[Legal] The cookie banner does not comply with the GDPR #5088

@anhgelus

What browsers are you seeing the problem on?

Firefox

Describe the bug

The cookie banner does not comply with GDPR.

The cookie banner must offer an option to decline non-essential cookies. Following the decision of the CNIL (French DPA):

the CNIL issued orders to comply to several website publishers to modify their cookie banners because:

  • the possibility of rejecting the use of cookies is not as easy as accepting them;
  • they encourage data subjects to consent to the use of cookies through ambiguous or misleading designs.

Specifically, the non-compliant practices observed include the following:

  • The reject option is presented in the form of a clickable link whose choice of color, font size, and font style disproportionately emphasizes the acceptance option over the reject option;
  • the location of the reject option is so embedded in the information that it is not readily apparent;
  • the reject option is placed next to other paragraphs without sufficient spacing to visually distinguish it from all other information;
  • the accept option is presented multiple times in the banner, while the reject option is presented only once and in non-explicit terms ("I decline non-essential purposes").

This decision follows the conviction of YouTube in 2021 by the CNIL for the same reason. You can read the full decision here (unfortunately, it is in French). The CNIL fined them €90 million.

La formation restreinte de la CNIL, après en avoir délibéré, décide de :

  • prononcer à l’encontre de la société [X] une amende administrative d’un montant de 90 000 000 euros (quatre-vingt-dix millions d’euros) pour manquement à l’article 82 de la loi Informatique et Libertés

Translated into English by myself:

After deliberation, the restricted panel of the CNIL decides to:

  • impose an administrative fine of €90,000,000 (ninety million euros) on company [X] for breaching Article 82 of the Informatique et Libertés law[, the French Data Protection Act implementing the GDPR]

Screenshot of the current banner:

desktop laptop

Steps to reproduce

  1. Check the cookie banner

Expected behavior

The cookie banner must have a green button next to the agree one to decline non-essential cookies, to comply with CNIL guidelines.

Additional context

No response

Labels

website: Relates to Modrinth.com web frontend
