Consensual Cookies: When No Really Means Yes.

One of the most visible manifestations of the EU General Data Protection Regulations (GDPR) is the cookie banner that pops up when you visit many sites for the first time. These are designed to give visitors the opportunity to decide whether they want to be tracked, and if so by whom.

Any business operating Internet sites in the EU should theoretically use them or something similar, or risk a GDPR fine of up to 4% of global turnover. Cookie banners may be tiresome, but at least they give users some measure of control over how much they are tracked online. But do they?

Few of us have the skills or the time to check that our wishes are obeyed by every site. Fortunately, three researchers in France – Celestin Matte, Nataliia Bielova, Cristiana Santos – possess both, and have conducted the first rigorous study of this area. They have written a good summary of their full academic paper.

An initial scan of 22,949 Web sites from the EU domains, as well as .org and .com, showed 1,426 that had cookie banners based on the Interactive Advertising Bureau Europe Transparency and Consent Framework, the main industry standard for this area.

Of those, the team of researchers took a close look at 560 Web sites from .uk, .fr, .it, .be, .ie and .com domains to detect possible GDPR violations. Shockingly, they found four types of violations in cookie banners, across 305 Web sites – 54% of the sample:

1. Consent stored before choice: The cookie banner stores a positive consent before the user has made their choice in the banner. Therefore, when advertisers request for consent, the cookie banner responds with the positive consent even though the user has not clicked on a banner and has not made their choice yet.

2. No way to opt out: The banner does not offer a way to refuse consent. The most common case is a banner simply informing the users about the sites use of cookies

3. Pre-selected choices: The banner gives user a choice between one or more purposes or vendors, but some of the purposes or advertisers are pre-selected: pre-ticked boxes or sliders set to accept.

4. Non-respect of choice: The cookie banner stores a positive consent in the browser even though the user has explicitly refused consent.

That is a pretty dismal state of affairs. The GDPR is designed to give control to those visiting Web sites in the EU, and yet over half of the latter studied in detail fail to respect users choices. One person who has shown himself unwilling to accept the GDPR being flouted in this way is the privacy campaigner Max Schrems. Over the years, he has launched – and won – multiple legal challenges involving privacy and the GDPR.

Now his privacy organization noyb.eu is turning its attention to disrespectful cookie banners:
noyb.eu identified countless violations of European and French cookie privacy laws as CDiscount, Allocine and Vanity Fair all turn a rejection of cookies by users into a fake consent. The privacy enforcement non-profit noyb.eu filed three formal [GDPR] complaints with the French Data Protection Authority (CNIL) today.

Up to 565 fake consents per user. Despite users going through the trouble of rejecting countless cookies on the French eCommerce page CDiscount, the movie guide Allocine.fr and the fashion magazine Vanity Fair, these webpages have sent digital signals to tracking companies claiming that users have agreed to being tracked online. CDiscount has sent fake consent signals to 431 tracking companies per user, Allocine to 565 and Vanity Fair to 375, as the analysis of the data flows now show.

Schrems points out that one company taking advantage of fake consent is Facebook, which is happy to place cookies after people have clearly objected to all tracking. That means the scale of the potential GDPR breach is considerable. It will be some time before CNIL hands down its decision, but based both on Schrems track record and on the facts of the case, it seems probable that he will prevail once more.

Although the initial ruling will only apply to France, it is likely to be followed by data protection authorities in other EU countries. If any of the Web sites mentioned above challenge a result that goes against them, there may be a referral to the top court in the EU whose decision will be definitive and apply across the whole region. That, in its turn, is likely to influence online privacy laws around the world, as the GDPR is already doing.

Full academic paper here: https://arxiv.org/abs/1911.09964