Anyone who has used the internet since May 2018 must have encountered a growing number of cookie consent notices whenever they browse a website. But are these notices telling us as individuals everything that’s happening with our data? And what should organisations do to make their actions more transparent?
The answer to the first question, unfortunately, does not make for positive reading. A major study of cookie consent mechanisms by academics at Ruhr-University Bochum and the University of Michigan found that 86 per cent of notices offer no options other than a confirmation button that does nothing.
Cookies and consent
Cookie notices have proliferated since the General Data Protection Regulation came into force last year. By some estimates, more than 60 per cent of popular websites in Europe display cookie consent notices to visitors. Since then, the ePrivacy Regulation (ePR) has taken its lead from GDPR’s tougher stance on consent. They have taken it as a legal basis for collecting and processing personal information.
There are three main types of cookie notices. The first, gives the website visitor a simple yes or no choice. This is to whether they agree to cookies on their laptop or mobile device. This doesn’t penalise the visitor who clicks ‘no’. They freely choose to give their consent or not and are free to browse that website regardless of their choice.
The second type of cookie partially penalises the user, in that some website functionality won’t work if they choose ‘no’. However, a properly worded cookie notice should make clear to them exactly what functionality won’t work. Here again, the individual can make an informed choice to proceed or not.
Wall of denial
In the third case, a ‘cookie wall’ is established, denying the user access unless they consent to all cookies and trackers that are present on that website. A cookie wall is a website’s self-made border that restricts access to those who do not consent to all of its cookies and/or tracking technology. The controller is essentially forcing the data subject to provide access to their personal information.
However, a cookie wall is an ambivalent construct, with some data protection authorities in the EU already deeming them unlawful. The Dutch regulator’s website highlights that cookie walls are not permitted, because with a cookie wall the controller cannot get valid permission from visitors/users for placing tracking cookies.
In essence, cookies cannot truly use ‘consent’ as their legal basis for processing, as they penalise the user who says no, by preventing the user from accessing the website. The GDPR defines valid consent as being freely given and warns that consent will be invalid if it is conditioned upon the exchange of a service to which the data processing is not necessary.
Where exemptions apply
Best practice cookie notices
- Are you being transparent with the data subjects?
- Are data subjects fully informed about the collection and processing of their data and the possible sharing of their data with third parties and for what purposes the sharing will take place?
- Would data subjects be ‘surprised’ by any activity your cookies undertake? If so, you should revisit the privacy notices and ensure increased transparency.
- What legal basis are you using to collect and process this data? Are you using consent as the legal basis? If so, does the data subject have a choice? Does the data subject feel coerced in any way? Does the data subject provide a positive affirmative opt-in?
- Is the information you intend to gather proportionate and necessary for the visit the data subject is making to your website?
- Do you need this information for your website to function properly?
- Is this the right time during the transaction/visit to collect or process the information? Do you need to wait until a contract (implicit, social or otherwise) is engaged in by the data subject?
- Are you collecting/processing data subject’s information to leverage it for future use?
- Are your retention schedules clearly outlined and are you deleting information in line with them?
- Do the privacy notices make it easy for the data subject to get more information/communicate with your privacy department if they wish to ask for more information?
Lack of transparency = lack of confidence
Many of the privacy notices that I have encountered appear boilerplate and lack transparency. This has instilled in me a lack of confidence that data controllers are complying with my ‘no’ response to cookies. I often wonder is the yes/no option a mere ‘window dressing’ while its cookies-as-normal under the bonnet of the website?
A notable trend in this area is the ‘Consent-or-Pay-Wall’. Pay models are an alternative to the ad-funded/information collection model. They allow a non-consent (contractual agreement) based alternative if the consumer pays. See below for an example of a ‘Consent-or-Pay Wall’:
Whatever way you choose to design your cookies, an organisation’s website acts as a lens into the data protection practices of a company. Companies should consider their privacy notices and the level of consumer loyalty and engagement that these notices engender. This is because studies have found correlations between well-constructed privacy notices and increased consumer trust.
I believe data protection – done right – gives organisations a unique opportunity to engage with consumers. It demonstrate a company’s socially responsible data strategies. Why not provide clearly worded notices that state in simple language what is happening to a visitor’s data? Why not use cookie consent as a method to enter into an implicit social contract that engenders trust? For example, “in return for giving us your information, you will get a better experience on this website. We promise to only use that information during the time you’re using it, and we will delete it afterwards. We will never share information from your visit to our website with third parties”.
By ensuring that our data strategies, including those relating to cookies, are benevolent towards the data subject, organisations have a valuable opportunity to do privacy right, and enhance the trust-relationship with consumers.