A well-known supermarket-attached clothing website has a privacy notice apparently powered by OneTrust. It gives the usual cookie choices where one can deny certain classes of cookie. On the positive side of things, the selections are off by default. Good. But that’s where the positive ends…
Certain cookie classes cannot be switched off – they are ‘always active’. These include data which:
- can be used to monitor for and prevent fraudulent activity, and ensure systems and processes work properly and securely.
- Your device can receive and send information that allows you to see and interact with ads and content.
- can be combined with offline data sources in support of one or more purposes
- can be used to distinguish your device from other devices based on information it automatically sends, such as IP address or browser type.
Now, OK, I’ve lumped them all together as displayed, and not all are definitely evil at first glance. But let’s tease the evil out a little…
Monitoring for the prevention of fraud is fine, but the notice is not saying how. Does it mean that my data will be sent somewhere for fraud checks? Now, that may still be acceptable, but it really needs to say.
Sending and receiving information for advertising purposes. OK, this is a big no. They can’t do that with no way to switch it off, no matter how much they want to. Cookies used for this can never be classed as strictly necessary.
Combining my data with offline sources – again, what on earth is their plan here? Tell me. The same goes for distinguishing my device from others. Do they even know how most home broadband routers work? Are they going further than just the IP address, which would be common across a household, or are they suggesting browser profiling? If the latter, stop it.
In any event, I browse this particular vendor in private mode with my cookie cruncher running, so good luck with that!