When the Cookie Crumbles: Four Reasons Why Cookie Consent Does Not Work
It is impossible to browse the Internet without bumping into a popup window requesting consent to enable cookies on the web page. Website cookies are text files saved to devices that contain information about a person’s Internet activity and preferences. Since website cookies track what a user does on the site, the data about the user’s behavior will be present and deployed when the person visits the site again. Some examples of data that cookies save are usernames, passwords, language preferences, and location. There are also third-party cookies that advertisers use to determine a user’s preferences, which in turn, generate ads that will follow users even as they view other websites. Adding popup windows to inform users about cookies promote transparency about data collection and achieve compliance with relevant privacy laws. While this is good in theory, these popup windows have not substantially increased privacy awareness or achieved compliance.
Website Cookies and Privacy Laws
Several countries have passed laws to regulate data privacy more strictly. However, the European Union (EU) leads in data privacy regulation. It is in response to the EU’s General Data Protection Regulation (GDPR) and ePrivacy Directive that websites have added popup windows to their websites which discloser the page’s cookie usage and requesting that users to consent to cookie tracking before the user views the content. The GDPR requires that all businesses that offer goods and services to EU citizens implement measures to protect consumer personal data and privacy. Protections include heightened data transparency, data access, and allowing individuals to opt out of data collection. The GDPR does not discuss cookies in detail, but merely states that cookies “may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.” Under this description, it places cookies under the GDPR’s purview and generally necessitates consent to collect, process, or sell any data containing personal identifiers.
The ePrivacy Directive regulates cookies more broadly and stresses the importance of confidentiality and transparency when monitoring online activity. Specifically, the EPD states:
Third-parties may wish to store information on the equipment of a user, or gain access to information already stored, for a number of purposes, ranging from the legitimate (such as certain types of cookies) to those involving unwarranted intrusion into the private sphere (such as spyware or viruses). It is therefore of paramount importance that users be provided with clear and comprehensive information when engaging in any activity which could result in such storage or gaining of access. The methods of providing information and offering the right to refuse should be as user-friendly as possible.
A more comprehensive ePrivacy Regulation is also in the works.
Four Major Issues with Cookie Popups
Some cookie banners are not user-friendly and do not provide enough information to fully educate people about what data will be collected and how the website intends to use it. Omission of vital information, using complicated language, or creating barriers to denying consent makes it difficult for users to even understand what they are consenting to when they click that “accept cookies” button.
All of this illustrates that cookie banners are not doing much to help users take control of their personal data on the Internet. Many banners are ignored, difficult to understand, or viewed as spam. Additionally, some are deceptive, which is an even bigger problem and goes against the principle of data transparency that laws like the GDPR promote. However, until someone figures out a better way to alert users about cookies or privacy measures that a website takes, Internet users will continue to be bombarded with these popups.
As noted, a common reaction to the global increase in regulations concerning data privacy protections has been adding popup windows disclosing cookie usage and asking for user consent. However, this does not significantly improve data privacy, which is the focus of laws like the GDPR. Instead, the following issues render these cookie popups ineffectual.
Users ignore cookie banners and simply click “accept” without really knowing what they are agreeing to and what information the cookies save. Consequently, the consent does nothing to help improve awareness or education concerning data privacy. While this partly falls on the user, organizations assume it will happen and do not attempt to enhance their efforts. A possible solution is to place a cookie disclaimer conspicuously on the website so that even after a user accepts a banner, there will be a reminder about data tracking. On-going reminders could improve the chances that the user actually reads the disclosure. Providing reference to a website’s superior privacy practices is also another option, however, determining what qualifies as acceptable privacy safeguards remains an issue.
Sometimes popups can be deceptive and will violate the user’s choices. A 2019 study by Célestin Matte, Nataliia Bielova, and Cristiana Santos examined the effects of cookie banners and found violations on 54% of the websites the researchers analyzed. Some of the violations included findings that some websites did not offer a mechanism for users to refuse consent or still collected information even after a user refused consent. The study’s revelations demonstrate that user’s data privacy rights are not consistently protected.
Some websites will ban access if a user does not consent cookies, which surely is not GDPR-compliant, as users are supposed to be able to opt out of data collection.
All of this illustrates that cookie banners are not doing much to help users take control of their personal data on the Internet. Many banners are ignored, difficult to understand, or viewed as spam. Additionally, some are deceptive, which is an even bigger problem and goes against the principle of data transparency that laws like the GDPR promote. However, until someone figures out a better way to alert users about cookies or privacy measures that a website takes, Internet users will continue to be bombarded with these popups. If you found this blog informative, you may enjoy reading TikTok Raises Data Security Concerns in the US or the Epiq Angle Blog.