IMY criticises companies’ cookie banners

2 mins read • Legal Writer • GDPR • 30 April 2025

The Data Protection Agency has reprimanded three companies for deficiencies in their cookie banners. The cases involve Warner Music AB, ATG and Aller Media AB, and concern inadequate information, misleading design and an incorrect legal basis for processing personal data.

In ATG’s case, the issue was the use of dark patterns—interfaces that steer users towards consent through unclear options or hard-to-find rejection mechanisms. This contravenes the GDPR requirements for consent, including that consent must be freely given and informed.

Aller Media was criticised for invoking “legitimate interests” as a GDPR legal basis for processing without demonstrating a balancing test. Warner Music received a reprimand for failing to explain how consent can be withdrawn—withdrawal must be as easy as giving consent.

Cookie banner compliance: legal context

The combined effect of the GDPR and the Swedish Electronic Communications Act (LEK) is that:

  • Cookies require prior consent before they are stored (LEK).
  • Any subsequent processing must have a valid GDPR legal basis for processing and meet the GDPR requirements for consent.

Operational implications for cookie banner compliance

For controllers, the design of cookie banners is not a technical afterthought but a legal matter that can trigger supervision and sanctions. To deliver valid consent under the GDPR, a cookie banner must obtain consent that is specific, informed and freely given, and consent must be as easy to withdraw as to give. Controllers should ensure that their cookie consent solution is compliant and avoid dark patterns.

Morling Consulting’s GDPR lawyers help organisations across Europe to design lawful, user-friendly cookie consent solutions—focused on cookie consent compliance and robust governance.

Practical takeaways

  • Provide clear, prominent options to refuse or accept—no nudging or asymmetric paths.
  • Explain purposes and vendors so that consent under the GDPR is specific and genuinely informed.
  • Offer simple, persistent controls to withdraw consent, matching the effort required to give it.

Need support to assess your cookie consent solution and strengthen governance? Our team can review designs against the GDPR requirements for consent and implement improvements aligned with cookie banner compliance.