Browsing through the internet, it’s hard to escape those annoying pop-ups: “Control your cookies! Accept or decline”. You might make the effort to decline cookies. Privacy is key. Good for you. Right?
That’s mostly wishful thinking, according to the research of Amit Zac and his colleagues from the University of Amsterdam and ETH Zurich.
Websites are legally obliged to get permission to gather personal data – hence the annoying pop-ups. “The General Data Protection Regulation aimed to protect the privacy of EU citizens online,” Zac explains.
But what is the level of compliance when it comes to the requirements of consent? That’s the question the Dutch-Swiss research team asked in the study they conducted.
90 Percent Fail
The scientists created an automated process using machine learning methods, which allowed them to analyze about 100,000 websites in Europe. The results were shocking: around 90 percent of websites seem to fail at least one requirement.
“That’s an incredibly high percentage. If this percentage of people did not follow traffic laws, people would not leave their homes. The online world seems to be different from the offline world, and I wanted to know why,” Zac says.
The research differentiates between two types of violations: “naive violations,” as Zac calls them, and back-end intentional violations. “An example of a naive violation is to not ask for consent to collect cookies at all.”
No Consent Banner
The research showed that 32 percent of websites visited by European users lacked a question for consent altogether. “These violations are visible and easy to detect. So visible that the French Data Protection Agency (CNIL) has already fined Google and others for not including a reject button next to the accept button for cookies. We found that 56 percent of our studied sample is still missing a reject button.”
A back-end violation happens behind the veil of compliance, which makes it much harder to notice. “It means a website does whatever it wants on the back-end, regardless of your answer. When you reject all cookies, it still uses tracking cookies, even though you have explicitly opted out.”
“Our study shows that 65 percent of the websites we were able to test ignore user rejection choices. Websites also often collect information before you answer the consent pop-up, or register closing the pop-up screen as giving consent. The law does not allow that in most cases. Explicit consent is needed for gathering your data.”
In addition, companies use so-called “dark patterns” to nudge for more consent. “The classic example is the use of colors. The accept button is made more attractive by the use of bright colors and the reject button is made less visible and colorful.”
“Another example is hiding the reject option by using smaller letters, making it harder to notice. The research showed that on many websites the ‘accept’ and ‘reject’ buttons for cookies look very different, which might indicate user manipulation.”
Refusing Cookies
“We found that the popular websites score low when it comes to easily detectable violations, such as not having a consent banner. However, these websites score relatively high on the back-end intentional violations. Popular websites are a bit sneakier about violating your rights. They give you the feeling that you’re protected by asking for consent. But in reality, they ignore your choices. It’s a facade of compliance.”
Is it then still worth the effort to refuse cookies? “I still take cookies seriously. I always say no and minimize my exposure to random click traps online. You can install an extension on your browser that blocks attempts to collect your data, regardless of your cookie answer, or use a VPN.”
New Technologies
Zac: “Some small companies lack the technical and legal knowledge to comply with regulations. We want to help small and medium-sized players become compliant by offering them useful technology. Policymakers should also help the naive players because not all companies are intentionally violating the law.”
Unfortunately, other companies are. “Some websites operate under the impression that they won’t get caught. This is where the internet becomes the Wild West. Data protection agencies can’t keep up with the technology and the diffusion of dark patterns.”
“We need new technologies to address this on a much bigger scale. Then, I want to approach the right people in the Netherlands and say to them: ‘We have the methods here to boost compliance with the law.’”