Case Study

IMY Criticizes Companies for Misleading Cookie Banners and Consent Management

by Berner Setterwall
April 30, 2025
The Swedish Authority for Privacy Protection (IMY) has criticized three major companies for improper cookie banner design and inadequate consent management, highlighting the importance of maintaining control over data processing once consent is given.

Background

On December 16, 2024, the Swedish Authority for Privacy Protection (IMY) made a formal decision criticizing three companies - Warner Music AB, Aktiebolaget Trav och Galopp (ATG), and Aller Media AB - for violations related to their cookie banners and consent management practices. This ruling, published on April 30, 2025, emphasizes the growing scrutiny of not just how consent is obtained, but also how data is processed after consent is given and how easily that consent can be withdrawn.

Key Issues Identified

IMY's investigation revealed several critical issues with how these companies were managing user consent:

  1. Insufficient Withdrawal Mechanisms: Warner Music failed to provide clear information about how users could withdraw consent after it was given.

  2. Misleading Design: ATG's cookie banner employed a misleading design that made it difficult for visitors to make informed consent decisions.

  3. Improper Legal Basis: Aller Media was found to be processing personal data without proper legal grounds, even after obtaining some form of consent.

  4. Unequal Ease of Action: A common theme across all three cases was that giving consent was much easier than withdrawing it, creating an imbalance that undermines the principle of freely given consent.

As Michaela Prieto Ceric from IMY stated: "A cookie banner should give clear and transparent information to the visitor and it should be as easy to give consent as to later withdraw it."

The Post-Consent Challenge

These cases highlight a critical aspect of GDPR compliance that many organizations overlook: what happens to user data after consent is given. Key considerations include:

  1. Data Flow Control: Organizations must maintain control over where and how data flows once consent is obtained.

  2. Consent Withdrawal Implementation: Technical mechanisms must exist to immediately and completely honor consent withdrawal requests.

  3. Third-Party Data Sharing: Companies must ensure that third parties stop receiving data as soon as consent is withdrawn. Data already shared cannot be recalled, so the decision to forward must be made before each transfer, not only when the banner is first answered.

  4. Complete Data Lifecycle Management: GDPR compliance requires thinking beyond the initial consent to the entire lifecycle of data.

Server-Side Tracking as a Solution

Server-side tracking, in which the browser sends events to an endpoint the organization controls and that endpoint decides what, if anything, to forward to each vendor, gives organizations an enforcement point they do not have when every vendor's script runs directly in the browser:

  1. Centralized Consent Management: Server-side implementations allow for a single source of truth for consent status, making it easier to honor consent changes instantly across all systems.

  2. Granular Data Control: With server-side tracking, organizations can filter what data is sent to which third parties in real-time, ensuring that when consent is withdrawn, no further data is shared.

  3. Consent State Enforcement: Server-side solutions can enforce consent states at the point of data collection, preventing data from being processed before consent verification.

  4. Complete Audit Trail: Server-side tracking enables comprehensive logging of consent status changes and corresponding data processing decisions, creating an auditable trail of compliance.

  5. Real-time Consent Propagation: When a user withdraws consent, server-side systems can immediately propagate this change to all connected systems, stopping data flow instantly.

Two limits apply. Server-side tracking does not fix the banner itself: the misleading design IMY criticized at ATG and the missing withdrawal information at Warner Music are interface problems that no backend change addresses. And any cookie or script that is still set in the browser remains subject to consent regardless of where events are later forwarded; the gateway governs only what the organization sends onward.

Implementation Guidelines

To comply with IMY's expectations regarding consent management, organizations should consider these server-side implementation practices:

  1. Real-time Consent Verification:

    • Implement server-side consent checks before any data processing
    • Create a consent service that all data processing systems must query
    • Ensure no data is processed without active verification of current consent status
  2. Withdrawal Mechanisms:

    • Provide equally prominent user interfaces for both giving and withdrawing consent
    • Implement mechanisms to detect and block data flow immediately upon consent withdrawal
    • Ensure that withdrawal mechanisms are accessible from all points where data collection occurs
  3. Unified Consent Management:

    • Centralize consent management at the server level
    • Implement a consent registry that tracks the status of all user consent
    • Ensure all third-party vendors receive consent status updates in real-time
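
The consent service, consent registry and per-vendor filtering described in the two sections above, as an added example in Python that is not code from IMY, the page author or any of the companies named: a minimal server-side gateway that consults a central registry at forwarding time, defaults to deny, and logs both consent changes and forwarding decisions in one audit trail. The vendor names, purpose names, visitor id and in-memory vendor sinks are constructed stand-ins for real vendor endpoints.

```python
# Consent-gated server-side tracking gateway. Added example, not code from the
# IMY decision or from any company named in the article. Vendor names, purpose
# names, the visitor id and the in-memory sinks are hypothetical stand-ins.
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Callable

# Each downstream vendor declares the consent purpose it depends on. A vendor
# missing from this table is never forwarded anything (default deny).
VENDOR_PURPOSES = {
    "analytics-vendor": "analytics",
    "ads-vendor": "marketing",
}


def _now() -> str:
    return datetime.now(timezone.utc).isoformat()


@dataclass
class ConsentRegistry:
    """Single source of truth for consent, keyed by a pseudonymous visitor id."""
    _state: dict[str, dict[str, bool]] = field(default_factory=dict)
    audit_log: list[dict] = field(default_factory=list)

    def update(self, visitor_id: str, purposes: dict[str, bool], source: str) -> None:
        """Record a grant or a withdrawal; both are appended to the audit log."""
        self._state.setdefault(visitor_id, {}).update(purposes)
        self.audit_log.append({"ts": _now(), "event": "consent_update",
                               "visitor": visitor_id, "purposes": dict(purposes),
                               "source": source})

    def withdraw_all(self, visitor_id: str, source: str) -> None:
        """Withdrawal sets every known purpose to False instead of deleting the
        record, so the trail shows consent was given and later revoked."""
        self.update(visitor_id, {p: False for p in set(VENDOR_PURPOSES.values())}, source)

    def allows(self, visitor_id: str, purpose: str) -> bool:
        """Default deny: an unknown visitor or an unrecorded purpose is 'no consent'."""
        return self._state.get(visitor_id, {}).get(purpose, False)


class EventGateway:
    """Server-side collection endpoint: the browser sends one event here and the
    gateway decides, per vendor and at forwarding time, whether it may leave."""

    def __init__(self, registry: ConsentRegistry,
                 vendors: dict[str, Callable[[dict], None]]) -> None:
        self.registry = registry
        self.vendors = vendors

    def ingest(self, visitor_id: str, event: dict) -> dict[str, list[str]]:
        forwarded, blocked = [], []
        for vendor, purpose in VENDOR_PURPOSES.items():
            if vendor in self.vendors and self.registry.allows(visitor_id, purpose):
                self.vendors[vendor]({"visitor": visitor_id, **event})
                forwarded.append(vendor)
            else:
                blocked.append(vendor)
        # The forwarding decision sits next to the consent changes in the same
        # log, so an auditor can tie each outbound event to the state that allowed it.
        self.registry.audit_log.append({"ts": _now(), "event": "forward_decision",
                                        "visitor": visitor_id, "name": event.get("name"),
                                        "forwarded": list(forwarded),
                                        "blocked": list(blocked)})
        return {"forwarded": forwarded, "blocked": blocked}


def demo() -> dict:
    """Walk one constructed visitor through no consent, partial consent, full
    consent and withdrawal. Sinks are lists standing in for HTTPS vendor calls."""
    sinks: dict[str, list] = {name: [] for name in VENDOR_PURPOSES}
    registry = ConsentRegistry()
    gateway = EventGateway(registry, {name: sinks[name].append for name in sinks})
    vid = "v-1234"  # constructed pseudonymous visitor id
    decisions = []
    # 1. Before any banner interaction: nothing leaves the gateway.
    decisions.append(gateway.ingest(vid, {"name": "page_view", "path": "/"}))
    # 2. Visitor accepts analytics only.
    registry.update(vid, {"analytics": True, "marketing": False}, source="banner")
    decisions.append(gateway.ingest(vid, {"name": "page_view", "path": "/album"}))
    # 3. Visitor later accepts marketing from the settings page.
    registry.update(vid, {"marketing": True}, source="settings")
    decisions.append(gateway.ingest(vid, {"name": "add_to_cart"}))
    # 4. Withdrawal: the very next event is blocked for every vendor.
    registry.withdraw_all(vid, source="settings")
    decisions.append(gateway.ingest(vid, {"name": "page_view", "path": "/"}))
    return {"decisions": decisions, "audit_events": len(registry.audit_log),
            "delivered": {name: len(s) for name, s in sinks.items()}}


if __name__ == "__main__":
    for entry in demo()["decisions"]:
        print(entry)
```

The step a regulator would test is the last one: once `withdraw_all()` has run, the next `ingest()` forwards nothing, with no queue or cache in between. In a real deployment the registry would be backed by a shared store that every collection endpoint reads, and the withdrawal call would be wired to a control as visible as the accept button. Withdrawal is prospective: it stops future forwarding but does not recall data already sent, so vendor contracts still need a deletion or suppression mechanism.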

Recommendations for Organizations

  1. Audit Current Practices:

    • Review cookie banner design and functionality
    • Evaluate the ease of consent withdrawal compared to giving consent
    • Document current data flows after consent is obtained
  2. Implement Server-Side Tracking:

    • Move tracking logic from client-side to server-side
    • Create a consent verification layer that controls all data flows
    • Implement real-time consent status checking before any data processing
  3. Regular Compliance Reviews:

    • Conduct periodic assessments of consent management practices
    • Test consent withdrawal functionality from a user perspective
    • Ensure that withdrawn consent actually stops all associated data processing

Conclusion

IMY's criticism of these three companies serves as an important reminder that GDPR compliance extends beyond the initial collection of consent. Organizations must maintain control over data throughout its entire lifecycle, especially when consent is withdrawn. Server-side tracking provides the technical foundation for this level of control, enabling organizations to honor user choices in real-time and maintain compliance with evolving regulatory expectations.

As privacy regulations continue to evolve and enforcement increases, organizations that implement server-side tracking will be better positioned to adapt to changing requirements while building trust with their users through transparent and responsive data handling practices.