Cookies and web privacy have been one of the main topics in the public tech consciousness. Governments and tech companies have all been trying to meet an ever-growing demand for digital privacy. While this has been good news for users, the ad industry has been hurting. An end to cookies may mean a loss of billions of dollars in ad revenue and a similar scale of loss in sales that use targeted ads to drive their sales.
According to European law, a website is mandated to provide its users with an “accept” or “reject all” button so that one can choose to either opt-in or out of cookies. Instead, some websites offer tedious “data choice” notifications that end up getting in your way when trying to accomplish something on the web.
Make no mistake, this is all intentional. It is designed to bog you down with a lot of confusing options and force you to consent to cookies.
Now some people have been quick to fault governments and laws such as General Data Protection Regulation (GDPR) for these tricks. The truth however is that these are not to blame. The laws are very clear: Web users should be offered a simple, free choice — to accept or reject.
The problem is that these websites are openly flouting these laws. They are choosing to wear their users down so that they ending up opting for the most ‘convenient’ choice possible. Some are even said to be ‘hiding’ the “reject all” button on the second or the third page while others don’t even have the decency of putting such an option at all.
This blatant breaking of privacy laws is subject to some very heavy fines. A good example is the big fines slapped on Amazon and Google for similar crimes.
However, despite these headline-making fines, European governments have not been particularly keen on enforcing privacy laws. This is why websites have been able to get away with these crimes all this time.
There might be good news on the horizon. There are signs that data protection agencies may take a tougher approach to bring sites to compliance. Some have for instance already published a comprehensive guide on what defines proper cookie compliance. This is so that no one can claim ignorance.
Another, albeit lesser effective method, is offering websites a grace period to adjust their cookie options. We are however already three years into the GDPR reign and there is simply no excuse for not having adapted accordingly to the new laws. It means that they may be stalling for as long as they can.
Noyb, a European privacy group has also been key in the fight for compliance. This week they kickstarted a serious massive campaign targeting non-compliers. They plan to file more than 10,000 complaints against several websites ranging from bigwigs such as Twitter and Google to smaller local pages. The campaign started with 560 complaints filed against websites from 33 countries all over Europe.
In a statement, noyb chair Max Schrems explained their position and rationale’
“A whole industry of consultants and designers develop crazy click labyrinths to ensure imaginary consent rates. Frustrating people into clicking ‘okay’ is a clear violation of the GDPR’s principles. Under the law, companies must facilitate users to express their choice and design systems fairly. Companies openly admit that only 3% of all users actually want to accept cookies, but more than 90% can be nudged into clicking the ‘agree’ button. Instead of giving a simple yes or no option, companies use every trick in the book to manipulate users. We have identified more than 15 common abuses. The most common issue is that there is simply no ‘reject’ button on the initial page.“
He further explained that as an NGO noyb is funded by donations and as such they seek ‘easy settlement options’ for quick resolutions.
Noyb has even introduced various innovations to make their work easier. They developed a tool that automatically parses cookie consent code and then identifies if they had complied with data protection regulations. If found to be ‘guilty’ the tool automatically creates a draft report that is sent to the offender after a review by noyb’s legal team.
Detailing the extent of non-compliance noyb’s spokeswoman said that of their initial list of 3600 websites they had narrowed down to, they determined that 3,300 had violated GDPR laws.
As governments and institutions toughen their stance on non-compliers the hope is that these measures will improve the web for both users and legitimate businesses.