Cookie Banner UI/UX Best Practices
If you want to make data-driven decisions, you want your users to accept your cookies. The users, on the other hand, often ignore cookie consent requests. As a result, website owners want to know where to position the cookie banner and design it to get as many cookie consents as possible.
There is an academic paper exploring these questions. It was written by five researchers from the Ruhr University of Bochum and one from the University of Michigan. They studied which practices lead to a higher acceptance rate.
Before diving deep into the research findings, we want to emphasize that some are about dark patterns, but we do not support them in our cookie banner solutions.
Dark patterns are UI/UX cookie banner practices that aim to lure internet users into providing consent for cookies. According to the GDPR, dark patterns are illegal, making consent obtained that way invalid.
Secure Privacy cookie banners feature no dark patterns and obtain consent as per the GDPR cookie consent requirements. We do not support the use of dark patterns, yet many websites all over the internet still use them.
About the Research
Name of the paper: (Un)Informed Consent: Studying GDPR Consent Notices in the Field.
When it was published: Conducted in late 2018 and early 2019, published in October 2019
Who conducted the research: Florian Schaub of the University of Michigan and Christine Utz, Martin Degeling, Sascha Fahl, and Thorsten Holz - all of the Ruhr-Universität Bochum.
Sample: The visitors of a German-language e-commerce website with 15,000-20,000 unique visitors per month. The cookie consent banners were shown to a total of 82,890 visitors of that single e-commerce website.
Method: The researchers first identified the most common UI/UX practices by gathering data from a sample of notices on 1000 live websites. They then showed the most common designs to the 82,890 visitors of the e-commerce website. After the researchers collected data on how a specific user had interacted with the cookie banner, that user was asked to fill out a follow-up survey to further explain the motivation behind their selection. More than 100 participants answered the survey.
What has been explored: Researchers conducted three distinct field experiments to answer the following research questions:
- Does the position of a cookie consent notice on a website influence visitors’ consent decisions? (Experiment 1, n = 14,135)
- Do the number of choices and nudging via emphasis/preselection influence users’ decisions when facing cookie consent notices? (Experiment 2, n = 36,530)
Briefly, what did the research find: The study found that:
- Most of the cookie banners were not compliant with the GDPR in 2018 and 2019, when the research was conducted.
- Users interact more with cookie consent banners placed in the bottom left than with banners in other positions.
- Most users either declined the cookies or accepted the default option.
Experiment 1 - Positioning of the Cookie Consent Banner
The first experiment explored how the cookie banner positioning influenced the users’ choice to interact with the banner and/or consent to cookies.
Figure 01: Interaction Rates in Experiment 1 (notice position) arranged pairwise for mobile and desktop users.
When asked why in the follow-up survey, the 16 participants who responded told researchers that the cookie banner prevented them from seeing the website content, so they accepted or declined the cookies to get rid of it.
Experiment 2 - Choices and Nudging
The second experiment explored how internet users interact with cookie consent banners depending on the choices given in the banner.
There were five different types of cookie banners:
- No-option banners, where users could neither accept nor decline cookies, only dismiss the cookie banner to remove it from the screen
- Confirmation banners, where users could only accept the cookies
- Binary banners, with one button for accepting and one for declining cookies
- Cookie banners with consent requests for each processing purpose
- Cookie banners where the user was allowed to choose among the vendors that process data on behalf of the controller
All the banners had a nudging and non-nudging version, except the no-option banner.
Figure 02 - Visitors' consent choices in Experiment 2. "Accept"/"Decline" indicate that (all) options were accepted or declined. "Other" includes those who accepted/declined only some options. Bold figures indicate default options.
The charts above show that nudging and preselection of processing purposes influence cookie banner interaction.
Users were more likely to interact with the banner if the ACCEPT button was highlighted instead of just a link for accepting cookies.
In the binary banners, where there was an ACCEPT and a DECLINE button, users were more likely to accept the cookies if the ACCEPT button was highlighted instead of the DECLINE button.
In addition, the research showed that pre-selected checkboxes for giving consent to specific processing purposes increase the chances of giving consent. Although pre-selected checkboxes are explicitly prohibited under the GDPR and were the subject of the Planet49 decision, it turns out that they work well in practice.
When users were given non-pre-selected checkboxes, they did not interact with the cookie banner as much. Moreover, providing them with information on vendors that process their personal data further decreased the interaction rates.
Very few website visitors bothered to select processing purposes at all.
In the follow-up survey, 38 participants who opted for the processing of specific purposes praised the increased transparency of the cookie banners that gave them the opportunity to make their own selection.
Others were not happy with the technical language (such as "necessary cookie"). In contrast, those who declined cookies stated that they did not need a personalized experience because they had come only for the website content.
When it comes to declining cookies, most of the follow-up survey participants stated that they expected that the website wouldn’t work properly upon declining cookies.
Those who accepted the cookies knew, to some extent, how cookies work and how they improve their website visits.
Mentioning the word “cookie” in the banner text turns out not to have much influence. The research showed only a minor difference in lowering the acceptance rate when the word “cookie” was mentioned in the cookie banner text.
What Does This Mean for Your Cookie Banner?
It means that you need to experiment.
First and foremost, this research was conducted on only one website and in only one country. All the visitors were German speakers. The results might have differed if the study had been done in another country and on other websites. That is why you should not blindly rely on the research findings.
You can improve the acceptance rate of your cookie banner by taking the following two steps:
- Learn what the legal requirements for your cookie banner are. Start by reading our comprehensive guide to cookie banners and determine the standards you need to meet. Avoid dark patterns at all costs because the consent collected that way is invalid. Sign up for our cookie banner solution if you don’t want to bother with the requirements. It has all the requirements embedded in itself. Moreover, we offer many designs that allow you to…
- Experiment. Check out how your users react to different positions, banner texts, design, and other variables. Your users are unique, so no other research can give you as accurate results as your own experiment with them.
As we mentioned above, signing up with Secure Privacy is an excellent place to start because our cookie consent banner solution is compliant with the GDPR, LGPD, CCPA, PIPEDA, and other laws you need to comply with. We also offer multiple designs to choose from.