Having only "accept all" and, say, "configure", or even a highlighted "accept all" and a very small or even just unhighlighted "deny all", is against GDPR. IIRC:
- choices presented must have the same visual weight (e.g. for buttons)
- there must be no default choice preselected (e.g. for radio/toggles)
- the fallback when no choice is made (e.g. a dismissal or a "failure to display", a.k.a. bug or nag blocker) must be equivalent to deny all

Instead we get this mess because enforcement requires litigation from users and these companies make just enough to claim "oh we thought it was OK plus we go through an off-the-shelf pluggable third party so not on us" plausible deniability.
from https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELE...:
> If the data subject's consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.
> Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment.
from https://www.edpb.europa.eu/sites/default/files/files/file1/e...:
> Example 6a: A website provider puts into place a script that will block content from being visible except for a request to accept cookies and the information about which cookies are being set and for what purposes data will be processed. There is no possibility to access the content without clicking on the “Accept cookies” button. Since the data subject is not presented with a genuine choice, its consent is not freely given.
> 41. This does not constitute valid consent, as the provision of the service relies on the data subject clicking the “Accept cookies” button. It is not presented with a genuine choice.
> The use of pre-ticked opt-in boxes is invalid under the GDPR. Silence or inactivity on the part of the data subject, as well as merely proceeding with a service cannot be regarded as an active indication of choice.
> In the digital context, many services need personal data to function, hence, data subjects receive multiple consent requests that need answers through clicks and swipes every day. This may result in a certain degree of click fatigue: when encountered too many times, the actual warning effect of consent mechanisms is diminishing.
> This results in a situation where consent questions are no longer read. This is a particular risk to data subjects, as, typically, consent is asked for actions that are in principle unlawful without their consent. The GDPR places upon controllers the obligation to develop ways to tackle this issue