For regular Internet users, cookie banners and alerts are a common feature of the web surfing experience. They can be annoying and disruptive and it’s easy to blame the law because cookie transparency is a legal requirement. In truth, though, many banners or notifications are implemented to make it easier to ‘Agree All’ than ‘Decline All’ because that’s what the website wants you to do. Few of us have the time or inclination to review details of cookies and tracking so we just agree.
Of course, the primary purpose is to demonstrate that you give your consent (freely given, specific and informed indication…) for cookies to be dropped into your browser. This is fine in principle but what ‘gets my goat’ is that so few websites offer you the opportunity to control the depth to which you are prepared to share your data. As we know, some websites are shameless in their attempt to monetise website user behaviour data. We accept that sometimes we must give up some of our privacy to benefit from good quality online information at no cost.
Cookie consent 2021 update
It’s been two years since we delved into the complex world of cookie compliance. Since then, there have been some big developments that are altering the landscape. Here’s a brief update on what you need to know.
The ePrivacy Regulation (“ePR”) finally leaps forward
In February of this year, the European Union (“EU”) Council agreed a finalised text of the ePR, which has now entered trialogue negotiations (aka: meetings between the European Commission, European Parliament, and the EU Council to finalise the law).
In terms of cookie consent, the ePR – for the most part – is not particularly ground-breaking. It reinforces many of the principles of the ePrivacy Directive, which it will supersede once introduced. For example, it states that end-user cookie consent is necessary prior to processing any user data, which is nothing new.
What is new, however, is the EU’s attempt to address so-called ‘cookie consent fatigue’. This is something we have all likely experienced at one point or another. As we perform online tasks, such as checking the news, researching products, or making reservations, consent banners pop up at every turn. The barrage of banners can test our patience, leading us to hastily click ‘Accept’, without really understanding what we are consenting to, or even cause us to abandon our tasks out of frustration.
To address this, the ePR proposes that an end-user can set consent for chosen providers by whitelisting them in their browser settings. However, it remains yet to be seen how, and if, the new law will approach ‘dark patterns’, by which we mean cookie consent interfaces that are deceptively designed to nudge users towards clicking ‘Accept’, rather than providing a fair and equal choice.
NOYB takes a stand…
Although the ePR does not address dark patterns, the European Centre for Digital Rights (“NOYB”), founded by privacy activist Max Schrems, is taking matters into its own hands. At the end of May 2021, the non-profit organisation announced it had sent draft complaints to over 500 companies, operating in Europe, for unlawful use of cookie banners.
NOYB explained that it had created a software, which automatically analyses and detects non-compliant cookie banners – for example, banners that do not give a clear yes/no option or make it difficult for the user to reject cookies.
“Annoying cookie banners appear at every corner of the web, often making it extremely complicated to click anything but the “accept” button. Companies use so-called “dark patterns” to get more than 90% of users to “agree” when industry statistics show that only 3% of users actually want to agree.” – Max Schrems, founder of NOYB
NOYB contends that most banners currently do not comply with the General Data Protection Regulation (“GDPR”). It expects that its automated software could generate more than 10,000 complaints against different websites and will be looking to send these out within the next year, starting with the 560 companies it has recently notified.
To ensure the accuracy of its software, NOYB’s legal team reviews each auto-generated complaint. Once the draft complaint is sent to a company, it is given one month to update its cookie consent practices. If the organisation does not do so in this time, then NOYB will elevate the complaint to the relevant national data protection authority, which could lead to regulatory action.
As well as this detection system, NOYB also recently announced a new proposal with the Sustainable Computing Lab to create a new automatic browser signal that would render cookies obsolete. The new mechanism is called Advanced Data Protection Control (“ADPC”). It aims to reduce end-user fatigue when it comes to the barrage of cookie banners, by allowing users to set their overarching privacy preferences in their browser. For example, users would be able to white- and blacklist cookies for certain types of sites and enable/disable cookie requests for websites they visit regularly.
By centralising the cookie process for end-users, NYOB and CSL hope to empower citizens to protect their online privacy, while also encouraging publishers and website providers to comply with GDPR. Currently, the ADPC is in a proof-of-concept phase, meaning it is not ready for wide-scale rollout. NYOB notes that the enforcement of this mechanism, or one similar to it, is up to European legislatures. As the ePrivacy regulation enters final negotiations, it will be interesting to see if ADPC will be incorporated into the final legislation.
…and so does France
Another body ahead of the curve in tackling the cookie monster is the French Data Protection Authority (“CNIL”). For both 2020 and 2021, CNIL announced that cookie compliance was one of its strategic priorities, and its enforcement actions show just how seriously the body is taking the matter.
The fine was issued because Google.fr was found to automatically deposit cookies onto users’ devices when they visited the website – without being given an opportunity to refuse. Google.fr’s consent policy was difficult to find and involved several stages to reach a refuse option. Even in instances where a user declined cookies, some cookies remained stored on the user’s device for marketing purposes. This violates multiple articles of the GDPR.
Similarly, for Amazon, the CNIL found that, when a user clicked through to Amazon through ads on third-party websites, cookies were automatically enabled on the user’s device, without consent. Again, this violates numerous areas of GDPR. In both cases, Google and Amazon should have created, and adhered to, more explicit and transparent cookie consent practices. These should have given users adequate control and more options over how their personal data was processed.
Aside from these fines, the CNIL has also created guidance for organisations, to help them understand the legal requirements for cookies. The guidance was published in October 2020, superseding the CNIL’s previous cookie guidance from 2013. Its recommendations include:
- Browsing a website is no longer enough to qualify as consent. Cookies can only be deposited after consent is freely given by the user
- Users should have the option to “Reject All” cookies as soon as they visit a website. It should be as simple to reject cookies as it is to accept them
- Users should be provided with an option to update their preferences or withdraw their consent throughout their interaction with a website or company
Following the publishing of the guidelines, the CNIL gave organisations a six-month grace period to ensure compliance. The new guidelines then came into effect in April of this year. Already, the CNIL has been hot on the case of non-compliant organisations. In May, the body filed 20 formal notices against organisations that it found had improper policies for rejecting cookies.
Google to phase out cookies
It’s clear that citizens are becoming more privacy-aware and have the desire to secure their personal data. Media headlines, highly targeted advertisements, and fines by nation-states like France all have a role to play in this. In response to these privacy concerns, Google has announced plans to phase out third-party cookies by 2023.
While, on a first look, this might make privacy advocates rejoice and advertisers quake in their boots, the picture is complex. Third-party cookies may be on the way out, but they are being replaced by a new tool: the Privacy Sandbox – one of the main technologies of which is the Federation of Learning Cohorts (FLoC).
In layman’s terms, the Privacy Sandbox is a group of tools that will let ad companies target demographical groups, or cohorts, based on factors like age or shared interests in Chrome. However, the people in these groups, and their browsing histories, will remain anonymous.
For advertisers, this presents a huge market shift. They are used to targeting specific users through third-party cookies. With FLoC, the cohort adds a barrier of anonymity, which should improve user privacy.
But is Google’s plan to delete third-party cookies really an act of altruism? Critics are doubtful. Many see it as a move to monopolise the advertising space, which could put smaller publishers out of business.
In response to these concerns, the U.K.’s Competition and Markets Authority launched an investigation into Google’s plans under Chapter II of the U.K.’s Competition Act 1998 into “suspected breaches of competition law by Google”. The European Commission is also investigating Google’s FLoC plan over its potential to be anti-competitive.
Following the CMA’s investigation, Google offered the CMA the opportunity to play a role in the development and design of the privacy sandbox, to ensure it is ethical and fair from a competition standpoint. In a statement about this offer, the CMA said it is currently reviewing Google’s proposals and will make a final decision later this Summer.
Original blog post March 25th, 2019
Early attempts at self-regulation
Back in 2002, alert to the possibility of privacy concerns, the World Wide Web Consortia created a working group to develop a common set of protocols to provide users with a sense of privacy when surfing the Internet. In 2007 the specification was launched and was known as “P3P” (Privacy Preferences Platform). It overcame the wide range of differences among websites’ privacy policies, thus allowing for universal privacy settings from which users could choose from.
Sadly, due to a lack of industry appetite, only a small fraction of websites complied with P3P. At the time there was no legal compulsion for websites to enforce their privacy policies. It was a well-intentioned failure—a toothless tiger. The project was quietly dropped in August 2018.
The EU Directive 2002/58/EC (as amended by 2009/136/EC) is more commonly known as the ePrivacy Directive and suggests that internet browser settings may be one means of obtaining consent if they can be used in a way that allows the subscriber to indicate their agreement to cookies being set. Most websites fail to be transparent and inform to what degree they are tracking our online behaviours and, despite the ePrivacy Directive, fail to adequately secure prior consent.
The new ePrivacy Regulations (ePR) have yet to be adopted, despite a strongly worded statement from the EDPB on 13th March 2019. When the ePR is enacted it will inevitably be the case that consent must involve some form of communication where the individual knowingly indicates their acceptance. This may involve clicking an icon, sending an email or subscribing to a service. The crucial consideration is that the individual must fully understand that by the action in question they will be giving consent.
What good cookie consent looks like
In some cases, though these are often in the minority, websites are helpful and give you clear guidance and means of control over what you are prepared to surrender privacy to. Here is one from Channel 4. The BBC also has a nice example of tracking settings. When you first interact with the website a privacy header notification appears, as shown below.
If you are curious to investigate further and select ‘No, take me to settings’ up pop further details; it’s clear what the user is giving consent to. The BBC default setting is to the least invasive level possible whilst making the website still able to function properly.
More common is the ‘take it or leave it’ cookie wall approach, the options being to accept the data privacy conditions and press ‘X’ before you can enter the site. The cookie notice may be prominent; however, your consent is ‘implied’ with a click of the ‘continue’ button. To most website users, this is just an irritation.
It is possible that the public is either ambivalent or just doesn’t understand what happens to their data. Likewise, the data protection authorities have seemed disinterested in pressuring the big corporates to come up with a solution. Meanwhile, the ad tech industries remain unchecked in their appetite for big data. At what tipping point does do consumers or data protection authorities say enough is enough?
Perhaps we reached that tipping point on 21st January 2019 when the French data protection authority, Commission Nationale de l’Informatique et des Libertés (CNIL) indicated their intention to fine Google LLC €50m for lack of transparency, inadequate information and lack of valid consent regarding ads personalisation. In essence, account settings with which individuals control among other aspects, data collected for the personalization purposes or for the geo-tracking service were deemed so disparate and excessively disseminated across several websites that CNIL felt valid consent had not been obtained for two reasons, 1) users were not sufficiently informed and 2) collected consent was neither “specific” nor “unambiguous”.
In another recent case, on 9th March 2019, on the narrower subject of cookie walls the Dutch data protection authority has taken a firm view on their use, announcing that cookie walls are not compliant with GDPR. The authority has sent a letter to the organisations with which it has received the most complaints and announced that it will intensify its monitoring to see whether the standard is being applied correctly.
These are by far the most significant regulatory actions taken by data protection regulators thus far under GDPR and other cases are sure to follow. It is expected that Google will appeal their case though this may take years to come to a resolution.
So, in the meantime what can be done to manage cookie privacy consents? Sure, not all cookies are bad; they are not malware and not even code, so they cannot be executed. However, cookies (and pixels) CAN be used for malicious purposes. They store information about browsing preferences and history and can be used to act as a form of spyware.
If you want to see just how pervasive cookies and pixels can be and find out which are lodging in your browser, just go to this website for further directions. Once you’ve found your cookie library you’ll be presented with a long list of first and third party cookies that have made a home on your computer. You may be surprised to see several hundred, and many of the advertising tracking types!
A knee-jerk reaction would be to immediately wipe the cookie library and tighten your browser settings so tight that no cookies could be downloaded. But before you make this hasty decision, it’s worth pointing out that there are several ‘strictly necessary’ and ‘functional’ cookies that are necessary in order for websites to work properly. For example, ensuring that your shopping cart updates as you navigate the website or that you can trackback to an earlier page during a browser session.
Is it possible to optimise your web browser to give you that delicate balance of control over privacy? Given enough time and patience, yes of course this is possible, however, bear in mind that knowing which cookies to block or allow requires a detailed understanding of each cookie. And not all cookie developers are so willing to disclose the purpose of each either.