Status of Cookie Consent in the Age of Privacy
The New Trend
By now you have seen them. They are everywhere. Cookie consent notices have sprung up like flowers on a fine Spring morning and cannot be avoided when surfing the Internet.
You might think that these are related to the new European Data Privacy Laws or GDPR (General Data Protection Regulation) that became effective last year. You might also think that, although they might be highly annoying, they provide you with a higher sense of control over your interaction with any given site.
Unfortunately, you would only be partially right on both accounts. But, let us come back to this in a bit.
What is a Cookie?
First let us go back for a second and look at what a cookie is.
A cookie is nothing more than a very small text file. When you visit a website, the server that hosts that site asks your browser to place this file on your computer, typically somewhere within your browser cache files. Once it’s on your computer, the cookie acts a lot like a membership card you might have for your local gym. With each visit, your browser flashes this card back to that site. The cookie lets the site know who you are and any other relevant information necessary for personalizing your user experience.
The exact information stored in the cookie will vary from site to site, depending on what information is necessary for that particular system. In most cases, it will identify you as a repeat visitor in some way. For example, if the site requires a login, the cookie may allow you to remain logged in, or if you had a favorite site theme, it may remember to display the site in that way. Another example: if you place an order and use a physical store as your pickup location, the site may display the inventory available there first.
This membership-card-like behavior makes cookies ideal for tracking, especially when they are used across many sites and when these sites start talking to each other via syndication and AI. This means cookies can be used to track your online behavior in high detail. Companies like Google, Facebook, Amazon, and DoubleClick have built extensive profiles on internet visitors. With sufficient interactions, an online persona can be built on which experiments can be conducted to find the best way to influence the real you.
You could easily dismiss this as a strange and improbable future tale if it were not for detailed evidence of its use today. For example, Cambridge Analytica’s whole premise was to find out the best way to manipulate users by using behavioral modeling. And if you thought it was strange that Facebook ads appeared for items you searched for on Amazon, you should take notice of the secret data sharing agreements between the two companies.
Fortunately, when you live in Europe the laws are spelled out more clearly.
The EU Cookie Law
“Natural persons may be associated with online identifiers … such as internet protocol addresses, cookie identifiers or other identifiers…. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.”
(Excerpt from Recital 30 of the EU GDPR)
The idea is relatively simple: cookies that can be used to uniquely identify a person should be treated as personal data. The law affects identifiers used for analytics and advertising, but also those used for functional services like surveys and chats. In practice:
- You need to provide detailed information regarding how that cookie data will be utilized.
- If they refuse, you need to ensure that cookies will not be placed on their machine.
To be clear, implied consent such as “By using this site…” is no longer sufficient. You have to implement a solid consent-management framework to add and/or remove cookies from users’ machines.
This must be easy to use. In other words, consent must be as easy to give as to withdraw, and sites should provide an opt-out option.
A Veneer of Compliance
On the surface, this seems pretty straightforward, and all websites seem to have implemented it; after all, you get inundated with all the cookie consent messages we spoke of at the beginning of this article.
Unfortunately, we at XcooBee find ample evidence that this is as far as most sites are willing to go. They pop up cookie notifications and cookie opt-in messages, but when we opt-out and we check underneath to see whether cookies are actually removed, we see a horrid lack of compliance.
We are not professing this to be a scientific study, but from our countless checks we found this to be the more common pattern. You can verify this yourself next time. For example, when using the Google Chrome browser, press the F12 key and then open the Application tab to see the cookies placed on your machine for that site.
Here is an example where we declined all cookies on this popular blog website below. Nonetheless, when reviewing cookies, we see 49+ cookies with many from third party advertisers still present.
We find that many times websites will set cookies before actually asking for consent and do not have an opt-out at all. To comply with the legal requirements, they would have to deem all of these cookies strictly necessary. This seems excessive and technically inelegant to us. In the example below, we had not clicked on the Accept Cookies button yet, but as you can see, cookies had already been saved on our computer.
Why is this happening?
Most websites depend on third-party services. For example, a website will connect to Google Analytics to analyze site traffic, and to social media providers to allow more convenient login, etc. This is standard and expected functionality of websites. However, many third-party providers such as Google or Facebook also bring their own set of cookies that cannot be controlled by the website owners.
Unfortunately, third-party providers do not think of cookie life-cycle management as an important part of their products at this time. For example, it is exceedingly easy to plug Google Analytics services into your website. Many examples exist to show website owners how to accomplish this. Google, of course, will set cookies to provide its service. On the other hand, there are zero examples that we could find that show a website owner how to remove cookies set by Google should a user withdraw consent.
Missing programming and implementation frameworks are another quandary. Website owners and programmers do not have a good pattern to follow. Most programming examples focus on displaying the cookie notice itself, with the assumption that the website designer can figure out a good pattern for managing the remainder. This is, of course, a flawed assumption.
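As an added illustration of the missing pattern (this is example code written for this article, not XcooBee's Cookie Kit or any provider's API), here is a small consent life-cycle in browser JavaScript. It covers both the check described above (which cookies are present before the visitor has answered) and the withdrawal case: non-consented first-party cookies are expired, and third-party integrations are only loaded once their category has been consented to. The cookie names in the policy table are constructed placeholders, not a real site's inventory; the `env` object stands in for `document.cookie`, `location.hostname` and the site's own script loaders so the logic can run outside a browser.

```javascript
// Added example, not from the original article or the XcooBee Cookie Kit.
// Constructed policy: which first-party cookies belong to which category.
// The names are illustrative placeholders.
const POLICY = {
  necessary: ['session', 'csrf_token', 'cookie_consent'],
  analytics: ['_ga', '_gid'], // set by an analytics script on the site's own domain
  advertising: ['ad_uid'],
};

// Parse a document.cookie string ("a=1; b=2") into a name -> value map.
function parseCookieString(s) {
  const out = {};
  for (const part of s.split(';')) {
    const p = part.trim();
    if (!p) continue;
    const eq = p.indexOf('=');
    out[eq === -1 ? p : p.slice(0, eq)] = eq === -1 ? '' : p.slice(eq + 1);
  }
  return out;
}

function categoryOf(name) {
  for (const [cat, names] of Object.entries(POLICY)) if (names.includes(name)) return cat;
  return 'unknown'; // not in the inventory: treat as non-consented
}

// Audit: report every cookie that should not be present for this consent
// state. Before the visitor has answered, consent is empty and only the
// 'necessary' category passes, so this also detects "set before consent".
function auditCookies(cookieString, consent) {
  const present = parseCookieString(cookieString);
  return Object.keys(present).filter((name) => {
    const cat = categoryOf(name);
    return cat !== 'necessary' && !consent.has(cat);
  });
}

// A cookie can only be removed with the same Domain/Path it was set with,
// so build one expiring assignment per candidate domain (host and each
// parent domain) and path. Cookies belonging to another site's domain are
// out of reach from here; those must simply never be set without consent.
function expireStatements(name, host, paths = ['/']) {
  const labels = host.split('.');
  const domains = [null];
  for (let i = 0; i < labels.length - 1; i++) domains.push(labels.slice(i).join('.'));
  const out = [];
  for (const d of domains) {
    for (const p of paths) {
      out.push(`${name}=; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Path=${p}` + (d ? `; Domain=${d}` : ''));
    }
  }
  return out;
}

// Apply a consent decision: expire non-consented first-party cookies and run
// only the third-party loaders whose category was consented to. Returns the
// names that were removed so the decision can be logged.
function applyConsent(consent, env) {
  const offending = auditCookies(env.getCookies(), consent);
  for (const name of offending) {
    for (const stmt of expireStatements(name, env.host)) env.setCookie(stmt);
  }
  for (const [cat, loader] of Object.entries(env.loaders)) if (consent.has(cat)) loader();
  return offending;
}

// In a real page, env would be built from the browser globals, e.g.
//   { host: location.hostname,
//     getCookies: () => document.cookie,
//     setCookie: (s) => { document.cookie = s; },
//     loaders: { analytics: loadAnalyticsScript } }   // loader names are hypothetical
```

Two caveats a practitioner should keep in mind: cookies flagged HttpOnly are invisible to `document.cookie` and must be expired by the server instead, and a cookie set by a third-party domain (as opposed to a third-party script setting a cookie on your domain) cannot be removed by your page at all, which is why the loaders are gated on consent rather than cleaned up afterwards.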
Missing enforcement is another angle that contributes to the current status quo. In simple terms, if no one is getting called out and held accountable, there is no incentive for improvement. The agencies in charge have their hands full getting a handle on the mainstream changes of the GDPR. How are they going to evaluate the myriad websites and their different ways of implementing cookie consent?
There are no standards for how websites communicate their cookie status, so checking websites and seeing how they have implemented cookie consent relies on user reporting. As you can see, some technical skill is needed to validate this. We at XcooBee believe there should be an electronic standard that helps regulators and visitors alike.
XcooBee Cookie Kit
In general, if you have sufficient resources this can be fixed easily. There are, of course, consulting services and high-end enterprise solutions available to solve this and other GDPR problems. These are, however, out of reach for many small and medium-sized businesses.
We at XcooBee focus on building tools to make the complex realm of privacy and privacy compliance easier to use. To that end we have released a number of website and programming tools under our XcooBee Cookie Kit projects.
For WordPress users this is available as a set of plugins that can be installed with one button click.
Our Cookie Kit takes a holistic approach and helps website owners manage the cookie-consent life-cycle and address the problems outlined in this article.
This goes beyond the mere display of cookie notices. The XcooBee Cookie Kit interacts with users to correctly obtain consent and save and remove cookies when consent is given or withdrawn. Website owners can, of course, control styling and display of visuals, etc.
With subscriptions to the XcooBee network, users can use crowd intelligence and cookie-type preferences while website owners can centrally manage and document consent.
The XcooBee Cookie Kit is released under the flexible Apache 2.0 open source license and is free to use. For further information please visit our respective sites.
- XcooBee Cookie Consent Plugin for WordPress
- XcooBee Cookie Kit for ReactJS Projects
- XcooBee Cookie Kit for Websites
Implementation and Improvement
In general, we urge all website owners to review their site’s cookie behavior and check that users’ opt-in / opt-out wishes are followed.
Start by checking your own website and see what actually happens when you opt out. Do you remove cookies? Do you set them before obtaining consent?
We are hopeful that despite the bad start to the year, this is an area where 2019 will bring many improvements and we will move from veneer-only implementations to actual implementation of best practices in cookie consent handling.