As always, downvoting me doesn't change the legality of those banners. The law clearly states the "deny all" button must be as prominent as the accept button, and the banners employ all sort of dark patterns.
I don't think 'the law' does clearly state that, although I'd be happy to be proved wrong, and honestly it's a point of pedantry, the enforcement indicates that you're right about the actual expectation, and definitely you're right about the actual usage.
> 8. When authorities were asked whether they would consider that a banner which does not provide for accept and refuse/reject/not consent options on any layer with a consent button is an infringement of the ePrivacy Directive, a vast majority of authorities considered that the absence of refuse/reject/not consent options on any layer with a consent button of the cookie consent banner is not in line with the requirements for a valid consent and thus constitutes an infringement. Few authorities considered that they cannot retain an infringement in this case as article 5(3) of the ePrivacy Directive does not explicitly mentioned a “reject option” to the deposit of cookies.
Also the law doesn't require anything to be done by the user to reject cookies, to begin with, as that is the default state. I often just delete the cookie dialog from the DOM.
I agree with all the points here, but the task force report is not law, and this is not “clearly stated” (this specific phrase is fine, but the rest of the document is full of disclaimers).
It’s a useful guide on how the law is likely to be interpreted, and likely influences the interpretation itself, but my inner pedant is not satisfied.
Yeah, it was the closest I could find, but I don't really care that much to search the actual laws. I would expect it to be true, it's basically what you hear in the news and all the advise says that you should do that, when you create a GDPR-compliant website.