Since spring of 2018, the online experience for people living in the EU has been shaped by an annoying new feature: cookie consent pop-ups.
Suddenly, we were all being asked to weigh in on the information companies could collect from us each time we accessed a site, be it an online banking service or one of those recipe blogs where you have to read a short novella about someone’s dull, hungry husband before being granted access to the flour measurements.
A quick primer for those who need it: cookies are files your computer downloads when you enter a website. They contain information about you or your device that can be read by the server on the other end of the connection, and are used to trace your activity across the internet.
First party cookies are placed on the website by the website owner to, for instance, remember your username. Third party cookies are placed on the website by other companies to, say, deliver you personalised ads. There are many other types of tracking technologies, but I’ll refer to them all as cookies or trackers to keep it simple.
Cookie consent banners popped up on our screens thanks to the General Data Protection Regulation (GDPR), a framework that sets guidelines for how the personal data of people in the EU is allowed to be collected, processed and stored by companies. These regulations also currently apply in the UK. The GDPR deals with much more than just cookies – it’s a massive piece of legislation that’s been praised by privacy experts for its groundbreaking legal definitions, and for enshrining the rights and protections of individual data holders in law.
Under the GDPR, individuals have the right to be informed about the personal information that’s being collected about them, and the right to consent to it or not. Conversely, companies must be able to explain why they are collecting user or customer data and obtain consent beforehand, unless that data is strictly necessary for the site to function (for example, cookies that allow a shopping site to hold items in your wish list).
That’s what consent banners are for – they allow you to tell the website owner whether you agree or disagree with non-essential personal data collection. The GDPR says consent should be “freely given, specific, informed and unambiguous”, which means you should easily be able either to consent or to refuse to be tracked. Seems quite straightforward, but if you’ve ever tried to reject non-essential cookies, you’ll know it’s not as simple as just pushing a button.
I decided to put the system to the test. For three randomly selected working days, I recorded my screen during office hours and tried to reject all non-essential cookies for every single website I interacted with. Then, I watched it all back to see how easy it had been to opt out.
I measured this “ease” in several ways. First, using a stopwatch, I timed how long it took me to quickly read through a pop-up and reject non-essential cookies. I also counted how many times I clicked, and whether I was sure if I’d actually managed to opt out or if I had to give up at some point.
Over the course of the three days, I interacted with 76 websites – 32 on day one, 30 on day two and just 14 on day three, a bit of a slow one. Working as an editor for VICE, I accessed a lot of news sites, but I also had to research information about football, festivals, gardening – in short, a good mix of topics.
On the first day, I spent a whopping 14.38 minutes rejecting cookies. The quickest consent banner only took 2.6 seconds to get through, the longest took a little over five minutes before I reached a dead end and gave up. On day two, I spent 13 minutes doing this, and on day three, a little over nine minutes.
That might not seem like much in the grand scheme of things, but the user experience research firm Nielsen Norman Group estimates that people spend on average less than a minute on a website. That’s why some users might find the prospect of just a couple of seconds of clicking and reading through a pop-up enough of a burden to just select the “accept all” option and get it over with.
The most interesting result of my little experiment was not discovering how improbably long it took me to navigate consent pop-ups, but learning that I only managed to successfully opt out less than 50 percent of the time – 46 percent to be precise. Thirteen websites had a consent banner but gave me no option to opt out, or it was so complicated and time-consuming I simply had to give up.
In two cases, rejecting cookies meant I could no longer access the vast majority of the sites’ content. The websites Healthline and Medical News Today, both part of the same group, welcomed me to the “ad-free, tracking-free version” of their websites, where I could browse only ten articles instead of the whole platform. While it makes sense for a publisher to block content for users who do not want to view ads, the data you are not allowing the website to track is yours, and you have the right not to be tracked.
For 26 websites (34 percent of the total), I wasn’t totally sure whether I’d opted out or not. That happened mostly when the website had no cookie banner at all (13 sites) or when I simply didn’t notice it, despite actively paying attention while browsing (ten sites). A critic might say it’s my fault that I missed all those banners, but there’s a good reason why. Eight out of ten of those banners were displayed at the bottom of the interface. Seven of those were a single line of text that easily blended in with the site.
These types of designs are known as dark patterns, or “design patterns that trick you into doing a thing you wouldn’t otherwise have done”, according to user experience specialist Harry Brignull, who coined the term in 2010. Brignull told me via Zoom that there are many types of dark patterns, but most of them create “friction”, meaning they make some options easier than others.
“A lot of dark patterns take good design principles and invert them,” he said. “It's all bad design on purpose, it’s all the things [a designer would] normally avoid.”
In this case, the consent banners were so difficult to notice that I forgot to make a choice about non-essential cookies at all. In fact, data suggests most internet users simply ignore these portions of their screens and don’t interact with banners in any way. But according to a 2020 study, 32.5 percent of the websites surveyed registered users’ consent before they even made a choice on the matter – for instance, if they had scrolled around or refreshed a page, or even just opened the site. The paper also found that a measly 11.8 percent of websites were fully compliant with the GDPR.
“Here is one important point I want to make: it is not the GDPR that is responsible for these pop-ups,” said Midas Nouwens, assistant professor at Aarhus University in Denmark, and lead researcher on that 2020 study. “The GDPR has set rules for how you can get valid consent. It’s the advertising industry that interpreted that and designed consent pop-ups.”
The role that the advertising industry plays in online tracking is complex. Most companies are currently investing in personalised advertising – a model that relies on figuring out exactly who you are and what you like – because it’s more profitable. But there’s also another way to make money online: contextual advertising, which presents you with ads based on what you’re viewing at a particular moment.
In order to make personalised ads work, advertising services like Google AdSense need to gather information about you and your browsing habits across different websites. That’s why the vast majority of cookies are third party cookies placed on websites not by their owners, but by advertising companies. As a result, “a lot of website owners don’t know what type of data they’re collecting”, said Nouwens. “They are just sold a package of free customer insights or provided a free plugin in exchange for the data.”
After the introduction of the GDPR, website owners found themselves stuck – the new regulations required them to obtain consent from users, but many didn’t even know what trackers they had on their websites, let alone how to ask users to consent. That’s when the European branch of the Interactive Advertising Bureau (IAB Europe), an online advertising industry organisation, stepped in. In April of 2018, a month before the GDPR was implemented, IAB Europe published the Transparency and Consent Framework (TCF), a set of technical specifications to “help the digital advertising industry interpret, and comply with EU rules on data protection and privacy”.
This framework created a standardised way for consent to be registered through specific lines of code. It also introduced new actors called Consent Management Platforms (CMPs), including, for example, Quantcast, OneTrust and Cookiebot. CMPs are services that scan websites for cookies and compile customisable cookie banners that allow the website owner to be more or less compliant with the law. That’s why consent pop-ups often look the same across different sites.
But “CMPs are serving two markets”, Nouwens explained. In theory, their primary purpose is to obtain users’ freely given and informed consent, but their clients are website owners who have an interest in collecting as much data as possible and selling it to the online ad industry. “The interest of the CMPs is to say, ‘If you use our technology, 90 percent of users will say yes and you will not notice the impact of this law,’” Nouwens said. “That’s why they use dark patterns.”
IAB Europe is not a neutral party – it represents important players in the online ad industry, including Google and Facebook Atlas (the company’s personalised ads service). According to Corporate Europe, an NGO that monitors lobbying activity in the EU, IAB Europe has been actively campaigning against restrictions on tracking technology for years. Lobby Facts, another platform compiling data about lobbies in Brussels, documented 17 meetings between IAB Europe representatives and EU officials between 2014 and 2020. They also allege IAB Europe spent between €300,000 and €399,000 in lobbying costs in 2019 alone.
Another important part of the IAB framework has to do with two technical terms: “consent” and “legitimate interest”. “The GDPR sets six ways to legally process personal data,” said Nataliia Bielova, research scientist at the National Institute for Research in Digital Science and Technology (Inria) in France. “For example, one is with the consent of the user, one is for emergencies – like when a patient’s life needs to be saved at a hospital – and the sixth case is called ‘legitimate interest’.”
Legitimate interest is a principle that allows companies to process your data without your consent if they can legitimately claim they need to do it, that it will have minimal impact on your privacy and that you would reasonably expect that data to be processed anyway. This can include some direct marketing and personalisation in the way you see a website (language, currency, search results), but it should be used sparingly and weighted against your individual interest.
The problem is, the IAB framework allows advertisers to choose whether they want to process your information through the consent principle or through the legitimate interest principle, as explained by Cristiana Santos, assistant professor at the Utrecht University School of Law, who specialises in e-privacy and data protection. “While for consent you need to explicitly say, ‘Yes I agree,’ legitimate interest doesn't require that – the only thing a user can do is ‘reject’ or ‘object’,” Santos said. “It's super confusing for users because they don't understand the difference.”
Basically, the way this manifests in your online life is as follows: you might have a consent pop-up with a series of options set to “off”. But if you simply accept these settings as they are, you may never see a further layer or tab with many pre-selected options that companies claim as their legitimate interest.
In my experience, these are some of the trickiest banners to navigate. For instance, on the health website WebMD, the initial cookie consent banner takes you to a series of tabs detailing what information is being tracked about you, and asking you to toggle a button to the right if you consent to it. The first six of 14 tabs refer to either strictly necessary cookies or present you with options automatically set to off. But on the seventh tab, the one pertaining to personalised ads, you need to click “Object to legitimate interest” nine times for your data not to be tracked and transmitted to advertisers. In banners with other formats, you might click “reject all”, but that wouldn’t necessarily apply to objections to legitimate interest.
Santos and Bielova, who have collaborated on a number of multidisciplinary studies, recently found that, from a legal standpoint, banners are supposed to ask for consent for most purposes listed in the IAB framework, but often rely on legitimate interest instead. Overall, Bielova confirmed it is “extremely rare” for these banners to be fully compliant with the law. And yet, many websites use banners based on the IAB framework – IAB Europe lists 76 Consent Management Platforms, each creating banners for hundreds or even hundreds of thousands of websites.
“One of the main critiques of the GDPR is that there is this huge lack of enforcement, specifically around the cookie banners,” said Nouwens. Currently, people can report violations to their national Data Protection Authority (DPA), the organisations tasked with supervising the application of e-privacy laws and handling complaints. Sometimes, you can also resort to local consumer protection organisations, or NGOs like the European Center for Digital Rights.
The problem is that most people don’t understand when their e-privacy rights are being violated in the first place, and can’t be expected to flag every issue even if they know how to do it. Besides, data protection authorities can only tackle a case at a time, and their main tool is issuing fines. It’s a very slow process given the magnitude of the problem. To top it all off, a 2019 report by the European Data Protection Board found that the majority of data protection authorities were underfunded by 30 to 50 percent.
This is not the only way to do things. “I think that, as part of this type of regulation, we should include requirements that make it possible to monitor these technologies,” Nouwens said. If frameworks like the IAB’s have found a way to codify consent, it should also be possible to encode a mechanism that allows for systematic checks for compliance with the law.
Another important thing to note is that we might not need consent pop-ups at all. “Consent is the way we see it now because these advertising companies have decided it is that way,” Nouwens said. The European Parliament, the Council of the European Union and the European Commission are currently discussing a set of complementary measures to the GDPR called the ePrivacy Regulation. As part of these discussions, a proposal was made to consider the cookie preferences you set in your browser as legal consent. That way, users would have to express their preferences only once, and decide what they are and aren’t OK with.
Of course, the advertising industry isn’t happy about this idea. “It keeps getting lobbied out,” Nouwens said. Advertisers benefit from asking users to make decisions every single time – under our current system, they decide what consent pop-ups look like and how annoying and ineffective they seem.
“Ultimately, I don’t think having people make decisions on a daily basis is giving [users] more control,” Nouwens said. “We've just spent 45 minutes talking about how this stuff works, and even I don't know everything. So the idea that you can actually make an informed decision about what you want is misplaced.”
If you’re currently freaking out about just how much of your data is floating around the online advertising universe, there are a few things you can do. Firstly, the Blacklight tool developed by The Markup allows you to check what data a specific website is tracking about you. You can also opt for more secure browsers, including Tor or Brave. But if you want to stick to less secure options, Nouwens suggest you try a browser extension he developed called Consent-O-Matic (for Firefox and Chrome), which automatically “replies” to cookie consent pop-ups based on preferences you can set in advance.
The negotiations around the ePrivacy Regulation are still ongoing. While it might be a little unorthodox at the EU level of politics, here you can find and contact your Member of European Parliament, and here you can petition the EU to let them know what you think. Maybe we can get our cookie consent preferences lobbied back in.