If that's not an option, the next best thing is to have an overlay that is as honest as possible and most importantly provides not only an "Accept all", but also a "Reject all" button.
Don't use dark patterns, basically. That is, use the same color, style and size for each of those buttons.
My experience is that most users are so used to these overlays by now, they just look for the button which gets rid of them most quickly. Marketing will typically push to tinker with the appearance of the buttons to increase the conversion rate in favor of the "Accept all" option.
I had the pleasure to learn a lot about this while working in the higher levels of some German company with a somewhat questionable track record.
Here's what you can do (only applies to Germany, but might be similar elsewhere):
Complain to the data protection authority of your local state in writing. These complaints will be followed up by the authority and if enough of them accumulate, the company will have a bad time and the aforementioned incentive equation will be bent towards the end that favors user privacy.
Don't write angry emails. Nobody cares and you waste time.
Pretty clearly so. It seems weird to me that so many companies put up a cookie banner in order to avoid breaking the law, and then break the law in order to make it less effective. I suppose the win here is that if the (fairly toothless) regulators notice you can say "oh we thought this was enough" and then tweak it. But in that case why not just have no banner at all, and wait until they notice in the first place?
Just as daft as the extra-US sites that choose to show no content to EU geolocated origins instead of complying with the law. Which is... also illegal under the letter of the law, so why not just ignore the law. Presumably you're probably out of the jurisdiction anyway if you're bothering to do this.
Also consider visitors are used to these prompts, without one they may wonder: does this site follow the law?
But to elaborate a bit: At least in Germany (and I believe this applies more or less everywhere) if you install a 1st-party tracking method based on 1st-party cookies, that doesn't fall under the 3rd-party consent requirement and you don't need consent. That means you can track your valuable retention numbers and won't need a consent banner. It's a common misunderstanding that you need that consent for all cookies. You only need it for cookies that aren't required to do your business. And 3rd-party cookies aren't.
It's just that marketing typically don't want to spend any money on this, because these retention numbers turn out to not be enough value to justify the investment. I wonder if they are as valuable as you described at all.
Edit: I should have said 1st-party tracking that doesn't collect personally identifiable information (PII).
A 1st party tracking solution is in no way considered needed to deliver the service the user requested. Only things like remembering my shopping basket are necessary to deliver the services of a webshop. And you cannot use that cookie for other purposes (like counting visitors).
Just don't collect PII beyond what is absolutely essential for your application, and don't share it with third parties. Bam, you don't have to get consent. Knowing what classifies as PII is still a hard problem because it's full of so many conditionals. Email is not PII unless you have some part of their name for example, and it counts if your company receives an email from that person that includes their name in the From field.
All the cookie banners out there are designed to make people weary of them into just accepting the previous practices. It's malicious compliance.
The test isn't whether collecting that data is required to do your business - it is whether collecting that data is required to do what the user is asking you to do. So if (for example) you are tracking your users to see where they click in your web site in order to improve your web site, then that is only required for your business - your user has no interest in that, didn't ask for it, and therefore must be asked for consent for you to do it.
Why is it so hard for people to understand that I just want you to serve me the page and bugger off? It's like justifying embedding GPS tracking in pamphlets that people hand out on the street.
I don't want to be tracked period.
Is it that hard?
There’s a 90% chance that no, it’s not your business. There’s also a lot of chance that your website is about a product. In which case, it doesn’t make sense to know how many people come and read. People only need the information to know "will I buy that or not?" or, even more frequently, "I’ve bought that but I don’t understand something".
Tracking is counterproductive in most scenarios. (but very few understand that)
Once you have worked a while in business or marketing, you will see that it's not that easy unfortunately.
There's a lot of pressure to provide certain numbers or at least to collect them "just to be sure". Typically this requirement comes without any willingness to invest money, because "you can just install Google Analytics for free".
I don't want to justify this at all, because I believe in the long run these numbers aren't worth what people claim they are worth at all. I just wanted to explain that not everyone is "bad" or "anti-social" for complying with "leadership" decisions and installing a CMP and Google Analytics.
Yeah you don't need to do that though. You want to.
Then the user can centrally review what permissions they gave, revoke them etc.
So no sites should have these kind of approval banners.
If the DNT header were set to "no" by default, websites would be happy to track users.
If the DNT header were set to "yes" by default, websites screamed bloody murder and pretended that it didn't represent user choice.
And that leads through to another tip to make your consent request less obnoxious - make sure that plugins like Consent-o-matic do actually work correctly and invisibly with your site.
If you have to have one I'd suggest it have a Reject All button which makes the banner go away without any further clicks.
Nothing is more soul destroying than having to click several times to make the nonsense go away.
The last time I checked (a few years ago) most websites were doing a serious overkill with the banners, where the law didn't require it. Also, for certain companies the possible penalty for not having a banner was so low that it didn't make sense to have such banners at all.
GitHub used to not have cookies for tracking purposes either but it looks like some people couldn’t live without tracking users so it’s back after 2 years on some subdomains: https://github.blog/2020-12-17-no-cookie-for-you/
Make sure that it does work with extensions like I don't care about cookies. That one is usually easy but make sure it works with the uBlock script too.
Do not have the banner force any site reloads. Analytics, for example, can be loaded into a page without reloading.
If that is done the ad blocker users will never notice the banner.
Pointing out this stuff forces you into the path of requiring that people click on it before being able to navigate the website, which is extremely intrusive, and makes all the marketing people insist that you apply dark patterns.
SO, as others have already said, definitely a "reject all" and be done with it right in the beginning, without the need for any further clicks. Better yet if the banner is just a sliver on the side that doesn't interrupt my reading experience (clearly, as long as I didn't click "yes" on cookies, it can't set any; so it would be default-no, allows me to read, and if I want to click in the corner for something else, I can). Even better if it has an "X" to close that unintrusive side window, and of course the X gets treated as "reject all".
See, the problem is solved even before it appeared - if your company will comply with the law then the banner would not be obnoxious by design.
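The "default-no" banner described in the post above, as an added example that is not part of the thread: no optional script runs until an explicit accept, closing the banner (the "X") counts as "reject all", and allowed scripts are injected into the live page rather than triggering a reload. The cookie name, the two categories and the script registry are assumptions for the illustration.

```javascript
// Added example (not from the thread): consent logic for a "default-no" cookie banner.
const CONSENT_COOKIE = "cookie_consent";       // assumed first-party cookie name
const CATEGORIES = ["analytics", "marketing"]; // assumed optional categories

// Map a banner action to the categories actually granted. Only an explicit
// "accept" grants anything; "reject", "close" (the X) or anything else grants none.
function decide(action, categories = CATEGORIES) {
  const granted = action === "accept" ? [...categories] : [];
  return { version: 1, granted, action: granted.length ? "accept" : "reject" };
}

// Serialise a decision as a first-party cookie. It is only written after the
// user acted; before that the page sets no cookie at all.
function consentCookieString(decision, maxAgeSeconds = 180 * 24 * 3600) {
  const value = encodeURIComponent(JSON.stringify(decision));
  return `${CONSENT_COOKIE}=${value}; Max-Age=${maxAgeSeconds}; Path=/; SameSite=Lax; Secure`;
}

// Parse document.cookie (or any "a=1; b=2" string) back into a decision.
// Returns null when undecided or when the stored value is corrupt.
function readDecision(cookieHeader) {
  for (const part of cookieHeader.split(";")) {
    const [name, ...rest] = part.trim().split("=");
    if (name !== CONSENT_COOKIE) continue;
    try {
      const parsed = JSON.parse(decodeURIComponent(rest.join("=")));
      if (Array.isArray(parsed.granted)) return parsed;
    } catch (_) { /* corrupt cookie: treat as undecided */ }
  }
  return null;
}

// Which optional scripts may load. No decision or a rejection loads nothing.
function scriptsToLoad(decision, registry) {
  if (!decision) return [];
  return registry.filter((s) => decision.granted.includes(s.category)).map((s) => s.src);
}

// Inject the allowed scripts into the page without a reload (browser only).
function loadOptionalScripts(decision, registry, doc = globalThis.document) {
  const srcs = scriptsToLoad(decision, registry);
  if (!doc) return srcs; // outside a browser: just report what would load
  for (const src of srcs) {
    const el = doc.createElement("script");
    el.src = src;
    el.async = true;
    doc.head.appendChild(el);
  }
  return srcs;
}
```

Call `loadOptionalScripts(readDecision(document.cookie), registry)` on page load and again right after the user clicks accept; the reject path and the X both end up with an empty list and never touch the registry.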
What do you plan on using cookies for? There might be some ways of doing similar things without cookies or trackers (server-side analytics for example) that are more respectful of users and also eliminate the need for any banners at all.
I know my company's website has a pointless cookie modal - the necessary cookies are just for session affinity on a gateway (which I don't believe you'd need a modal for anyway), and the unnecessary cookies are from one analytics integration that's been used just once since it was set up, and another that is used for the most basic reports that you could get from just the access logs.
For EU things you must make sure what you're doing with this aligns with consent from the user / other justifications. Whether it's server side or cookies doesn't matter for GDPR, it's the collection & use of the data.
To OP, try not to collect data at all, and if you need to then make the consent banner not block the use of the website. Also don't animate it in, just have it there.
The ICO guidance in the UK is pretty good https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-re...
Note that consent is not always the best justification for lawful processing.
This still gets you plenty of actionable analytics information: where geographically people are located (via GeoIP), what pages are most popular, what platforms (including desktop vs mobile) people are using.
I've been using https://plausible.io for analytics on a bunch of my sites for a couple of years now and I honestly don't miss the extra level of detail I got from cookie-based analytics I've used in the past.
edit - make sure you've actively made this decision and documented the assessment.
Do not give people options about cookies - either they accept (and dismiss the notice), or they leave
When I am presented with cookie options, I start to wonder why there are "unnecessary" cookies present: why are you letting me accept "necessary" cookies or "all" cookies? Why would you have ones that are not needed? Seems hyper sketch ... and I'll go elsewhere (or reject all)
That's outright and explicitly illegal.
(I just thought I'd make that point in a quicker and simpler way than the otherwise great sister post.)
Because some are required for the functioning of the site. They can justify dealing with those without you approving it.
Some are there for advertising, that's not required for you to use the site but they'd definitely like to. So they need you to actively consent.
You're obligated to give them a way to opt out while continuing to use your service, and it should be as easy to decline as it is to accept[0]. The funny part, of course, is that countless services have put up banners that don't make it easy at all to reject, which means they're still not compliant, they just make the legal team feel warm and fuzzy.
That's why you see necessary vs all, because it's "can we track you or not". If you're just doing absolutely required cookies (e.g. session cookie), you don't even need a banner.
https://noyb.eu/de/pay-or-okay-tech-news-site-heisede-illega...