Guess What? Many Cookie Banners Ignore Your Wishes, So Max Schrems Goes On The GDPR Attack Again

from the lack-of-respect dept

One of the most visible manifestations of the EU’s General Data Protection Regulation (GDPR) is the “cookie banner” that pops up when you visit many sites for the first time. These are designed to give visitors the opportunity to decide whether they want to be tracked, and if so by whom. Any business operating Internet sites in the EU should theoretically use them or something similar, or risk a GDPR fine of up to 4% of global turnover. Cookie banners may be tiresome, but at least they give users some measure of control over how much they are tracked online. But do they? Few of us have the skills or the time to check that our wishes are obeyed by every site. Fortunately, three researchers in France — Célestin Matte, Nataliia Bielova, Cristiana Santos — possess both, and have conducted the first rigorous study of this area. They’ve written a good summary of their full academic paper.

An initial scan of 22,949 Web sites from the EU domains, as well as .org and .com, showed 1,426 that had cookie banners based on the Interactive Advertising Bureau Europe Transparency and Consent Framework, the main industry standard for this area. Of those, the team of researchers took a close look at 560 Web sites from .uk, .fr, .it, .be, .ie and .com domains to detect possible GDPR violations. Shockingly, they found four types of violations in cookie banners, across 305 Web sites — 54% of the sample:

Consent stored before choice

The cookie banner stores a positive consent before the user has made their choice in the banner. Therefore, when advertisers request for consent, the cookie banner responds with the positive consent even though the user has not clicked on a banner and has not made their choice yet.

No way to opt out

The banner does not offer a way to refuse consent. The most common case is a banner simply informing the users about the site’s use of cookies

Pre-selected choices

The banner gives user a choice between one or more purposes or vendors, but some of the purposes or advertisers are pre-selected: pre-ticked boxes or sliders set to “accept”.

Non-respect of choice

The cookie banner stores a positive consent in the browser even though the user has explicitly refused consent.

That’s a pretty dismal state of affairs. The GDPR is designed to give control to those visiting Web sites in the EU, and yet over half of the latter studied in detail fail to respect users’ choices. One person who has shown himself unwilling to accept the GDPR being flouted in this way is the privacy campaigner Max Schrems. Over the years, he has launched — and won — multiple legal challenges involving privacy and the GDPR. Now his privacy organization is turning its attention to disrespectful cookie banners: identified countless violations of European and French cookie privacy laws as CDiscount, Allociné and Vanity Fair all turn a rejection of cookies by users into a “fake consent”. The privacy enforcement non-profit filed three formal [GDPR] complaints with the French Data Protection Authority (CNIL) today.

Up to 565 “fake consents” per user. Despite users going through the trouble of “rejecting” countless cookies on the French eCommerce page CDiscount, the movie guide and the fashion magazine Vanity Fair, these webpages have sent digital signals to tracking companies claiming that users have agreed to being tracked online. CDiscount has sent “fake consent” signals to 431 tracking companies per user, Allocine to 565 and Vanity Fair to 375, as the analysis of the data flows now show.

Schrems points out that one company taking advantage of “fake consent” is Facebook, which is happy to place cookies after people have clearly objected to all tracking. That means the scale of the potential GDPR breach is considerable. It will be some time before CNIL hands down its decision, but based both on Schrems’ track record and on the facts of the case, it seems probable that he will prevail once more. Although the initial ruling will only apply to France, it is likely to be followed by data protection authorities in other EU countries. If any of the Web sites mentioned above challenge a result that goes against them, there may be a referral to the EU’s top court, whose decision will be definitive and apply across the whole region. That, in its turn, is likely to influence online privacy laws around the world, as the GDPR is already doing.

Follow me @glynmoody on Twitter, Diaspora, or Mastodon.

Filed Under: , , , , ,

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Guess What? Many Cookie Banners Ignore Your Wishes, So Max Schrems Goes On The GDPR Attack Again”

Subscribe: RSS Leave a comment

This comment has been flagged by the community. Click here to show it.

Anonymous Coward says:

The whole and original problem with computers comes down to the simple fact YOU DO NOT OWN the operating system on your computer, YOU RENT IT, thus YOU HAVE NO RIGHTS.

You thus have no right to determine what appears or what does not appear on your computer; the right to determine that is held by the owner of the operating system.

Until the operating system rental issue is resolved in favor of the owner of the physical hardware the hardware owner has NO LEGAL RIGHT to deny all sorts of trash from appearing on their computer.

That means that hardware owner can not go to court, sue the spammers, and receive a judgement in their favor and if the hardware owner does not like this then the hardware owner can write their own operating system which will be owned by the hardware owner.

If you do not like the above situation then you need to discuss this with the various courts and legislative bodies that have authority to correct the legal issues.

This comment has been deemed insightful by the community.
Anonymous Coward says:

Re: Re: Re: Re:

If there were no advertising on TV, streaming or the web you would find a great many channels, sites and services shutting down for lack of revenue. Many of those that remain would become subscription services with no access at all unless you pay them directly. "Free" games would largely become a thing of the past as you would now have to pay up-front for all games or expect all games to have in-game sales. Is that the world you would like to live in?

Or maybe, just maybe, you could find ways to avoid having to see ads such as subscribing to services that offer an ad-free tier, only buy video-on-demand and games that are non-free, and otherwise always pay your own way.

Yeah, ads suck, but they’re saving you a lot of money in exchange for a bit of time and patience and they enable a whole lot of options to be available that otherwise could not.

Anonymous Coward says:

Re: Re: Re:2 Re:

The real problem is not adverts, but rather that marketing people believe that they ave the right to collect as much information as possible about people so as to target adds. Laws to limit the collection of data by companies to that needed for sales completion and delivery of actual services, (note adverts are excluded from services), would do a lot to eliminate cooking and tracking on the web.

This comment has been deemed insightful by the community.
Anonymous Coward says:

Re: Re:

This isn’t about the operating system on the local computer. It’s about websites tracking people to spam them with intrusive advertising. I could board up Windows and find some 31337 h3X0r d00Dz who managed to hack into Linux headquarters to steal the source code for their enterprise O/S, but the issue would remain the same.

Anonymous Coward says:

Re: Re: Re:

hack into Linux headquarters to steal the source code for their enterprise O/S

what is this i don’t even… it’s not even wrong. (Despite the point of the post being correct.)

But here, i hacked into the very heart of Linux headquarters. This is the secret link. Or, you know, you can compile an entire distro from source or roll your own. Hell, you can even go with something other than a gnu/linux. There are some enterprise distros, but they aren’t going to be a significant difference (if any) from non-enterprise, for a single user desktop.

This comment has been deemed insightful by the community.
Anonymous Coward says:

Re: Re:

if the hardware owner does not like this then the hardware owner can write their own operating system

Or use one of the several popular operating systems, or hundreds of more obscure ones, that people have already created and posted online for people to use (with rights!). But what’s that got to do with cookies?

This comment has been deemed insightful by the community.
Wyrm (profile) says:

Re: Re:

You’re wrong on so many points.

  • The OS doesn’t manage the cookies. The browser does. Though when using Windows, there is a chance you use the OS-provided browser, but you can decide on the browser independently from the OS. In some case, you can add plug-ins or set options to block cookies altogether.
  • Your data is being tracked, not that of the "owner" of the OS. The privacy laws don’t care whose OS it is, it’s the user private data that is in question. You can sue anyone who keeps your data, regardless of who owns the computer, the OS or the browser.

You’re welcome to try again once you’ve informed yourself on the subject.

James Burkhardt (profile) says:


The topic, based on the title, is cookie banners, and Sites that use cookie banners also have been using them here in the US in an abundance of caution. But it is unlikely they are better with US user’s consent. Therefore, while the article mainly discusses the implications of the research in regards to the GDPR, discussions about the applicability of the CFAA to the findings of the research is pertinent to the discussion of cookie banners ignoring user input.

To answer the question, I do not think that ignoring user prefrences from the cookie banner will lead to hacking under the CFAA. The cookie might be seen as fitting under ‘exceeding access’ claims, but showing sufficent damage to waarant a criminal complaint would be difficult. (remember, the CFAA does not have a private right of action, its a criminal statute.)

James Burkhardt (profile) says:

Re: Re: Re:2 IANAL

A site operator can inflate damages in ways a user can not. A site operator can contribute to political campaigns of a State AG. I specifically highlighted that the barrier was the threshold to get investigators looking at criminal action. A site operator of the sites seen abusing the CFAA is a powerful entity which can make things happen in ways a private individual could not.

Anonymous Coward says:

Re: Re:

I’m pretty sure they’re not deliberately harassing you in this manner. More likely the developers never thought to consider browsers with cookies disabled. Their code runs when a cookie is not set and sets a cookie; they’ve assumed the cookie will always be successfully set, which would prevent the code from running again. They probably only ever tested it in a few browsers with standard configurations, none of which included a browser that prevented cookies from being set.

One solution is to install an extension that lets you hide elements. You can write a CSS rule for that site to not display the popup. "Stylus" is one such extension.

David says:

It's not only that.

Try to opt out from cookies from Verizon, assuming they are being veracious with their opt-out screen(s).

They open up to a screen with about a dozen different services they provide. For every single service, you have about 6 screens of options to trigger, then let your options be "processed" by some sort of cookie alliance. The "processing" of the opt-outs is only every partially successful and takes about 2 minutes per screen. It does not process if you remove focus from the respective tab/window, so you cannot do stuff in parallel.

Which means that opting out from cookies for various user-tracking purposes from Verizon is a process that, if done correctly and diligently, takes over an hour. And you don’t really know whether this will change anything: a lot of the steps report only partial success and recommend trying again.

The total number of people on Earth who went through all of that successfully is probably a one-digit number, probably even if you express it in binary.

Everybody else is assumed to consent to tracking in various forms.

Anonymous Coward says:

Cookies aren't just for tracking

Cookies are used to store information, typically your session ID, so that you remain logged into a website. If you disallow cookies you can’t use the service as it needs to send your session cookie with each request you make to the server to identify you. If the cookie is missing it doesn’t know who you are and asks you to log in so it can store a cookie identifying you.

Sites that don’t require a login but still want to store cookies? Yeah, those are for tracking.

Anonymous Coward says:

it may be a pretty dismal state of affairs, as the article states but no one gives a fuck anymore about how the people are affected! if it is/was a company affected, there would be all hell let loose and the perpetrators would be shut down, scooped up and locked up for life! if anyone has the audacity to take 1p away from the coffers of any company or person, those responsible deserve to be flogged to death or never see the light of day again. if, however, a company does anything that is detrimental to a single ordinary person or the whole Planet, no one lifts a finger because those responsible go straight to the corrupt politicians and security service heads, throw them ‘some bones’ and just carry on down the same road! corruption in almost all countries is rife, especially in governments worldwide. the desire to stop people from having any rights at all is of paramount importance to politicians, security services heads, courts, the rich, the famous and the elite, as well as all their associated friends. that is why there is this storm of new laws that are so similar everywhere, that are/have been brought in that take our rights away, with no consideration or consultation because the best thing that has ever been invented on this Planet to date, The Internet, gave us the availability of information and the ability to access, read and pass on that information that allows us to know exactly what those mentioned above have been, are and are going to be up to that make them continue to be exceedingly rich and, most importantly, IN TOTAL CONTROL of us, while we are losing everything that we fought for, earned and should still be entitled to! and most of what we have had taken from us has been done in USA courts and then other countries have been threatened to do the same! what an asshole world is being produced where the few are so scared of losing control and riches that they are stopping it by taking everything from us! and we keep voting the same fuckers in who are doing it! talk about stupid!!

Anonymous Coward says:

Re: Re:

Except… the People is exactly what the relevant law is about, even if the EU and its members kind of fucked up parts of it. Which is why Max Schrems wins privacy cases invoking such laws.

I get the idea, but when you argue a point (or rant or pontificate or whatever this is) and do it poorly, you loose points for your position.

bhull242 (profile) says:

Re: Re:

Despite the fact that I consider myself to be a bit of a grammar Nazi, I don’t like to correct grammar, spelling, and syntax on internet fora too often. However, this mess is really hard to read.

First of all, the inconsistent capitalization is really annoying. Capitalize the first letter of the first word of sentences and quoted sentences, the first letter of most words in proper nouns (names of people, specific businesses, organizations, brand names, laws, regulations, parks, specific buildings, cities, counties, districts, states, provinces, countries, multinational groups, wars, important battles, continents, planets, stars, moons, or galaxies; titles of books, movies, periodicals, most websites, games, or software; months; days of the week; and a few others) and most or every letter of an initialism (such as U.S.A., NASA, or DMCA). For the most part, don’t capitalize anything else, like “planet” or “the internet”. Capitalizing in these places and only these places makes it easier to distinguish the beginnings and ends of sentences and find unique identifiers, greatly improving readability.

Second, when typing something as long as this, you should probably try to break it down into multiple paragraphs with a blank line or other spacing between them. Otherwise it just looks like a huge wall of text that’s hard to read.

There’re also some punctuation and other grammar errors, but just fixing those two problems would make it a lot easier to read. I’d also suggest using markdown for emphasis instead of all-caps, which seems like shouting and violates standard netiquette when some form of markup or font styling is available. All caps also reduces readability when typed (not written). If you don’t know about markdown, there’s a link below the textbox you use when you write a comment that can explain more.

Hope you find this useful!

Anonymous Coward says:

Schremp’s org isn’t making a distinction between cookies used for good or ill purposes, so the story sounds far worse than it should. Curious how any site is supposed to manage the sessions of people that opt-out but still try to use the service, without actually tracking them or placing a cookie.

Continued use of a service, after notification of the cookie requirement via banner or pop-up, is positive consent. The alternative is that every person would have to be alerted and agree to the terms of use every time they load a new page. Cross-platform functionality will also be severely impaired if positive consent can’t be inferred from continued use.

Federico (profile) says:

Re: Purpose of a cookie

Except they do make a distinction. It helps if you actually read what you’re commenting. The complaint states:

Article 82 of the loi Informatique et Libertés provides that the requirement of prior consent does not
apply if access to information stored in the user’s terminal equipment or the registration of information
in the user’s terminal equipment (1) has the exclusive purpose of allowing or facilitating
communication by electronic means; or (2) is strictly necessary for the provision of an online
communication service at the user’s express request. These exceptions are strictly interpreted by the
French authorities. In a decision of 6 June 2018, the Conseil d’Etat considered that all cookies that are
set for advertising purposes cannot be treated as cookies "strictly necessary for the provision" of an
online communication service, even when such cookies are necessary for the economic viability of a
website (Council of State, 10th – 9th chambers together, 06/06/2018, 412589).

Wyrm (profile) says:

Consent stored before choice
No way to opt out
Pre-selected choices
Non-respect of choice

I’ve seen a ton of sites guilty of point 2. You get a nice banner telling you "we use cookies", and that’s all. Definitely no opt-in, and not even an opt-out.

I don’t necessarily mind point 3 as long as it’s clear: if the law requires an opt-out, you can pre-select consent. You cannot, however, start acting as if the user consents until the selection is submitted. That’s point 1, and it’s making the opt-out basically irrelevant since at least some data has already been collected and communicated by the time the user is done making a choice.

Point 4 is obviously the worst: you have an illusion of privacy that is not actually enforced. That’s not only circumventing consent, which points 1 and 2 are guilty of, but also adding an outright lie on top of it.

bhull242 (profile) says:

Re: Re:

Yeah, 3 is fine in my book. 2 is bad, but as long as it’s made clear, there is still the option to not use that site based on that fact. 1 is even worse, because you’re effectively opting out rather than opting in, even if the option is presented up front. 4 is just horrible, combining 1 and 2 together while also lying about doing either.

ECA (profile) says:

it took them how long to figure this out??

Ok, I can stop laughing..
Its just silly to think anyone would even test this. SAID the site/advert corp/everyone else.

Do you know how much Stuff we have vacuumed says the corps??
(even tho we asked and didnt pay attention when everyone said NO, because we Knew they would say No, and we didnt like that we couldnt do it, If they said we did it anyway)

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...