
How the NOYB 2024 Cookie Report Validates the AesirX Consent Model

Jul 15, 2024 · 11 minute read


The recently published NOYB 2024 Cookie Report provides a comprehensive analysis of cookie banner practices across the EU, highlighting the regulatory stance of national Data Protection Authorities (DPAs) on key consent issues. At AesirX, we are pleased to see that our consent model aligns closely with the best practices identified in this report, reinforcing our commitment to transparency, user control, and compliance.

Key Findings from the NOYB 2024 Cookie Report

The NOYB report sheds light on several crucial aspects of cookie consent that resonate strongly with the AesirX approach. Here are the main takeaways from the report’s visual overview:

  1. Requires Cookie Reject Option in the First Layer

    • Consensus: All DPAs agree, with Ireland yet to take a position.
    • AesirX Implementation: Our consent model prominently features a reject option on the first layer, ensuring users can easily opt-out without having to navigate through additional screens.
  2. Considers Pre-Ticked Boxes Illegal

    • Consensus: All DPAs agree.
    • AesirX Implementation: We do not use pre-ticked boxes. Consent must be an affirmative action by the user, reinforcing the principle of clear and informed consent.
  3. Considers a Link Option to Be Misleading

    • Consensus: 8 DPAs agree, 3 have no position yet, and 3 do not agree.
    • AesirX Implementation: Our model avoids using link options for consent actions, opting instead for clearly visible buttons to prevent any confusion or misleading practices.
  4. No Nudging Through Different Button Colours

    • Consensus: 7 DPAs agree, 3 have no position yet, and 4 do not agree.
    • AesirX Implementation: We ensure that all buttons are designed with equal prominence and color to avoid any visual bias towards consent.
  5. No Nudging Through Button Contrast

    • Consensus: 7 DPAs agree, 3 have no position yet, and 4 do not agree.
    • AesirX Implementation: Similar to button colors, our consent banners maintain consistent contrast to prevent any undue influence on user decisions.
  6. Legitimate Interest for Non-Essential Cookies Is Illegal

    • Consensus: 7 DPAs agree, 3 have no position yet.
    • AesirX Implementation: We strictly require user consent for all non-essential cookies and other tracking technologies, adhering to the principle that legitimate interest is not a valid basis for their installation.
  7. Wrong Classification of Cookies Without Consent

    • Consensus: 10 DPAs agree, 4 have no position yet.
    • AesirX Implementation: The AesirX consent model supports granular consent, including opt-in and opt-out, and AesirX itself does not use cookies at all. Third-party providers may, however, set cookies once consent has been given at site level, or through specific and explicit consent based on the user's need. We do not use cookie categories; instead, we present the actual purpose as an explicit, informed and natural part of the user experience.
  8. Relying on Legitimate Interest for Installing Non-Essential Cookies Is Illegal

    • Consensus: 7 DPAs agree, 3 have no position yet.
    • AesirX Implementation: We ensure all non-essential cookies and other tracking technologies require explicit user consent, avoiding the use of legitimate interest as a basis for their installation.
  9. Wrong Classification of Cookies and Therefore Installing Them Without Consent Is an Issue

    • Consensus: 10 DPAs agree, 4 have no position yet.
    • AesirX Implementation: Our consent model ensures that all cookies and tracking technologies are accurately classified, and only those essential are loaded without user consent.
  10. Withdrawal Only Permissible Through Permanently Visible Floating Banner

    • Consensus: 13 DPAs and the EDPS report do not agree.
    • AesirX Implementation: We offer intuitive and accessible consent withdrawal options, with a floating banner that is discreetly visible in the lower right corner at all times so that the user is never in doubt.


Supporting Compliance Across Jurisdictions

The report underscores the need for a harmonized approach to consent mechanisms, with Austria, Belgium, Czech Republic, Denmark, Finland, France, Germany, Greece, Ireland, Luxembourg, Netherlands, Spain, and the overarching EDPB report setting the standard. AesirX’s consent model is designed to meet these diverse regulatory requirements, ensuring compliance across multiple jurisdictions.

Expectations for Future Consensus

In cases where some DPAs have yet to take a position, it is expected that they will align with the majority. This is consistent with the broader trend towards stricter consent requirements and greater user control over personal data. In the few cases where the national DPA has been marked as “sometimes”, we count it as being in agreement with the individual item in the overview, as that is the safest position to take from a compliance perspective.

Understanding the Role of the EDPB in the EU

The European Data Protection Board (EDPB) plays a pivotal role in the EU's data protection landscape, ensuring consistent application and enforcement of the General Data Protection Regulation (GDPR) and other privacy laws across member states. Established by the GDPR, the EDPB consists of representatives from the data protection authorities (DPAs) of each EU member state, the European Data Protection Supervisor (EDPS), and the European Commission.

EDPB's Functions and Responsibilities:

  1. Guidance and Recommendations:

    • The EDPB issues guidelines, recommendations, and best practices to clarify and interpret the GDPR and other EU data protection laws. These documents help organizations and DPAs understand and implement their legal obligations consistently across the EU.
  2. Consistency Mechanism:

    • One of the key roles of the EDPB is to ensure the consistent application of the GDPR across all member states. The consistency mechanism allows the EDPB to provide binding decisions on cross-border data processing activities, ensuring that DPAs do not diverge in their enforcement actions.
  3. Cooperation Among DPAs:

    • The EDPB facilitates cooperation and information exchange among DPAs. This collaborative approach helps harmonize the enforcement of data protection laws and addresses cross-border data protection issues effectively.
  4. Handling Cross-Border Complaints:

    • For issues involving multiple member states, the EDPB provides a platform for DPAs to cooperate and reach a consensus. This ensures that individuals' data protection rights are upheld consistently, regardless of where the data processing activities occur within the EU.
  5. Binding Decisions:

    • In cases of disputes between DPAs on cross-border data processing activities, the EDPB can issue binding decisions. These decisions ensure uniformity in how data protection laws are interpreted and enforced across the EU.
  6. Relation to National DPAs:

    • The DPAs in each EU member state are responsible for overseeing the application of data protection laws within their jurisdictions. They investigate complaints, conduct audits, and take enforcement actions against organizations that violate data protection laws. The EDPB supports these national authorities by providing guidance and ensuring that their actions are aligned with the broader EU framework.

By working closely with the DPAs, the EDPB helps create a cohesive and unified approach to data protection across Europe. This collaboration is crucial for addressing the challenges posed by the digital economy, where data flows across borders and regulatory consistency is vital for protecting individuals' privacy rights.

The EDPB is a cornerstone of the EU's data protection regime, ensuring that data protection laws are applied uniformly and effectively across all member states. Its role in guiding, coordinating, and binding decisions supports the DPAs in their mission to protect individuals' data and uphold privacy standards across the EU.

Understanding Dark Patterns 

What are Dark Patterns?

Dark patterns are design strategies used in user interfaces that subtly guide users into making decisions they might not otherwise make. These deceptive tactics can manipulate users into giving consent, sharing more personal information, or making purchases unintentionally. Common dark patterns include pre-ticked boxes, misleading link options, and the use of different button colors to nudge users towards certain actions.

Dark Patterns in Cookie Consent Practices

In the context of cookie consent, dark patterns are particularly concerning because they can undermine genuine user consent, which is a cornerstone of data privacy regulations like the General Data Protection Regulation (GDPR). The NOYB 2024 Cookie Report highlights several dark patterns that are prevalent in cookie consent banners, including:

  1. Pre-Ticked Boxes: These assume consent by default, forcing users to opt-out rather than opt-in, which is against the principle of informed consent.
  2. Misleading Link Options: Using links instead of clearly visible buttons for important consent actions, making it harder for users to opt-out or reject cookies.
  3. Nudging Through Button Colors and Contrast: Designing consent buttons with different colors or contrasts to make the "Accept" button more prominent, subtly pushing users towards giving consent.

NOYB 2024 Cookie Report and Dark Patterns

The NOYB 2024 Cookie Report provides a comprehensive overview of how national Data Protection Authorities (DPAs) across the EU view these dark patterns. It underscores the importance of eliminating such practices to ensure genuine and informed user consent. Here are some key findings from the report related to dark patterns:

  • Reject Option on the First Layer: All DPAs agree that users should be able to reject cookies easily from the first layer of the consent banner, countering the common dark pattern of hiding the reject option.
  • Prohibition of Pre-Ticked Boxes: All DPAs concur that pre-ticked boxes are illegal, emphasizing the need for active user consent.
  • Misleading Link Options: A significant majority of DPAs agree that using links for consent actions can be misleading, advocating for clearly visible buttons instead.
  • Equal Prominence for Buttons: Many DPAs agree that all buttons should have equal prominence and color to avoid visual nudging.

AesirX's Commitment to Avoiding Dark Patterns

At AesirX, we are committed to avoiding dark patterns in our consent model. Our approach aligns closely with the best practices highlighted in the NOYB report:

  • Clear Reject Option: Our consent model features a prominent reject option on the first layer, ensuring users can opt-out easily.
  • No Pre-Ticked Boxes: We require affirmative action for consent, meaning users must actively opt-in.
  • Visible Buttons for Consent Actions: We use clearly visible buttons rather than links to prevent misleading practices.
  • Consistent Button Design: All buttons in our consent banners are designed with equal prominence and color to avoid nudging.

By adhering to these principles, AesirX ensures that user consent is truly informed and voluntary, in line with GDPR requirements and the standards set forth in the NOYB 2024 Cookie Report. This commitment to transparency and user control not only fosters trust but also reinforces our dedication to ethical data practices.


Expanding on Key Insights from the NOYB Report

The NOYB 2024 Cookie Report, along with the ePrivacy Directive 5(3) guidelines 02/2023 from November 14, 2023, provides crucial insights that further validate the AesirX approach to consent management:

  1. Inclusion of All Tracking Technologies:

    • Importance: Cookies include all tracking technologies such as pixel trackers and JavaScript.
    • AesirX Approach: Our consent model treats all these technologies equally, requiring explicit user consent before any tracking technology is activated.
  2. Consent Over Legitimate Interest:

    • Importance: Consent is required for all tracking technologies; legitimate interest does not apply, especially for third-party consent and analytics solutions.
    • AesirX Approach: We require user consent for all data collection activities, ensuring compliance and transparency.
  3. Invalid Technical Requirement Claims:

    • Importance: Claims by consent solution providers that their tools are technically required and thus exempt from consent are invalid, especially when combined with claims of legitimate interest.
    • AesirX Approach: We avoid loading consent solution providers as third parties, adhering strictly to user consent requirements.
  4. Necessity of User Consent for Analytics Providers:

    • Importance: Whether first-party or third-party, user consent is essential for compliance under the ePrivacy Directive guidelines 02/2023.
    • AesirX Approach: We ensure that all analytics operations, whether first-party or third-party, are conducted only after obtaining explicit user consent.

Loading Consent Solution Providers as Third Parties

The NOYB report also implies significant risks and compliance issues with loading consent solution providers as third-party services. Here’s why AesirX avoids this practice:

  • Compliance Risk: According to the ePrivacy Directive guidelines 02/2023, loading consent solution providers as third-party scripts introduces significant compliance risks. Third parties may not adhere to the strict standards required by GDPR and other regulations, making it essential to obtain user consent before loading any third-party services.
  • Transparency: Using third-party consent solutions can undermine transparency, as users may not be fully aware of the involvement of external entities in managing their data. AesirX ensures that all data interactions remain transparent and under direct control, enhancing user trust.
  • User Trust: First-party consent solutions reinforce user trust by ensuring that all data interactions remain within the direct control of the website they are interacting with. This approach eliminates the risks associated with third-party data handling.
  • Data Security: Managing consent in-house minimizes the risk of data breaches and unauthorized access that can occur with third-party providers. By keeping consent management internal, AesirX ensures a higher level of data security and compliance with legal standards.


To First-Party or not; Consent is hot

The NOYB 2024 Cookie Report highlights the critical elements of compliant and user-friendly consent mechanisms. AesirX’s consent model not only aligns with these findings but also exemplifies best practices in data privacy and user consent. By prioritizing transparency, simplicity, and regulatory compliance, AesirX leads the way in ethical data practices with solutions that are based on privacy by design.

Why First-Party Consent and Analytics Solutions Matter:

The EDPB's role in guiding and enforcing consistent data protection standards across the EU cannot be overstated. By ensuring that all DPAs adhere to the same rigorous standards, the EDPB makes it clear that consent must be explicit and informed, and legitimate interest is not a valid basis for installing non-essential cookies and other tracking technologies.

Make the Switch to First-Party Solutions with AesirX:

  1. Compliance Across All Jurisdictions:

    • AesirX’s first-party consent solutions are fully compliant with the stringent requirements set by the EDPB and national DPAs. This ensures that your business meets all regulatory obligations, avoiding the pitfalls and risks associated with third-party consent providers.
  2. Transparency and Trust:

    • By using AesirX’s solutions, you provide your users with clear and transparent consent options. This builds trust and enhances your reputation as a company that prioritizes user privacy.
  3. Enhanced Data Security:

    • Managing consent and analytics in-house with first-party solutions minimizes the risk of data breaches and unauthorized access. AesirX’s approach ensures that all data interactions remain secure and within your direct control.
  4. User-Friendly Experience:

    • AesirX focuses on creating user-friendly consent mechanisms that do not rely on deceptive practices. This aligns with the best practices highlighted by the NOYB report, making it easier for users to understand and manage their consent preferences.

By making the switch to AesirX’s first-party consent and analytics solutions, your business can stay ahead of regulatory changes, build stronger user relationships, and ensure robust data security. It’s time to embrace the future of data privacy with solutions that are not only compliant but also ethical and user-centric.

Stay tuned for more insights and updates on how we are enhancing privacy and compliance. Should you have any questions, please feel free to contact us through our website, book a meeting, or reach out to me directly via LinkedIn to discuss how we can work together.

On a final note, I would like to thank NOYB and Max Schrems for all their hard work in enforcing privacy and, not least, for bringing attention to and raising awareness in an industry that has turned a blind eye to the systematic abuse of personal data for the past decade. 

Ronni K. Gothard Christiansen // VikingTechGuy

Creator, AesirX.io
