I examined 50 popular websites’ data collection habits — and the results aren’t good

Many big companies gather our data illegally

Cookies are small text files stored by websites on our internet browsers, which allow the website to gather information about us. Some cookies are necessary for us to be able to browse the site in question – for example, to add items to a shopping cart.

More contentious cookies track a user’s browsing behavior. There are first-party cookies, where the site in question tracks users’ behavior to offer them relevant products; and third-party cookies, where this is done by another company to allow others to advertise to the user instead – the classic example is Google Ads.

Cookies gather so much information that it is usually more than enough to identify the person behind the device. Besides visits to particular web pages, they can also record a person’s search queries, goods or services purchased, IP address, and exact location.

From this, it is possible to infer a person’s name, nationality, language, religion, sexual orientation, and other intimate details – most of which are special categories of personal data that cannot be processed without the explicit consent of the individual under the EU ePrivacy Directive and the EU and UK’s General Data Protection Regulation (GDPR).

The GDPR requires such consent to be specific, informed, unambiguous, and given freely – requiring affirmative action by the user. Unfortunately, this is not giving us a great deal of protection.

Websites have used various methods to get around the requirements. Most cookie consent requests used to be presented with pre-selected tick boxes that, by default, made individuals accept cookies on their devices. In 2019 the Court of Justice of the European Union (CJEU) decided websites could no longer do this, since it avoided the GDPR’s affirmative action requirement. But such is the value of the data that can be gathered using cookies that websites merely switched to different workarounds instead.

The popular option is the one that saw Facebook and Google sanctioned by the CNIL in France. The CNIL essentially said that when it comes to refusing cookie consent, two clicks are too many: it meant that people are being pressured into consenting, and was therefore contrary to the GDPR’s free consent requirement. This presumably explains why, from a 2020 experimental study of users who had lived in the EU, 93% accepted cookies regardless of having a second window option for managing them.

The wider issue

The French interpretation of the GDPR is not binding on the British courts, the CJEU or other regulators in Europe. So, once the CNIL’s three-month deadline runs out, websites with similar imbalanced cookie consent in other GDPR countries might claim there is an ambiguity in the law around what counts as consent. But really the law is quite clear and the French interpretation should be a strong signal that other privacy authorities will reach a similar conclusion.

And yet, when I looked at 50 randomly chosen well-known websites, only 15 (30%) appear to comply with the EU/UK data privacy laws. Some of those sites which are compliant, such as ebay.co.uk, provide “Accept” and “Decline” buttons in the same banner. Others such as bbc.co.uk make it more difficult to reject cookies but allow users to browse without consenting to them.

As many as 32 (64%) of the sites did not appear to comply with EU and UK cookies laws. These include Google, Facebook, and Twitter, as well as other major businesses such as Ryanair and the website of the Daily Mirror.

Twitter, for example, merely notifies the user of consent in a banner that states: “By using Twitter’s services, you agree to our cookies use”. Other companies, including Google and Facebook, hide the refuse/decline button in a second window. Still others, such as Ryanair, create a cookies wall where visitors may use the site only if they choose “Yes, I agree” or go to the “View cookies setting” to select their preferences.

There were a further three websites where it was either unclear or borderline as to whether they were within the rules. Spotify, like the BBC, has a typical cookies banner but lets users browse without accepting the cookies. But its cookies banner covers half of the device screen. This reduces the quality of the user’s browsing experience and could potentially be regarded as a coercive practice.

The fact that big tech companies are not complying with cookies laws suggests that millions of citizens are likely having their personal data gathered unlawfully. It is hard not to wonder if some companies are knowingly breaching the rules because they generate so much revenue from their cookies that it’s worth risking a sanction for a privacy breach.

They may also be betting that the relevant authorities are too underfunded or understaffed to enforce the rules. For example, a recent report by the Dutch ombudsman highlighted that the relevant authority in that country had 9,800 unresolved privacy complaints at the end of 2020. And according to the Irish Council for Civil Liberties, “almost all (98%) major GDPR cases referred to Ireland remain unresolved” – in part due to lack of budget and sufficient specialist staff. The situation is unlikely to be radically different in other EU countries.

If the UK and EU are serious about protecting citizens’ privacy, they need to amend the rules to be more specific about what a consent window should look like, and run information campaigns to make it clear to citizens that withholding consent cannot in any way limit their browsing experience. They should also allocate the required resources to enforce the rules. Only then will the laws around these little-understood tools for harvesting our data be fit for purpose.

We asked Meta, Alphabet, Ryanair, Twitter, and Daily Mirror publisher Reach if they would like to comment. Reach declined and Alphabet, Twitter, and Ryanair did not respond. Meta said:

This article by Asress Adimi Gikay, Lecturer in AI, Disruptive Innovation and Law, Brunel University London, is republished from The Conversation under a Creative Commons license. Read the original article.
