Guess What? Many Cookie Banners Ignore Your Wishes, So Max Schrems Goes On The GDPR Attack Again
from the lack-of-respect dept
One of the most visible manifestations of the EU's General Data Protection Regulation (GDPR) is the "cookie banner" that pops up when you visit many sites for the first time. (Strictly speaking, the obligation to ask before storing cookies on a visitor's device comes from the older ePrivacy Directive; what the GDPR added in 2018 is the stricter standard that such consent has to meet: freely given, specific, informed and unambiguous.) These banners are designed to give visitors the opportunity to decide whether they want to be tracked, and if so by whom. Any business operating Internet sites in the EU should theoretically use them or something similar, or risk a GDPR fine of up to 4% of global turnover. Cookie banners may be tiresome, but at least they give users some measure of control over how much they are tracked online. But do they? Few of us have the skills or the time to check that our wishes are obeyed by every site. Fortunately, three researchers in France -- Célestin Matte, Nataliia Bielova, Cristiana Santos -- possess both, and have conducted the first rigorous study of this area. They've written a good summary of their full academic paper.
An initial scan of 22,949 Web sites from the EU domains, as well as .org and .com, showed 1,426 that had cookie banners based on the Interactive Advertising Bureau Europe Transparency and Consent Framework (IAB Europe TCF), the main industry standard for this area. The TCF matters for a study like this because it records the user's consent in a standard, machine-readable form in the browser, so a crawler can compare what a site actually stored with what the user clicked. Of those 1,426, the team of researchers took a close look at 560 Web sites from .uk, .fr, .it, .be, .ie and .com domains to detect possible GDPR violations. Shockingly, they found four types of violations in cookie banners across 305 Web sites -- 54% of the sample:
Consent stored before choice
The cookie banner stores a positive consent before the user has made their choice in the banner. Therefore, when advertisers request consent, the cookie banner responds with the positive consent even though the user has not clicked on a banner and has not made their choice yet.
No way to opt out
The banner does not offer a way to refuse consent. The most common case is a banner simply informing the users about the site's use of cookies.
Pre-selected choices
The banner gives the user a choice between one or more purposes or vendors, but some of the purposes or advertisers are pre-selected: pre-ticked boxes or sliders set to "accept".
Non-respect of choice
The cookie banner stores a positive consent in the browser even though the user has explicitly refused consent.
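The two violation types above that can be checked from stored state alone (consent stored before choice, non-respect of choice) come down to one question: does the consent string the banner wrote into the browser record a positive consent at a moment when the user has not accepted anything? Below is an added example, not the researchers' tool and not code from any site, that decodes an IAB TCF v1.1 consent string (the format stored in the `euconsent` cookie and returned by `__cmp('getConsentData')` at the time of the study) and compares it with the user's action. Field widths follow the public TCF v1.1 consent-string specification; the function names and the sample strings are this example's own, and the sample strings are constructed in the code rather than captured from a site.

```javascript
// Added example (not the study's tool, nor code from any site):
// decode an IAB TCF v1.1 consent string, the format CMPs stored in the
// "euconsent" cookie and returned via __cmp('getConsentData'), and check it
// against what the user actually did in the banner. Field widths follow the
// public TCF v1.1 consent-string spec; the strings tested are constructed.

// Header fields in order: [name, bit width]. The vendor section follows.
const FIELDS = [
  ['version', 6], ['created', 36], ['lastUpdated', 36], ['cmpId', 12],
  ['cmpVersion', 12], ['consentScreen', 6], ['consentLanguage', 12],
  ['vendorListVersion', 12], ['purposesAllowed', 24], ['maxVendorId', 16],
  ['encodingType', 1],
];

function base64urlToBits(s) {
  const buf = Buffer.from(s.replace(/-/g, '+').replace(/_/g, '/'), 'base64');
  let bits = '';
  for (const b of buf) bits += b.toString(2).padStart(8, '0');
  return bits;
}

function bitsToBase64url(bits) {
  const padded = bits + '0'.repeat((8 - (bits.length % 8)) % 8);
  const bytes = [];
  for (let i = 0; i < padded.length; i += 8) bytes.push(parseInt(padded.slice(i, i + 8), 2));
  return Buffer.from(bytes).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Returns the header fields plus `purposes` and `vendors`: arrays of the
// IDs for which the string records a positive consent.
function decodeConsentString(s) {
  const bits = base64urlToBits(s);
  let pos = 0;
  const out = {};
  for (const [name, width] of FIELDS) {
    out[name] = parseInt(bits.slice(pos, pos + width), 2);
    pos += width;
  }
  out.purposes = [];
  for (let i = 0; i < 24; i++) {          // MSB of PurposesAllowed is purpose 1
    if ((out.purposesAllowed >> (23 - i)) & 1) out.purposes.push(i + 1);
  }
  out.vendors = [];
  if (out.encodingType === 0) {           // bitfield: one bit per vendor ID
    for (let v = 1; v <= out.maxVendorId; v++) {
      if (bits[pos + v - 1] === '1') out.vendors.push(v);
    }
  } else {                                // range encoding
    const defaultConsent = bits[pos] === '1'; pos += 1;
    const numEntries = parseInt(bits.slice(pos, pos + 12), 2); pos += 12;
    const listed = new Set();             // IDs whose consent is !defaultConsent
    for (let i = 0; i < numEntries; i++) {
      const isRange = bits[pos] === '1'; pos += 1;
      const start = parseInt(bits.slice(pos, pos + 16), 2); pos += 16;
      let end = start;
      if (isRange) { end = parseInt(bits.slice(pos, pos + 16), 2); pos += 16; }
      for (let v = start; v <= end; v++) listed.add(v);
    }
    for (let v = 1; v <= out.maxVendorId; v++) {
      if (listed.has(v) !== defaultConsent) out.vendors.push(v);
    }
  }
  return out;
}

// Builds a string with bitfield vendor encoding; used here only to construct
// sample input. `f.purposes` and `f.vendors` are arrays of IDs.
function encodeConsentString(f) {
  const purposeMask = (f.purposes || []).reduce((m, p) => m | (1 << (24 - p)), 0);
  let bits = '';
  for (const [name, width] of FIELDS) {
    let val = f[name] || 0;
    if (name === 'purposesAllowed') val = purposeMask;
    if (name === 'encodingType') val = 0;
    bits += val.toString(2).padStart(width, '0');
  }
  for (let v = 1; v <= (f.maxVendorId || 0); v++) bits += (f.vendors || []).includes(v) ? '1' : '0';
  return bitsToBase64url(bits);
}

// Violation types 1 and 4 from the study, as far as they can be checked from
// the stored string alone. `userAction` is what the user did in the banner:
// 'none' (not touched yet), 'refused' or 'accepted'. Types 2 and 3 concern
// the banner's UI (no reject option, pre-ticked boxes) and need the DOM.
function classifyStoredConsent(userAction, consentString) {
  const c = decodeConsentString(consentString);
  const positive = c.purposes.length > 0 || c.vendors.length > 0;
  const findings = [];
  if (userAction === 'none' && positive) findings.push('consent stored before choice');
  if (userAction === 'refused' && positive) findings.push('non-respect of choice');
  return findings;
}
```

In a crawler you would read the `euconsent` cookie and call `classifyStoredConsent('none', value)` before touching the banner, then click reject and call `classifyStoredConsent('refused', value)` on the new cookie value; an empty list means the stored string itself is clean. Range-encoded vendor sections are handled as well as plain bitfields, since both appear in the wild. Violation types 2 and 3 need inspection of the banner's DOM rather than the cookie.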
That's a pretty dismal state of affairs. The GDPR is designed to give control to those visiting Web sites in the EU, and yet over half of the sites studied in detail fail to respect users' choices. One person who has shown himself unwilling to accept the GDPR being flouted in this way is the privacy campaigner Max Schrems. Over the years, he has launched -- and won -- multiple legal challenges involving privacy and the GDPR. Now his privacy organization noyb.eu is turning its attention to disrespectful cookie banners:
noyb.eu identified countless violations of European and French cookie privacy laws as CDiscount, Allociné and Vanity Fair all turn a rejection of cookies by users into a "fake consent". The privacy enforcement non-profit noyb.eu filed three formal [GDPR] complaints with the French Data Protection Authority (CNIL) today.
Up to 565 "fake consents" per user. Despite users going through the trouble of "rejecting" countless cookies on the French eCommerce page CDiscount, the movie guide Allocine.fr and the fashion magazine Vanity Fair, these webpages have sent digital signals to tracking companies claiming that users have agreed to being tracked online. CDiscount has sent "fake consent" signals to 431 tracking companies per user, Allocine to 565 and Vanity Fair to 375, as the analysis of the data flows now shows.
Schrems points out that one company taking advantage of "fake consent" is Facebook, which is happy to place cookies after people have clearly objected to all tracking. That means the scale of the potential GDPR breach is considerable. It will be some time before CNIL hands down its decision, but based both on Schrems' track record and on the facts of the case, it seems probable that he will prevail once more. Although the initial ruling will only apply to France, it is likely to be followed by data protection authorities in other EU countries. If any of the Web sites mentioned above challenge a result that goes against them, there may be a referral to the EU's top court, whose decision will be definitive and apply across the whole region. That, in its turn, is likely to influence online privacy laws around the world, as the GDPR is already doing.
Follow me @glynmoody on Twitter, Diaspora, or Mastodon.
Filed Under: cookie banners, cookies, eu, gdpr, max schrems, privacy
Reader Comments
The whole and original problem with computers comes down to the simple fact YOU DO NOT OWN the operating system on your computer, YOU RENT IT, thus YOU HAVE NO RIGHTS.
You thus have no right to determine what appears or what does not appear on your computer; the right to determine that is held by the owner of the operating system.
Until the operating system rental issue is resolved in favor of the owner of the physical hardware, the hardware owner has NO LEGAL RIGHT to deny all sorts of trash from appearing on their computer.
That means that hardware owner can not go to court, sue the spammers, and receive a judgement in their favor and if the hardware owner does not like this then the hardware owner can write their own operating system which will be owned by the hardware owner.
If you do not like the above situation then you need to discuss this with the various courts and legislative bodies that have authority to correct the legal issues.
Re:
Rubbish.
Even renters have rights. The problem is trash landlords.
And anyway, I can choose not to use an OS provided by such landlords.
Re: Re:
advertisers and the scum they hire are the shits in this world. they should be abolished.
Re: Re: Re:
If there were no advertising on TV, streaming or the web you would find a great many channels, sites and services shutting down for lack of revenue. Many of those that remain would become subscription services with no access at all unless you pay them directly. "Free" games would largely become a thing of the past as you would now have to pay up-front for all games or expect all games to have in-game sales. Is that the world you would like to live in?
Or maybe, just maybe, you could find ways to avoid having to see ads such as subscribing to services that offer an ad-free tier, only buy video-on-demand and games that are non-free, and otherwise always pay your own way.
Yeah, ads suck, but they're saving you a lot of money in exchange for a bit of time and patience and they enable a whole lot of options to be available that otherwise could not.
Re: Re: Re: Re:
The real problem is not adverts, but rather that marketing people believe that they have the right to collect as much information as possible about people so as to target ads. Laws to limit the collection of data by companies to that needed for sales completion and delivery of actual services, (note adverts are excluded from services), would do a lot to eliminate cookies and tracking on the web.
Re:
This isn't about the operating system on the local computer. It's about websites tracking people to spam them with intrusive advertising. I could board up Windows and find some 31337 h3X0r d00Dz who managed to hack into Linux headquarters to steal the source code for their enterprise O/S, but the issue would remain the same.
Re: Re:
hack into Linux headquarters to steal the source code for their enterprise O/S
what is this i don't even... it's not even wrong. (Despite the point of the post being correct.)
But here, I hacked into the very heart of Linux headquarters. This is the secret link. https://www.kernel.org/ Or, you know, you can compile an entire distro from source or roll your own. Hell, you can even go with something other than a gnu/linux. There are some enterprise distros, but they aren't going to be a significant difference (if any) from non-enterprise, for a single user desktop.
Re:
ok boomer
Re:
Or use one of the several popular operating systems, or hundreds of more obscure ones, that people have already created and posted online for people to use (with rights!). But what's that got to do with cookies?
Re:
Amazing, you wrote a bunch of nonsense but failed to communicate anything other than you don't know much about laws or technology.
Re:
I have the right to smash the computer into a zillion pieces.
Re: Re:
That's a ridiculous direction to head when the problem is not the hardware. Maybe you should seek counseling.
Re: Re: Re:
Yeah, whatever happened to destroying just the monitor when you have an issue with something running on a computer (or need to stop it from destroying something or all the things).
Re: Re:
Yes you do, but you don't have the Right To Repair it.
Re:
You're wrong on so many points.
You're welcome to try again once you've informed yourself on the subject.
Re:
Build your own OS then.
IANAL
I wonder if the CFAA could come into play here. If companies are knowingly deceiving people about the access they are getting to our computers...
Re: IANAL
Using the CFAA in this manner is very optimistic. Don't you know that law is only meant for hackers, crackers, and individuals the government doesn't like? Major campaign donors and businesses have nothing to worry about.
/s
Re: IANAL
The CFAA does not apply in the EU where the GDPR, the topic of discussion in this article, is enforced. Squirrel moment?
Re: Re: IANAL
The topic, based on the title, is cookie banners, and sites that use cookie banners also have been using them here in the US in an abundance of caution. But it is unlikely they are better with US users' consent. Therefore, while the article mainly discusses the implications of the research in regards to the GDPR, discussions about the applicability of the CFAA to the findings of the research is pertinent to the discussion of cookie banners ignoring user input.
To answer the question, I do not think that ignoring user preferences from the cookie banner will lead to hacking under the CFAA. The cookie might be seen as fitting under 'exceeding access' claims, but showing sufficient damage to warrant a criminal complaint would be difficult. (Remember, the CFAA does not have a private right of action, it's a criminal statute.)
Re: Re: Re: IANAL
No, but ignoring site operators' preferences sure seems to court violations.
Re: Re: Re: Re: IANAL
A site operator can inflate damages in ways a user can not. A site operator can contribute to political campaigns of a State AG. I specifically highlighted that the barrier was the threshold to get investigators looking at criminal action. A site operator of the sites seen abusing the CFAA is a powerful entity which can make things happen in ways a private individual could not.
So the banner popup is basically drunk at a bar.
Another thing is some sites use the popups to deliberately harass users who have cookies disabled on their browser, by popping one up every time you click a link.
Re:
I'm pretty sure they're not deliberately harassing you in this manner. More likely the developers never thought to consider browsers with cookies disabled. Their code runs when a cookie is not set and sets a cookie; they've assumed the cookie will always be successfully set, which would prevent the code from running again. They probably only ever tested it in a few browsers with standard configurations, none of which included a browser that prevented cookies from being set.
One solution is to install an extension that lets you hide elements. You can write a CSS rule for that site to not display the popup. "Stylus" is one such extension.
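The loop the reply above describes, as an added example that is neither the commenter's code nor any site's: a naive "show the banner unless the cookie is set" check, run against a stand-in for `document` (constructed here so the example runs in Node without a browser) whose cookie writes are silently dropped when cookies are blocked, exactly as a real browser does; beside it, a version that reads the cookie back to verify the write and falls back to a per-session flag so the user is not nagged on every click. The names `makeDocument`, `naiveBanner`, `robustBanner`, `countBannerShows` and the `cookie_notice_seen` cookie are assumptions for this example.

```javascript
// Added example, not code from any site or from the commenter: the
// "banner comes back on every click" failure mode, and a fix. Both banner
// functions take a document-like object exposing a `cookie` property with
// browser semantics: when cookies are blocked, writes are silently dropped.

// Minimal stand-in for `document`, constructed for this example, with
// cookies either enabled or blocked.
function makeDocument(cookiesEnabled) {
  let jar = '';
  return {
    get cookie() { return jar; },
    set cookie(v) {
      if (!cookiesEnabled) return;                 // browser drops the write silently
      const pair = v.split(';')[0].trim();         // "name=value", attributes stripped
      const name = pair.split('=')[0];
      jar = jar.split('; ')
        .filter(c => c && c.split('=')[0] !== name)
        .concat([pair])
        .join('; ');
    },
  };
}

function hasCookie(doc, name) {
  return doc.cookie.split('; ').some(c => c.split('=')[0] === name);
}

// Naive logic: "no cookie yet, so show the banner and set the cookie".
// Returns true when the banner is shown on this page load. With cookies
// blocked the write never sticks, so this returns true on every load.
function naiveBanner(doc) {
  if (hasCookie(doc, 'cookie_notice_seen')) return false;
  doc.cookie = 'cookie_notice_seen=1; path=/; max-age=31536000';
  return true;
}

// Fix: verify that the write actually stuck; if it did not, remember the
// dismissal in a per-session store (sessionStorage in a real page; a Map
// stands in for it here) so the banner is shown at most once per session.
function robustBanner(doc, session) {
  if (hasCookie(doc, 'cookie_notice_seen') || session.get('cookie_notice_seen')) return false;
  doc.cookie = 'cookie_notice_seen=1; path=/; max-age=31536000';
  if (!hasCookie(doc, 'cookie_notice_seen')) {
    session.set('cookie_notice_seen', '1');        // cookies blocked: fall back
  }
  return true;
}

// Simulate `loads` page loads against one document and count how many
// times the banner appears.
function countBannerShows(bannerFn, doc, loads, session = new Map()) {
  let shown = 0;
  for (let i = 0; i < loads; i++) if (bannerFn(doc, session)) shown++;
  return shown;
}
```

The check that matters is the read-back after the write: `document.cookie` assignment never throws when cookies are blocked, so the only way a page can learn the cookie was not stored is to look for it again. A real page would use `sessionStorage` for the fallback and can also consult `navigator.cookieEnabled` up front.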
Good luck enforcing any of that against website owners and companies that have no presence in the EU. At best, they'll ignore it, at worst they'll simply geoblock all EU access.
Re:
Most are EU sites. And FB is not just going to up and pull out of Euro, lol.
It's not only that.
Try to opt out from cookies from Verizon, assuming they are being veracious with their opt-out screen(s).
They open up to a screen with about a dozen different services they provide. For every single service, you have about 6 screens of options to trigger, then let your options be "processed" by some sort of cookie alliance. The "processing" of the opt-outs is only ever partially successful and takes about 2 minutes per screen. It does not process if you remove focus from the respective tab/window, so you cannot do stuff in parallel.
Which means that opting out from cookies for various user-tracking purposes from Verizon is a process that, if done correctly and diligently, takes over an hour. And you don't really know whether this will change anything: a lot of the steps report only partial success and recommend trying again.
The total number of people on Earth who went through all of that successfully is probably a one-digit number, probably even if you express it in binary.
Everybody else is assumed to consent to tracking in various forms.
Cookies aren't just for tracking
Cookies are used to store information, typically your session ID, so that you remain logged into a website. If you disallow cookies you can't use the service as it needs to send your session cookie with each request you make to the server to identify you. If the cookie is missing it doesn't know who you are and asks you to log in so it can store a cookie identifying you.
Sites that don't require a login but still want to store cookies? Yeah, those are for tracking.
Re: Cookies aren't just for tracking
They can also store zero-login preferences.
it may be a pretty dismal state of affairs, as the article states but no one gives a fuck anymore about how the people are affected! if it is/was a company affected, there would be all hell let loose and the perpetrators would be shut down, scooped up and locked up for life! if anyone has the audacity to take 1p away from the coffers of any company or person, those responsible deserve to be flogged to death or never see the light of day again. if, however, a company does anything that is detrimental to a single ordinary person or the whole Planet, no one lifts a finger because those responsible go straight to the corrupt politicians and security service heads, throw them 'some bones' and just carry on down the same road! corruption in almost all countries is rife, especially in governments worldwide. the desire to stop people from having any rights at all is of paramount importance to politicians, security services heads, courts, the rich, the famous and the elite, as well as all their associated friends. that is why there is this storm of new laws that are so similar everywhere, that are/have been brought in that take our rights away, with no consideration or consultation because the best thing that has ever been invented on this Planet to date, The Internet, gave us the availability of information and the ability to access, read and pass on that information that allows us to know exactly what those mentioned above have been, are and are going to be up to that make them continue to be exceedingly rich and, most importantly, IN TOTAL CONTROL of us, while we are losing everything that we fought for, earned and should still be entitled to! and most of what we have had taken from us has been done in USA courts and then other countries have been threatened to do the same! what an asshole world is being produced where the few are so scared of losing control and riches that they are stopping it by taking everything from us! 
and we keep voting the same fuckers in who are doing it! talk about stupid!!
Re:
Except... the People is exactly what the relevant law is about, even if the EU and its members kind of fucked up parts of it. Which is why Max Schrems wins privacy cases invoking such laws.
I get the idea, but when you argue a point (or rant or pontificate or whatever this is) and do it poorly, you lose points for your position.
Re:
"no one gives a fuck anymore"
as if they ever did
Re:
Despite the fact that I consider myself to be a bit of a grammar Nazi, I don’t like to correct grammar, spelling, and syntax on internet fora too often. However, this mess is really hard to read.
First of all, the inconsistent capitalization is really annoying. Capitalize the first letter of the first word of sentences and quoted sentences, the first letter of most words in proper nouns (names of people, specific businesses, organizations, brand names, laws, regulations, parks, specific buildings, cities, counties, districts, states, provinces, countries, multinational groups, wars, important battles, continents, planets, stars, moons, or galaxies; titles of books, movies, periodicals, most websites, games, or software; months; days of the week; and a few others) and most or every letter of an initialism (such as U.S.A., NASA, or DMCA). For the most part, don’t capitalize anything else, like “planet” or “the internet”. Capitalizing in these places and only these places makes it easier to distinguish the beginnings and ends of sentences and find unique identifiers, greatly improving readability.
Second, when typing something as long as this, you should probably try to break it down into multiple paragraphs with a blank line or other spacing between them. Otherwise it just looks like a huge wall of text that’s hard to read.
There’re also some punctuation and other grammar errors, but just fixing those two problems would make it a lot easier to read. I’d also suggest using markdown for emphasis instead of all-caps, which seems like shouting and violates standard netiquette when some form of markup or font styling is available. All caps also reduces readability when typed (not written). If you don’t know about markdown, there’s a link below the textbox you use when you write a comment that can explain more.
Hope you find this useful!
Schrems' org isn't making a distinction between cookies used for good or ill purposes, so the story sounds far worse than it should. Curious how any site is supposed to manage the sessions of people that opt out but still try to use the service, without actually tracking them or placing a cookie.
Continued use of a service, after notification of the cookie requirement via banner or pop-up, is positive consent. The alternative is that every person would have to be alerted and agree to the terms of use every time they load a new page. Cross-platform functionality will also be severely impaired if positive consent can't be inferred from continued use.
Re: Purpose of a cookie
Except they do make a distinction. It helps if you actually read what you're commenting. The complaint states:
Article 82 of the loi Informatique et Libertés provides that the requirement of prior consent does not apply if access to information stored in the user's terminal equipment or the registration of information in the user's terminal equipment (1) has the exclusive purpose of allowing or facilitating communication by electronic means; or (2) is strictly necessary for the provision of an online communication service at the user's express request. These exceptions are strictly interpreted by the French authorities. In a decision of 6 June 2018, the Conseil d'Etat considered that all cookies that are set for advertising purposes cannot be treated as cookies "strictly necessary for the provision" of an online communication service, even when such cookies are necessary for the economic viability of a website (Council of State, 10th - 9th chambers together, 06/06/2018, 412589).
I've seen a ton of sites guilty of point 2. You get a nice banner telling you "we use cookies", and that's all. Definitely no opt-in, and not even an opt-out.
I don't necessarily mind point 3 as long as it's clear: if the law requires an opt-out, you can pre-select consent. You cannot, however, start acting as if the user consents until the selection is submitted. That's point 1, and it's making the opt-out basically irrelevant since at least some data has already been collected and communicated by the time the user is done making a choice.
Point 4 is obviously the worst: you have an illusion of privacy that is not actually enforced. That's not only circumventing consent, which points 1 and 2 are guilty of, but also adding an outright lie on top of it.
Re:
Yeah, 3 is fine in my book. 2 is bad, but as long as it’s made clear, there is still the option to not use that site based on that fact. 1 is even worse, because you’re effectively opting out rather than opting in, even if the option is presented up front. 4 is just horrible, combining 1 and 2 together while also lying about doing either.
Re:
You do have an opt-out ... opt out of using the site. (that's their logic anyway).
Re: Re:
The other way to opt out is via the browser settings. Most sites are okay with that; some will break completely. You should definitely set browsers to block as many third-party cookies as possible.
31337 h3X0r d00Dz are running mates in 2020, expected to win easily with 900 million electronic votes.
it took them how long to figure this out??
Ok, I can stop laughing..
It's just silly to think anyone would even test this. SAID the site/advert corp/everyone else.
Do you know how much Stuff we have vacuumed says the corps??
(even tho we asked and didn't pay attention when everyone said NO, because we Knew they would say No, and we didn't like that we couldn't do it, If they said No..so we did it anyway)
I've asked..
A few persons, that know what to do..
And to take the info they are looking for, and Change it on my computer.. I think we should be able to send a packet... They when they open it for the data,it does something bad..
WHY not protect ourselves from these ignoramuses..