has been clear in its stance that rejecting cookies should be just as easy as accepting them.
"Dark patterns", by contrast, are manipulative design practices that steer users toward one action over another, for example nudging them to accept (i.e. give their consent for) non-essential cookies.
The CNIL observed the following non-compliant practices and examples of dark patterns in cookie banners (among others):
- Prominently displayed "Accept" buttons, in contrast to "Reject" buttons which are presented as clickable links, or in a colour, font size, or font style which makes them less visible;
- The 'reject' option is presented in ambiguous and non-explicit terms, such as "I decline non-essential purposes", which creates confusion for users;
- Users are presented with multiple "Accept" buttons, while the "Reject" button appears only once;
- The "Reject" button is too embedded in the information for users to spot, or placed too close to other text to be distinguishable; and
- Users need to click through multiple pages or sub-menus to reject cookies, making the process more cumbersome than accepting them.
What does this mean for consent?
Under the GDPR, consent must be "freely given, specific, informed and unambiguous" in order to be valid. In the CNIL's view, using dark patterns and similar design tactics in cookie banners undermines the validity of the consent obtained through them: is there really a genuine choice if a user is nudged into consenting by a big, shiny "Accept" button?
Best practices for cookie banners
To avoid falling foul of the CNIL's cookie guidelines, and to avoid the validity of the consent they collect being called into question, website publishers should revisit their cookie banners and ensure they adopt the following best practices:
- Use clear and transparent language to explain the options to users;
- Make the "accept" and "reject" buttons equally visible and prominent;
- Ensure users can reject cookies just as easily as they can accept them - avoid extra clicks and new pages;
- Don't allow cookies to be set before a user has consented; and
- Give users information about cookies in a clear and complete way.
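The two practices that are most often broken in code rather than in copy are "no cookies before consent" and "reject as easy as accept": tags fire on page load, and the reject path is a second dialog while accept is one click. The snippet below is an added example, not code from the article or from the CNIL or ICO, of a minimal consent gate that parks non-essential cookie writes until the user chooses, makes accept and reject each a single call, and includes an audit helper for Set-Cookie headers captured on first load. The cookie jar is an in-memory Map standing in for document.cookie so it runs outside a browser; the category names, cookie names and sample headers are assumed or constructed for illustration.

```javascript
// Added example (not from the article or any regulator): consent-gated
// cookie writes plus a pre-consent audit. Categories, cookie names and the
// Set-Cookie headers below are assumed/constructed for illustration.

const CATEGORIES = Object.freeze({
  ESSENTIAL: "essential", // strictly necessary: no consent required
  ANALYTICS: "analytics", // non-essential
  ADS: "ads",             // non-essential
});

class ConsentManager {
  constructor(jar = new Map()) {
    this.jar = jar;                                 // name -> { value, category }; stands in for document.cookie
    this.decision = null;                           // null until the user chooses
    this.granted = new Set([CATEGORIES.ESSENTIAL]); // only essentials before a choice
    this.deferred = [];                             // non-essential writes parked before a decision
  }

  // Symmetry: accepting and rejecting are each one call, wired to one button each.
  acceptAll() { this._decide("accept", Object.values(CATEGORIES)); }
  rejectAll() { this._decide("reject", [CATEGORIES.ESSENTIAL]); }

  _decide(decision, categories) {
    this.decision = decision;
    this.granted = new Set(categories);
    // The choice itself lives in an essential cookie so the banner is not shown
    // again; a "reject" must be remembered exactly like an "accept".
    this.setCookie("cookie_consent", decision, CATEGORIES.ESSENTIAL);
    // Replay writes that arrived before the decision; anything in a category the
    // user did not grant is dropped, not re-queued.
    const queued = this.deferred;
    this.deferred = [];
    for (const write of queued) write();
  }

  // Returns true if the cookie was written, false if it was parked or dropped.
  setCookie(name, value, category) {
    if (this.granted.has(category)) {
      this.jar.set(name, { value, category });
      return true;
    }
    if (this.decision === null) {
      // No choice yet: a non-essential cookie is never set on page load.
      this.deferred.push(() => this.setCookie(name, value, category));
    }
    return false;
  }

  cookieNames() { return [...this.jar.keys()].sort(); }
}

// Name of the cookie a Set-Cookie header creates ("name=value; attr; attr").
function cookieNameFromSetCookie(header) {
  const eq = header.indexOf("=");
  return (eq === -1 ? header : header.slice(0, eq)).trim();
}

// Audit helper: given Set-Cookie headers captured on first page load, before any
// interaction with the banner, report cookies outside the essential allow-list.
// Any hit is evidence that cookies are set before consent.
function preConsentViolations(setCookieHeaders, essentialNames) {
  const allowed = new Set(essentialNames);
  return setCookieHeaders
    .map(cookieNameFromSetCookie)
    .filter((name) => !allowed.has(name));
}

// Constructed sample: headers "observed" on first load of a hypothetical site.
const SAMPLE_SET_COOKIE = [
  "PHPSESSID=3f9a1c; Path=/; HttpOnly; Secure; SameSite=Lax",
  "_ga=GA1.2.123456.789; Max-Age=63072000; Path=/",
  "IDE=AHWqTUk; Domain=.example-ads.test; Secure; SameSite=None",
];
const ESSENTIAL_NAMES = ["PHPSESSID", "cookie_consent"];

// Stand-alone run: reject path, then accept path, then the audit.
const rejecting = new ConsentManager();
rejecting.setCookie("PHPSESSID", "3f9a1c", CATEGORIES.ESSENTIAL);
rejecting.setCookie("_ga", "GA1.2.123456.789", CATEGORIES.ANALYTICS);
rejecting.rejectAll();
console.log("after reject:", rejecting.cookieNames());

const accepting = new ConsentManager();
accepting.setCookie("_ga", "GA1.2.123456.789", CATEGORIES.ANALYTICS);
accepting.acceptAll();
console.log("after accept:", accepting.cookieNames());

console.log("set before consent:", preConsentViolations(SAMPLE_SET_COOKIE, ESSENTIAL_NAMES));
```

In a real page the jar would be document.cookie and the two buttons would call acceptAll and rejectAll from the same template, so that neither needs an extra click or a sub-menu; the audit function is the same check a regulator's crawler effectively performs, so running it against a fresh-profile capture of your own site before release is a cheap way to catch tags that fire before consent.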
Given the CNIL's history of imposing substantial penalties for cookie-related violations (for example, Amazon €35 million, Facebook €60 million, Google €150 million and TikTok €5 million), this notice should not be taken lightly. It is perhaps not surprising that the CNIL has issued it, as the CNIL participated in the Global Privacy Enforcement Network's (G-PEN) study on deceptive dark patterns last year – for more see our article here.
The CNIL is not alone in taking enforcement action to ensure cookie compliance. The ICO has recently announced the expansion of its work to improve cookie compliance across the top 1,000 websites as part of its new online tracking strategy, and is consulting on its "storage and access" (cookies) guidance – for more see our article here. While the recent ICO announcement is not about deceptive dark patterns per se, the ICO also took part in the G-PEN study; in fact, 26 privacy enforcement authorities from around the world participated, so such issues are clearly at the top of many a regulatory agenda. Nor is it only regulators who are interested: the European privacy rights group noyb has also filed a complaint with the CNIL against BeReal over its cookie banner - see our thoughts here.
So what happens next? Organisations that received notices from the CNIL have one month to comply, so watch this space for any further enforcement action.
“[Rejecting] cookies should be just as easy as accepting them. The law does not impose any particular way of presenting choices on the cookie banner. On the other hand, publishers must be careful to choose designs that do not mislead the data subject, if consent is to be valid.”
