Anyone who has used the internet since May 2018 must have encountered a growing number of cookie consent notices whenever they browse a website. But are these notices telling us as individuals everything that’s happening with our data? And what should organisations do to make their actions more transparent?

The answer to the first question, unfortunately, does not make for positive reading. A major study of cookie consent mechanisms by academics at Ruhr-University Bochum and the University of Michigan found that 86 per cent of notices offer no options other than a confirmation button that does nothing.

Cookies and consent

Cookie notices have proliferated since the General Data Protection Regulation came into force last year. By some estimates, more than 60 per cent of popular websites in Europe display cookie consent notices to visitors. Since then, the ePrivacy Regulation (ePR) has taken its lead from GDPR’s tougher stance on consent. They have taken it as a legal basis for collecting and processing personal information.

There are three main types of cookie notices. The first, gives the website visitor a simple yes or no choice. This is to whether they agree to cookies on their laptop or mobile device. This doesn’t penalise the visitor who clicks ‘no’. They freely choose to give their consent or not and are free to browse that website regardless of their choice.

The second type of cookie partially penalises the user, in that some website functionality won’t work if they choose ‘no’. However, a properly worded cookie notice should make clear to them exactly what functionality won’t work. Here again, the individual can make an informed choice to proceed or not.

Wall of denial

In the third case, a ‘cookie wall’ is established, denying the user access unless they consent to all cookies and trackers that are present on that website. A cookie wall is a website’s self-made border that restricts access to those who do not consent to all of its cookies and/or tracking technology. The controller is essentially forcing the data subject to provide access to their personal information.

However, a cookie wall is an ambivalent construct, with some data protection authorities in the EU already deeming them unlawful. The Dutch regulator’s website highlights that cookie walls are not permitted, because with a cookie wall the controller cannot get valid permission from visitors/users for placing tracking cookies.

In essence, cookies cannot truly use ‘consent’ as their legal basis for processing, as they penalise the user who says no, by preventing the user from accessing the website. The GDPR defines valid consent as being freely given and warns that consent will be invalid if it is conditioned upon the exchange of a service to which the data processing is not necessary.

The practice of cookie walls, along with the general confusion among consumers, hasn’t escaped the notice of supervisory authorities. Both the Irish DPC and UK ICO recently issued guidance on correct use of cookies.  Johnny Ryan from the privacy browser Brave issued a formal complaint to the Irish DPA in April 2019 against Interactive Advertising Bureau (IAB) Europe’s website cookie wall – which forced visitors to accept tracking cookies.

Where exemptions apply

Not all cookies require consent: the ePrivacy Regulation allows for exemptions where cookies are used only for carrying out the transmission of a communication or where they are strictly necessary to provide a service. The recent guidance from the Data Protection Commission makes this point clear. It says “For the setting use of cookies and other similar technologies, the data controller normally needs your consent (as required by Regulation 5(3) of the ePrivacy Regulation) to use these types of technologies. However, they don’t need consent where the cookie or other technology is necessary tao provide you with the service you’re seeking [my emphasis] – for example , cookies which may be needed to provide you with a functioning website which you want to access.” (The European Commission page on cookies also has more information about this.)

Best practice cookie notices

What should organisations do to ensure they are complying with both the letter and the spirit of the laws regulating the use of cookies? The first step is to determine if the principles of GDPR and ePrivacy Regulation are applicable, by assessing if your website cookies 1) collect or process personal data from individuals resident in the EU or 2) collect or process data on servers located within the EU? If so, it is worth asking these questions:

• Are you being transparent with the data subjects?
• Are data subjects fully informed about the collection and processing of their data and the possible sharing of their data with third parties and for what purposes the sharing will take place?
• Would data subjects be ‘surprised’ by any activity your cookies undertake? If so, you should revisit the privacy notices and ensure increased transparency.
• What legal basis are you using to collect and process this data? Are you using consent as the legal basis? If so, does the data subject have a choice? Does the data subject feel coerced in any way? Does the data subject provide a positive affirmative opt-in?
• Is the ‘informed’ piece being delivered in a ‘terms and conditions’ link, a ‘privacy policy’ link– or really clearly on a privacy notice appearing on-screen beside the cookie consent request?
• Is the information you intend to gather proportionate and necessary for the visit the data subject is making to your website?
• Do you need this information for your website to function properly?
• Is this the right time during the transaction/visit to collect or process the information? Do you need to wait until a contract (implicit, social or otherwise) is engaged in by the data subject?
• Are you collecting/processing data subject’s information to leverage it for future use?
• Are your retention schedules clearly outlined and are you deleting information in line with them?
• Do the privacy notices make it easy for the data subject to get more information/communicate with your privacy department if they wish to ask for more information?

Lack of transparency = lack of confidence

Many of the privacy notices that I have encountered appear boilerplate and lack transparency. This has instilled in me a lack of confidence that data controllers are complying with my ‘no’ response to cookies. I often wonder is the yes/no option a mere ‘window dressing’ while its cookies-as-normal under the bonnet of the website?

A notable trend in this area is the ‘Consent-or-Pay-Wall’. Pay models are an alternative to the ad-funded/information collection model. They allow a non-consent (contractual agreement) based alternative if the consumer pays. See below for an example of a ‘Consent-or-Pay Wall’:

Whatever way you choose to design your cookies, an organisation’s website acts as a lens into the data protection practices of a company. Companies should consider their privacy notices and the level of consumer loyalty and engagement that these notices engender. This is because studies have found correlations between well-constructed privacy notices and increased consumer trust.

I believe data protection – done right – gives organisations a unique opportunity to engage with consumers. It demonstrate a company’s socially responsible data strategies. Why not provide clearly worded notices that state in simple language what is happening to a visitor’s data? Why not use cookie consent as a method to enter into an implicit social contract that engenders trust? For example, “in return for giving us your information, you will get a better experience on this website. We promise to only use that information during the time you’re using it, and we will delete it afterwards. We will never share information from your visit to our website with third parties”.

By ensuring that our data strategies, including those relating to cookies, are benevolent towards the data subject, organisations have a valuable opportunity to do privacy right, and enhance the trust-relationship with consumers.

Valerie Lyons is chief operations officer with BH Consulting