Guess What? Many Cookie Banners Ignore Your Wishes, So Max Schrems Goes On The GDPR Attack Again
from the lack-of-respect dept
One of the most visible manifestations of the EU’s General Data Protection Regulation (GDPR) is the “cookie banner” that pops up when you visit many sites for the first time. These are designed to give visitors the opportunity to decide whether they want to be tracked, and if so by whom. Any business operating Internet sites in the EU should theoretically use them or something similar, or risk a GDPR fine of up to 4% of global turnover. Cookie banners may be tiresome, but at least they give users some measure of control over how much they are tracked online. But do they? Few of us have the skills or the time to check that our wishes are obeyed by every site. Fortunately, three researchers in France — Célestin Matte, Nataliia Bielova, Cristiana Santos — possess both, and have conducted the first rigorous study of this area. They’ve written a good summary of their full academic paper.
An initial scan of 22,949 Web sites from the EU domains, as well as .org and .com, showed 1,426 that had cookie banners based on the Interactive Advertising Bureau Europe Transparency and Consent Framework, the main industry standard for this area. Of those, the team of researchers took a close look at 560 Web sites from .uk, .fr, .it, .be, .ie and .com domains to detect possible GDPR violations. Shockingly, they found four types of violations in cookie banners, across 305 Web sites — 54% of the sample:
Consent stored before choice
The cookie banner stores a positive consent before the user has made their choice in the banner. Therefore, when advertisers request for consent, the cookie banner responds with the positive consent even though the user has not clicked on a banner and has not made their choice yet.
No way to opt out
The banner gives user a choice between one or more purposes or vendors, but some of the purposes or advertisers are pre-selected: pre-ticked boxes or sliders set to “accept”.
Non-respect of choice
The cookie banner stores a positive consent in the browser even though the user has explicitly refused consent.
That’s a pretty dismal state of affairs. The GDPR is designed to give control to those visiting Web sites in the EU, and yet over half of the latter studied in detail fail to respect users’ choices. One person who has shown himself unwilling to accept the GDPR being flouted in this way is the privacy campaigner Max Schrems. Over the years, he has launched — and won — multiple legal challenges involving privacy and the GDPR. Now his privacy organization noyb.eu is turning its attention to disrespectful cookie banners:
noyb.eu identified countless violations of European and French cookie privacy laws as CDiscount, Allociné and Vanity Fair all turn a rejection of cookies by users into a “fake consent”. The privacy enforcement non-profit noyb.eu filed three formal [GDPR] complaints with the French Data Protection Authority (CNIL) today.
Up to 565 “fake consents” per user. Despite users going through the trouble of “rejecting” countless cookies on the French eCommerce page CDiscount, the movie guide Allocine.fr and the fashion magazine Vanity Fair, these webpages have sent digital signals to tracking companies claiming that users have agreed to being tracked online. CDiscount has sent “fake consent” signals to 431 tracking companies per user, Allocine to 565 and Vanity Fair to 375, as the analysis of the data flows now show.
Schrems points out that one company taking advantage of “fake consent” is Facebook, which is happy to place cookies after people have clearly objected to all tracking. That means the scale of the potential GDPR breach is considerable. It will be some time before CNIL hands down its decision, but based both on Schrems’ track record and on the facts of the case, it seems probable that he will prevail once more. Although the initial ruling will only apply to France, it is likely to be followed by data protection authorities in other EU countries. If any of the Web sites mentioned above challenge a result that goes against them, there may be a referral to the EU’s top court, whose decision will be definitive and apply across the whole region. That, in its turn, is likely to influence online privacy laws around the world, as the GDPR is already doing.