Amsterdam Law School
21 March 2024
Just a quick reminder: What are digital cookies again? ‘They’re small files installed on your computer to gather information’, says Zac. ‘Your location, IP address, previously visited pages, and email address are examples of information that cookies track and collect.’ Websites are legally obliged to get permission to gather personal data – hence the annoying pop-ups. ‘The regulation aimed to protect the privacy of EU citizens online’, Zac explains.
What is the level of compliance when it comes to the requirements of consent? That’s the question Zac asked in the research he conducted along with Ahmed Bouhoula, Karel Kubicek, Carlos Cotrini, and David Basin from the computer science department at ETH Zurich. They created an automated process using machine learning methods, which allowed them to analyze 100 thousand websites in Europe. The results were stunning: around 90 percent of websites seem to fail at least one requirement. ‘That’s an incredibly high percentage. If this percentage of people did not follow traffic laws, people would not leave their homes. The online world seems to be different from the offline world, and I wanted to know why,’ he says.
Some websites operate under the impression that they won’t get caught
The research differentiates between two types of violations: ‘naive violations’, as Zac calls them, and back-end intentional violations. ‘An example of a naive violation is to not ask for consent to collect cookies at all.’ The research showed that 32 percent of websites visited by European users lacked a question for consent altogether. ‘These violations are visible and easy to detect. So visible that the France Data Protection Agency (CNIL) has already fined Google, and others, for not including a reject button next to the accept button for cookies. We found that 56% of our studied sample is still missing a reject button’.
A back-end violation is sneakier and happens behind the veil of compliance, which makes it much harder to notice. ‘It means a website does whatever it wants on the back-end, regardless of your answer. When you reject all cookies, it still uses tracking cookies, even though you have explicitly opted out. Our study shows that 65% of the websites we were able to test ignore user rejection choices. Websites also often collect information before you answer the consent pop-up, or register closing the pop-up screen as giving consent. The law does not allow that in most cases. Explicit consent is needed for gathering your data.’
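The naive and back-end violations described above can be checked mechanically once a crawler has recorded when each cookie was set relative to the visitor's choice on the banner. The following is an added example, not code from the study: the event format, the hand-assigned `purpose` labels (the study used machine learning for this step) and the sample timelines are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Event:
    t: float                  # seconds since page load
    kind: str                 # "banner", "choice" or "set_cookie"
    detail: dict = field(default_factory=dict)

def audit(events):
    """Return the sorted violation labels found in one visit's timeline."""
    findings = set()
    banners = [e for e in events if e.kind == "banner"]
    if not banners:
        findings.add("no_consent_banner")
    elif not any("reject" in b.detail.get("buttons", []) for b in banners):
        findings.add("no_reject_button")

    choice = None  # the visitor's latest action on the banner, if any
    for e in sorted(events, key=lambda e: e.t):
        if e.kind == "choice":
            choice = e.detail["action"]
        elif e.kind == "set_cookie" and e.detail.get("purpose") == "tracking":
            if choice is None:
                findings.add("tracking_before_consent")
            elif choice == "reject":
                findings.add("tracking_after_reject")
            elif choice == "close":
                findings.add("close_treated_as_consent")
    return sorted(findings)

# Constructed timelines (assumed sample data, not results from the study).
SITE_A = [  # banner looks compliant, back end ignores the answer
    Event(0.1, "set_cookie", {"name": "session", "purpose": "necessary"}),
    Event(0.2, "banner", {"buttons": ["accept", "reject"]}),
    Event(0.4, "set_cookie", {"name": "_trk", "purpose": "tracking"}),
    Event(3.0, "choice", {"action": "reject"}),
    Event(3.5, "set_cookie", {"name": "ad_id", "purpose": "tracking"}),
]
SITE_B = [  # no reject button, and closing the pop-up counts as consent
    Event(0.2, "banner", {"buttons": ["accept"]}),
    Event(2.0, "choice", {"action": "close"}),
    Event(2.3, "set_cookie", {"name": "_trk", "purpose": "tracking"}),
]
SITE_C = [  # tracking starts only after an explicit accept
    Event(0.2, "banner", {"buttons": ["accept", "reject"]}),
    Event(2.0, "choice", {"action": "accept"}),
    Event(2.5, "set_cookie", {"name": "_trk", "purpose": "tracking"}),
]
```
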
In addition, companies use so-called ‘dark patterns’ to nudge for more consent. ‘The classic example is the use of colors. The accept button is made more attractive by the use of bright colors and the reject button is made less visible and colorful. Another example is hiding the reject option by using smaller letters, making it harder to notice. The research showed that on many websites the “accept” and “reject” buttons for cookies look very different, which might indicate user manipulation.’
It’s a facade of compliance
The machine learning method the researchers created allowed them to differentiate between violations made by popular websites and smaller websites. ‘We found that the popular websites score low when it comes to the easily detectable violations, such as not having a consent banner. However, these websites score relatively high on the back-end intentional violations. Popular websites are a bit sneakier about violating your rights. They give you the feeling you’re protected by asking for consent. But in reality, it’s worse because they ignore your choices. It’s a facade of compliance.’
Is it then still worth the effort to refuse cookies? ‘I still take cookies seriously. I always say no and minimize my exposure to random click traps online. You can install an extension on your browser that blocks attempts to collect your data, regardless of your cookie answer, or use a VPN. Although I think most users don't bother, maybe because of the illusion that makes them believe they are protected under the system.’
‘At this point, cookie consent notices are broken,’ states Zac. So how do we fix this gap between the law and reality? ‘Some small companies lack the technical and legal knowledge to comply with regulations. We want to help small and medium-sized players to become compliant by offering them useful technology. Policymakers should also help the naive players because not all companies are intentionally violating the law.’
Unfortunately, other companies are. For them, a different approach is needed. ‘Some websites operate under the impression that they won’t get caught. This is where the internet becomes the Wild West. Data protection agencies can't keep up with the technology and the diffusion of dark patterns. We need new technologies to address this on a much bigger scale. That's the next step. I want to approach the right people in the Netherlands and say to them: “We have the methods here to boost compliance with the law.”’