Offer Users One-Click Cookie Rejection
France’s data privacy watchdog has fined Google and Facebook a combined €210m (£176m) for making it too difficult for users to reject their cookies. For far too long now, this has been an area where companies and other organisations have been stretching the interpretation of cookie compliance requirements. By requiring multiple clicks to refuse cookies and only one to accept them, they are essentially nudging users (most of whom will favour convenience) into accepting cookies and behavioural tracking, which runs against the spirit and guidance of EU and UK data privacy legislation.
I frequently advise companies that I work with on data privacy in the EU and UK that the following three options should be made available to website visitors when non-essential cookies are being used:
- Accept All Cookies
- Reject All Non-Essential Cookies
- Customise Cookies (let the user decide which non-essential cookies they wish to accept/reject)
Omitting the one-click option to reject all non-essential cookies runs against EU and UK data privacy legislation and the data privacy rights of users. Even two clicks to reject such cookies is one too many. If accepting all non-essential cookies can be done with one click, then there can be no reasonable excuse for not doing the same for rejecting all of these, and certainly not for major tech companies like Google and Facebook.
When I see options being presented to users in this way, I expect that these are a result of several possibilities or a combination of them, including:
- Inadequate knowledge of UK/EU data privacy legislation within the organisation
- A weak data privacy function that lacks senior management support and awareness
- Counter data privacy pressure from internal marketing, sales or other business functions
- Senior management’s acceptance of the risk of fines
It should be said that national data privacy authorities are also partly responsible, as they have not done more to increase awareness in this area, which has resulted in the ubiquity of such behaviour. Other companies have watched tech titans such as Google and Facebook use these strategies for a long time without consequence, so naturally many have assumed that it is acceptable for them to do the same.
Although far too late, the decision by France’s data privacy watchdog should be welcomed and one can only hope that other data privacy authorities will begin to increase awareness in this space and remind organisations that continuing to use more arduous methods of rejecting non-essential cookies may result in significant fines being levied against them.
This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.