Pinsent Masons carried a story recently regarding an airline being fined for a poor cookie consent mechanism on their website (1). Although the fine is relatively small it hopefully highlights the fact that authorities are taking note of complaints against websites.
For some years now it has been necessary to declare cookies and have a mechanism to gain consent, but many websites are sadly lacking, some really badly. I’ve ranted about this in the past and when I was still working I always tried to ensure our websites were compliant.
The case in hand (2) is one where the website in question told users how to block cookies but had no consent mechanism. It was pointed out that there needs to be a mechanism whereby cookies can be rejected, as well as options to enable all cookies or to enable just specific ones.
From my own checks on websites some are really good, some so-so, and some down right awful. Among the best I’ve seen are ones that have a very simple consent mechanism at the bottom of the page with checkboxes for each type of cookie, as well as a ‘reject all’ button. Among the worst are those that throw up a large popup which gives little choice other than to accept their cookies with no way into the site without so doing. Some, typically media websites seem to burden the user with vast lists of partners with a ‘yes / no’ button against each. I have to say that when I find these latter types I take a screenshot for reference, and then wave goodbye. I also regularly clear my cookie cache so I don’t get stalked by adverts.
Seriously, when are website designers going to realise that setting lots of cookies and then asking for consent is the wrong way round? I mean, surely the concept is clear. Unless the cookie is strictly necessary, for example to carry out the function requested by the user, don’t set the darn thing until consent is gained. To me this is like someone plastering advertising stickers all over your car and then finding you and asking if it’s ok, versus someone asking ‘hey can I put these advertising stickers on your car?’
As I’ve said before, there are some truly excellent cookie consent mechanisms out there now, and some truly awful ones, and every mix in between. I’ve seen one recently that sets out your options at the bottom of the page rather than send you off to another page, and they were all pre-unchecked. And another, a cookie wall this time (to be banned soon!) where you either accept or go off to a completely different website run by an advertising agency, only to be told you then need to tell your browser to reject cookies. One had a list of about 400 partner sites and you had to deselect each, one very similar had the same but you could deselect them all in one go. But in each case they were selected by default and consent is gained basically by user frustration – click Yes just to get somewhere, anywhere.
Of course, you can always empty your browser’s cookie cache regularly as I do. But then you run the risk of Google asking you to go through their consent stuff for the umpteenth time because you deleted the cookie they set that remembers your answers. That’s understandable, but still frustrating. Browsers could use a mechanism by where you clear out everything except a few you chose specifically to persist, and have a button on the menu bar to clear them too so you do not need to go diving into the menus.
Those that know me probably know I do go off on one when it comes to annoying uses of cookies. Well, I came across two allegedly GDPR-compliant consent pages today, each of which amazed me but for diametrically opposing reasons.
Ok. First off, the privacy notice had just about zero information about what cookies it set and what these were used for. Fail. Next, there is no way to consent or refuse. Fail. The only way to remove the annoying box is to accept. Fail. Oh, and by the way it had already set the cookies anyway regardless of if I accepted or not. Major fail!
The second example I came across was so different. Here, and in just three sentences at the bottom of the screen, it told me what it used, why it used them, and below this were a series of 4 tick boxes for Necessary, Preference, Statistics, and Marketing, all ticked except Marketing. I didn’t even need to read the linked privacy notice nor anything else to know that the options it was offering were the ones I would have chosen anyway. This is by far the best implementation of a cookie consent popup I have ever seen! YMMV.
There are still lots of websites that are now wholly noncompliant its regard to cookies and cookie notices. I came across one today which has the usual 5th of a screen banner popup pleading with me to accept cookies:
“Please accept cookies so we can deliver you the best experience”
Well, I might if it told me even remotely why. Click on the ‘read more’ and it tells me what a cookie is and lists a series of links to browser information pages, each taking you off to the browser suppliers own website. It does not give any option to select what type of cookie I will allow, nor does it say why it sets them, which ones it sets or what it, or others will do with them. And of course it has already set them!
There are some really good (IMO) sites now which tell you they are setting cookies and let you chose which types, the better ones having the advertising type cookies deselected by default so if you just click through the screens you actually get the best option, privacy wise. Then there are media driven sites – those hanging off newspapers and such – which give you a list of 400+ websites, each of which you need to deselect or even visit in turn to stop that particular cookie. Seriously, those need shredding. I just click away when faced with them, and these days I regularly clear out all cookies anyway. The only ones of any interest to me personally are those that hold on to the fact that you are already logged into a forum, for example, and almost all the forums I use now have an option to automatically log me in using the password stored in the browser, so it matters not that I clear these out.
I was notified by email today of a document shared on Yahoo! that I needed to read. So… off to Yahoo! and I am presented with a screen about privacy. I can get no further before I either blindly accept all their cookies and those of their partners or I can manage what is set. Ok, let’s manage it then – off to the Privacy Centre (hmmm… UK spelling).
What I am looking for is a button where I can reject cookies. Ok… so in paragraph 2 of 12 or so, I lost count, I find the link to the Privacy Dashboard. Off we go then, I bet the ‘reject’ button is there, oh no wait I get a screen full of brand icons I can click to see how each partner will use my personal data. Hmmm. No reject button then…
I clicked the first one and I’m whizzed off, electronically to the vendors site where I need to log in and prove I am not a robot. Try another. Same thing, and indeed the same login function hosted by AOL. And, you guessed it, it’s setting cookies before I have even had the chance to say yes or no.
And I’ve yet to get anywhere near the document I want to see…
I’m not going any further but seriously, if I actually wanted to find out how my personal data will be used by this website, the company behind it, the company behind them, and each of their partners and the companies behind those, it would take me an hour or more, and I’d be rewarded with a whole kitchen full of cookies.
So, the document remains unread… shame really. And now I need to get rid of the cookies that have been set before I even had the chance to say ‘no’.
There’s an interesting mixture of cookie consent pages and functions these days, ranging from one nice site I saw that had defaulted to ‘none’, to those that seem to want you to opt out individually to over 400 advertising cookies, with quite a few of those requiring you to go and find the advertiser in question to opt out. I just saw one which has the usual half-page banner that only gives an option to accept all cookies, but hidden (in plain sight) is a link that takes you to a consent page. This page does nothing that wanting you to consent to all cookies but, if you try hard enough it tells you how you can opt out – by visiting some advertising agency cookie control site. Er, no, that’s not how it should be done.
I wonder if anyone (other than me) actually bothers to complain to whatever agency is even listening about these stupid practices!