The “Accept all” button is often the standard for cookie banners. An administrative court has ruled that the opposite offer is also necessary.
Lower Saxony’s data protection officer Denis Lehmkemper can report a legal victory in his long-standing battle against manipulatively designed cookie banners. The Hanover Administrative Court has confirmed his legal opinion in a judgment of March 19 that has only just been made public: Accordingly, website operators must offer a clearly visible “reject all” button on the first level of the corresponding banner for cookie consent requests if there is also the frequently found “accept all” option. Accordingly, cookie banners must not be specifically designed to encourage users to click on consent and must not prevent them from rejecting the controversial browser files.
That’s exactly my point.
The legislation, from the start, should have upheld the do not track and similar settings in browsers. Require websites to check and honour those flags.
Instead, we get some half-arsed requirement to add cookie banners to every website under some vague threat of prosecution (which never seems to happen unless you’re a social media giant) that inconveniences every single user, and often more than once.
This here, now, is a tiny bandage on a gaping wound caused by not doing what was required in the first place.
The ePrivacy Directive from 2002 already covers this so each EU country should have their own laws regulating cookies with regards to this directive.
https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=CELEX%3A32002L0058
(25)
So this should have been a thing since even before GDPR was introduced. Cookie banners or some other form of informed consent like Do Not Track should have been standard and enforced at a country level even before Facebook, Youtube and co even got off the ground.
The story above says its a violation of the German TDDDG law that seems to be based on the ePrivacy Directive so this is them finally using the regulations of cookies that was established over 2 decades ago.
The legislation does exist, it just looks different in each country and no country was bothered to really enforce the law but now it seems GDPR has enabled countries to throw around the whole weight of the EU as opposed to just one country’s weight since its unified across the EU.
I’ve only had to complain to 2 websites (One pretty big website and one small local website) about not having an explicit option to reject specific cookies as outlined in the ePrivacy directive and both websites are now compliant. So it does exist and it does work but nobody is willing to or doesn’t know they can make complaints about websites that don’t comply with cookie consent.
The EU can’t monitor every single website, its just not realistic so its up to users to be informed of their rights and be willing to complain to these websites and then to their local regulator if those websites don’t comply.