The art (and requirements) of symmetry in cookie banners

Is your cookie banner breaking the law—just because it’s easier to say ‘yes’ than ‘no’?

Symmetry is no longer just a concept of aesthetics. Now, symmetry is a concept central to compliance when applied to websites and consent experiences in general.  

Honda recently found this out the hard way, in an enforcement action related to the California Consumer Privacy Act (CCPA), to the tune of a $ US 632,500 settlement fee, over a single selection button. 

Are your cookie banners out-of-balance?

Most web visitors and all privacy and marketing professionals are familiar with the cookie banner, a cookie choice modal that appears on public websites.  

These banners often include some simple verbiage about cookie uses and choices on that website, along with an opportunity for the website visitor to make simple cookie choices.  

Especially in jurisdictions that allow for opt out consent, like in the United States that generated the Honda case, a common cookie banner configuration provides users two options. Select Accept All – a choice which allows all functional and advertising cookies, along with essential cookies – or click on a carefully worded Choose or Opt Out button or link, which takes users to a more detailed modal through which users can choose whether to allow different types of non-essential cookies.  

This means that users can agree to all cookies through a single click, but users who wish to opt out of one or more cookie types must click, and click, and even click again.  

The Business-to-consumer (B2C) marketing world is expert at measuring what it calls “drop off,” or “the number of people who start an action but fail to complete it.” There is quite a lot of institutional knowledge about the impacts of forcing a web visitor to complete multiple actions on a website and the percentage of drop off each click or action causes.  

In a way, many companies that have created a non-symmetrical cookie consent experience have flipped the concept of drop off on its head – creating an experience that encourages drop off during the non-preferred path of opting out of cookies by inserting actions the user must take to accomplish a purpose, knowing that a percentage of users will just give up at each click.  

The CCPA’s case against Honda (And other legal requirements)

Though in the US there is no requirement for websites to provide an Accept All button, the recent Honda case demonstrates that companies that do provide this type of experience must do so in a symmetrical way.  

In other words, CCPA’s “symmetry of choice” requirement means that companies must pair an Accept All choice with a symmetrical Reject All choice. Making the user do more work to express a privacy choice that the company does not prefer is not an acceptable design.  

Though Honda’s lesson about symmetry comes from the US, other jurisdictions enforce similar requirements, expressed in terms of the less specific but directionally similar concept of “dark pattern.” 

Generally speaking, “dark patterns” are “deceptive techniques used by online platforms to manipulate user behavior.” A violation of symmetry is one type of dark pattern, and regulators around the world are focusing on creating and enforcing laws that help create a world free of dark patterns.  

For example, just in the European Union (EU), the Digital Services Act, Digital Markets Act, AI Act, GDPR, and Unfair Commercial Practices Directive all either address dark patterns directly or indirectly impose consent requirements that dark patterned experiences would undermine.  

The United Kingdom’s Information Commissioner’s Office (ICO) and Competition and Markets Authority (CMA) partnered to create a joint paper about the evils of dark patterns. More than one government agency in Canada, including the Office of the Privacy Commissioner (OPC) has issued a report about dark patterns and their concerns.  

Getting your cookie banner right (and compliant)

Whether a company falls under US authority and concerns about symmetry or operates in almost any other country with a privacy law and regulatory interest about dark patterns, there are important reminders from the Honda case to consider when standing up or reviewing its cookie consent experiences.  

Number of clicks 

The Honda case directly shows how at least one regulator views an experience that requires fewer clicks or actions on the part of a website visitor to select a preferred option than for a non-preferred option. The simplest way to safeguard against this design flaw is to count the clicks to each option. If the user must click or act twice to say no but once to say yes, there may be a problem.  

Colors, placement, and size 

People are attracted to or attach a more positive feeling to some colors than for others. People within a culture typically read in a common pattern (left to right, right to left, etc.) and look for options in familiar places, and so they may more easily find a choice placed in one spot on a web page than in another spot.  

Also, larger text and graphic sizes pull the eye more than smaller sizes. Symmetry and the avoidance of dark pattern violations would require that all choice mechanisms – positive and negative – contain the same text and graphic sizes.

The combination of an enormous Yes button (with flashing lights and smiley faces around it) and a tiny No link at the bottom of the page simply will not fly. That said, even smaller, more nuanced differences between positive and negative choices can impact user choice, meaning that a company must also consider minor differences in text size and placement.  

Moreover, if a culture sees red as a negative warning and green as a positive, inviting color, a regulator could view using a green Yes button and a red No button as a dark pattern design.  

Final thoughts

Regardless of jurisdiction, any company with a cookie consent experience will be wise to review that experience for symmetry and other types of dark pattern design flaws.

Considering whether the number of clicks, color, placement, and size of preferred and non-preferred option paths and mechanisms are the same (or, at least similar) can help a company avoid unwanted regulatory action. Even well-intentioned companies can run afoul of dark pattern and symmetry criticisms without this type of careful review.