Cookies – the good, the bad and the mouldy…

We are now several years into the changes in law which became known as the cookie law. Since then, the EU has enacted the GDPR which has added some urgency to ensuring that websites are compliant in the area of cookies and other stored information such as pixel trackers. The GDPR confirmed the consent requirements and national data protection organisations are taking an increasing interest in this area.

The basic requirements are that websites gain informed consent before storing cookies unless those cookies are what is termed ‘strictly necessary’. These strictly necessary cookies include those set in order to provide a service that the user specifically requested, for example to log into a website or carry out functions associated with shopping carts. It clearly does not include analytics cookies or the plethora of advertising and marketing cookies. Website designers may argue that their website will not function without cookies and where that functionality is a shopping cart I would agree. However, if the functionality in question is so the website can remember my shoe size this is not strictly necessary and I would expect to have to give my informed consent before such a cookie is stored.

Informed consent is key. It means that the user must be informed of why a cookie is being set and must then consent to it being set. And there’s the thing – I can permit the website to set cookies and consent to those cookies being set by advertisers such that they are also accessible to other websites, but I should not be forced to do so, I should understand what it means, and it should not be automatic. One may argue here that five pages of legalese indicating why a cookie is set is not a particularly valid way to inform the user.

There is also the issue of pre-checked options although this is lessened if there is a ‘reject all’ button as some websites have. Websites should not use pre-checked consent boxes but there is give and take here, in particular where the user can actively refuse cookies. However, to take the letter of the law the practice is not legal and you must not use pre-checked boxes in this way.

Cookies in the real world?

If I look at a product in a shop and an assistant comes to me and tells me there is an alternative, or better product then that presents me with no issue. However, if I then go to a different shop I do not expect someone to then show me products like the ones I just viewed in the first shop unless I specifically ask. And there is the difference, I can choose to ask or not. So why are tracking cookies any different?

And I certainly do not expect to go into a newsagents and pick up a paper only to have 33 sticky notes stuck on me from 33 other papers, each saying I do not want them to send me anything. Mind you, I don’t buy newspapers…

You must comply

This brings us to the question of cookie walls. Here, a website forces you to agree to their cookie policy before you can even see the website. In my opinion any such website should simply be ignored. Why, for example should I need to consent to it storing cookies just so I can see their email address or other contact details?

And I do object when I find a website that offers me a choice of some 400 advertising partners and lets me deselect each one, one by one. It’s far easier to just visit some other website. And let’s not get into discussion over the numerous websites which have a privacy and cookie notice hosted on some other website at a completely different URL which also sets its own cookies! One particularly famous website gave me a large privacy notice that I could not get past without either accepting or drilling down through layers of options. It was somewhat amusing to count over 400 partner sites that may get my data, and also drilling down further I got to a different, presumably parent website at a completely different URL. Needless to say this was an example of a US website.

Obfuscated messages

It is not always obvious how one even deselects cookies when consenting. The use of graphical sliders to allow or refuse cookies may be obvious when it is visually clear that green is go and red is not. So why do some websites choose shades of grey, and others just have a black slider with no indication of which way is off? This is not rocket science. Some websites use a simple tick box – surely that is sufficient? Can you imagine the problems in a fast food outlet where you end up with a spicy burger and a sugar laden drink because the options for ‘not spicy’ and ‘diet free’ were just black balls on a grey background?

Fighting back

So, to recap, cookies which are strictly necessary can be set by a website without consent when you visit it but these are a tightly defined subset of cookies which are actually necessary for a website to do what you want, not what it wants. Any other cookie must only be set once the user has given their informed consent. Cookies which store one’s choice here can be accepted as strictly necessary. Thus, a website storing a cookie to save your cookie choices for that website is ok as it is associated with you actually requesting something.

However, some websites, particularly media types, take this to mean it is ok for each and every one of their partner sites to also set a cookie to save your choice. To me this is bad programming – why are you causing my browser to visit each of your partner websites in order for each one to then store a cookie saying I do not want you to send me cookies from them? One newspaper website I visited and immediately selected ‘reject all’ on its cookie notice caused 33 individual cookies to be set.

It is sometimes amusing watching websites fail miserably when cookies are disabled in the browser. Some throw you off and demand you allow cookies, some struggle, some have no issues at all. I found one that displays nothing and constantly reloads itself trying to set a cookie. I suspect someone got their cookie sensing code a bit wrong there.

It is less amusing to struggle through a website’s cookie notice and deselect everything only then to be told I can get no further because I use an ad blocker. But wait, if the ad blocker checker is cookie based and I deselected cookies how come it even works?

Remember that tracking cookies are no use if they are not available when you visit other websites. So, for example you visit website A and you have no cookies set at all. Website A sets a tracking cookie served by website C. You then visit website B and it can read the tracking cookie set by website A and thus data about you can be transferred. But if you delete the cookie before you visit website B then that website cannot know. This is oversimplified but essentially is how you end up stalked by adverts.
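The mechanism above, modelled as an added example (not part of the original post): a toy browser keeps cookies per setting host, so the tracker embedded on both sites is the party that links the two visits. It models classic, unpartitioned third-party cookie behaviour; the host names, the `uid` cookie and the `Browser`/`Tracker` classes are all constructed for illustration.

```javascript
// Constructed model: a cookie jar keyed by the host that set each cookie.
class Browser {
  constructor() {
    this.jar = new Map(); // host -> Map(cookie name -> value)
  }

  // Load a page plus every third-party host it embeds (ads, pixels, scripts).
  visit(site, embeddedHosts, servers) {
    for (const host of [site, ...embeddedHosts]) {
      const server = servers[host];
      if (!server) continue; // no cookie logic modelled for this host
      const cookies = this.jar.get(host) || new Map();
      // The browser sends only this host's cookies, never another host's.
      const toSet = server.handle({ cookies, page: site });
      for (const [name, value] of Object.entries(toSet)) cookies.set(name, value);
      if (cookies.size > 0) this.jar.set(host, cookies);
    }
  }

  clearCookies() {
    this.jar.clear();
  }
}

// "Website C": issues an ID on first contact, then logs each page it is embedded in.
class Tracker {
  constructor() {
    this.nextId = 1;
    this.profiles = new Map(); // id -> pages seen
  }

  handle({ cookies, page }) {
    const toSet = {};
    let id = cookies.get('uid');
    if (!id) {
      id = 'u' + this.nextId++;
      toSet.uid = id;
    }
    if (!this.profiles.has(id)) this.profiles.set(id, []);
    this.profiles.get(id).push(page);
    return toSet;
  }
}

// Returns the browsing profiles the tracker ends up holding.
function simulate(clearBetweenVisits) {
  const tracker = new Tracker();
  const servers = { 'tracker-c.example': tracker };
  const browser = new Browser();
  browser.visit('site-a.example', ['tracker-c.example'], servers);
  if (clearBetweenVisits) browser.clearCookies();
  browser.visit('site-b.example', ['tracker-c.example'], servers);
  return [...tracker.profiles.values()];
}
```

`simulate(false)` yields one profile covering both sites; `simulate(true)` yields two unrelated single-page profiles, which is the effect of deleting the cookie between visits.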

Personally, I address this in a specific way. Cookies are always turned off on my phone. Yes, it means there are some things I cannot do because they require me to log in, but if I absolutely have to use the phone for those then I can quickly turn cookies back on, do the work, then delete the cookies. On the laptop I now use an app which allows me to choose what cookies I want to keep from each website I use. So, for example I can allow any login function cookies for the various web-based forums I visit. The app is set to delete any unwanted cookies after a minute or there is a button to delete immediately. Using this, I can visit a website and delete all its cookies right away. Of course, this is personal preference and suits me because I have always been security conscious. And other browsers have other mechanisms. I do recommend that you investigate something which suits you. I would also recommend that you take a look at what cookies your browser has stored, you’ll probably be amazed!

It’s not all bad news. There are some really well thought out websites out there. An example is where a website has a very simple line at the bottom, with cookie options not pre-checked and a button to accept or otherwise. Many, many websites run by organisations with insane amounts of money (and therefore buying power when it comes to website design) could learn from this.

Chocolate chip anyone?

Cookie madness continues…

These guys are having a laugh, but not as much as similar others. This is from a newspaper website after I clicked Reject All on their cookie acceptance form…

The Yes/No column indicates if a cookie is secure. But that’s not the issue I have here, the issue is it still set 20 cookies, including Google and other trackers even though I used the reject option. And note the rather adventurous deletion date of the second cookie, the year 3019.

Their reason for so many is that they claim the following uses of cookies are ‘necessary’: ‘Information storage and access’, ‘Personalisation’, ‘Ad selection, delivery, reporting’, ‘Content selection, delivery, reporting’, and ‘Measurement’. I beg to differ! Oh, and on Google, that is specifically deselected when one presses Reject All and yet their cookies are still being set. Hmmm.
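One way to turn that observation into a repeatable check, as an added example (not from the original post): record the `Set-Cookie` headers a site sends after ‘Reject All’ and flag anything not on the strictly-necessary list, anything third-party, anything without `Secure`, and any implausible lifetime. The site name, cookie names, allowlist and the 400-day threshold are assumptions, and the suffix match is a simplification of a Public Suffix List lookup.

```javascript
const MAX_LIFETIME_DAYS = 400; // assumed audit threshold, not a legal limit

// Parse one raw Set-Cookie header value into name plus the attributes audited here.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: eq === -1 ? pair : pair.slice(0, eq), secure: false };
  for (const attr of attrs) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    const val = i === -1 ? '' : attr.slice(i + 1);
    if (key === 'secure') cookie.secure = true;
    else if (key === 'domain') cookie.domain = val.replace(/^\./, '').toLowerCase();
    else if (key === 'max-age') cookie.maxAge = Number(val);
    else if (key === 'expires') cookie.expires = new Date(val);
  }
  return cookie;
}

// records: [{ host, header }] captured after "Reject All"; allowlist: cookie
// names the site documents as strictly necessary (e.g. the consent choice).
function auditAfterReject(site, records, allowlist, now) {
  return records.map(({ host, header }) => {
    const c = parseSetCookie(header);
    const scope = c.domain || host.toLowerCase();
    // Suffix match stands in for a Public Suffix List lookup (simplification).
    const firstParty = scope === site || scope.endsWith('.' + site) || site.endsWith('.' + scope);
    let days = 0; // session cookie
    if (Number.isFinite(c.maxAge)) days = c.maxAge / 86400; // Max-Age wins over Expires
    else if (c.expires && !Number.isNaN(c.expires.getTime())) days = (c.expires - now) / 86400000;
    const findings = [];
    if (!allowlist.includes(c.name)) findings.push('set-without-consent');
    if (!firstParty) findings.push('third-party');
    if (!c.secure) findings.push('not-secure');
    if (days > MAX_LIFETIME_DAYS) findings.push('excessive-lifetime');
    return { name: c.name, scope, findings };
  });
}

// Constructed sample capture; hosts, names and values are illustrative only.
const SAMPLE = [
  { host: 'news.example', header: 'consent=rejected; Path=/; Secure; Max-Age=15552000' },
  { host: 'news.example', header: 'prefs=abc; Domain=.news.example; Expires=Fri, 01 Jan 3019 00:00:00 GMT' },
  { host: 'ads.tracker.example', header: 'uid=123; Path=/; Secure; Max-Age=31536000' },
];

function runSample() {
  return auditAfterReject('news.example', SAMPLE, ['consent'], new Date('2019-06-01T00:00:00Z'));
}
```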

Even more cookie madness

Yup, cookies again. I have started to experiment with an App on the MacBook called Cookie. It seems to be the only one of its kind right now and has a two week free trial period. After fiddling with settings it really seems useful as one can flag those cookies you want to keep and then have it delete cookies on a timer basis as well as other deletion options. All of mine are ticked so it deletes on browser closure, on waking from sleep and others, and I wound the deletion timer back to one minute. So cookies generally clear before I leave the cookie laden website I wanted to view.

Its cookie screen makes a very useful check. I just visited a newspaper’s website and got the usual cookie popup with no way past until I either accepted or went into the options. I did the latter and clicked ‘reject all’ and save. And the website still set 32 (!) cookies, 7 of which were flagged as trackers. Not only that, but when I closed the site it had managed to set a further two cookies and one of those was a tracker.

Crazy.

Cookie madness

I’m sure we are all aware of cookies these days given we have cookie notices plastered at us on nearly every website, some of which let you get no further until you review all the options, and some which, illegally I might add, refuse to let you past unless you simply accept their cookies.

However, today I came across one that takes this a leap in completely the wrong direction. I browse with cookies turned off on the phone and happened to want to check out a particular railway website. It presents as the usual site, clearly mobile friendly with a menu icon top left. But where’s the cookie warning? It gives me a yellow box along the bottom with an ‘x’ top right to clear it and absolutely no text within that box. You guessed it, the cookie notice itself does not work with cookies turned off! Neither does the menu icon. And that takes the biscuit – see what I did there?

Airline fined over website cookie consent

Pinsent Masons carried a story recently regarding an airline being fined for a poor cookie consent mechanism on their website (1). Although the fine is relatively small it hopefully highlights the fact that authorities are taking note of complaints against websites.

For some years now it has been necessary to declare cookies and have a mechanism to gain consent, but many websites are sadly lacking, some really badly. I’ve ranted about this in the past and when I was still working I always tried to ensure our websites were compliant.

The case in hand (2) is one where the website in question told users how to block cookies but had no consent mechanism. It was pointed out that there needs to be a mechanism whereby cookies can be rejected, as well as options to enable all cookies or to enable just specific ones.

From my own checks on websites some are really good, some so-so, and some downright awful. Among the best I’ve seen are ones that have a very simple consent mechanism at the bottom of the page with checkboxes for each type of cookie, as well as a ‘reject all’ button. Among the worst are those that throw up a large popup which gives little choice other than to accept their cookies with no way into the site without so doing. Some, typically media websites, seem to burden the user with vast lists of partners with a ‘yes / no’ button against each. I have to say that when I find these latter types I take a screenshot for reference, and then wave goodbye. I also regularly clear my cookie cache so I don’t get stalked by adverts.

(1) https://www.pinsentmasons.com/out-law/news/airline-fined-over-cookie-consent-mechanism

(2) https://www.aepd.es/resoluciones/PS-00300-2019_ORI.pdf

Cookie consent

Seriously, when are website designers going to realise that setting lots of cookies and then asking for consent is the wrong way round? I mean, surely the concept is clear. Unless the cookie is strictly necessary, for example to carry out the function requested by the user, don’t set the darn thing until consent is gained. To me this is like someone plastering advertising stickers all over your car and then finding you and asking if it’s ok, versus someone asking ‘hey can I put these advertising stickers on your car?’

As I’ve said before, there are some truly excellent cookie consent mechanisms out there now, and some truly awful ones, and every mix in between. I’ve seen one recently that sets out your options at the bottom of the page rather than send you off to another page, and they were all pre-unchecked. And another, a cookie wall this time (to be banned soon!) where you either accept or go off to a completely different website run by an advertising agency, only to be told you then need to tell your browser to reject cookies. One had a list of about 400 partner sites and you had to deselect each, one very similar had the same but you could deselect them all in one go. But in each case they were selected by default and consent is gained basically by user frustration – click Yes just to get somewhere, anywhere.

Of course, you can always empty your browser’s cookie cache regularly as I do. But then you run the risk of Google asking you to go through their consent stuff for the umpteenth time because you deleted the cookie they set that remembers your answers. That’s understandable, but still frustrating. Browsers could use a mechanism whereby you clear out everything except a few you choose specifically to persist, and have a button on the menu bar to clear them too so you do not need to go diving into the menus.

Those pesky cookie consent notices…

Those that know me probably know I do go off on one when it comes to annoying uses of cookies. Well, I came across two allegedly GDPR-compliant consent pages today, each of which amazed me but for diametrically opposing reasons.

The first of the two threw up a box obscuring most of the website telling me it uses cookies, that I can find out why in the privacy notice, and then saying “You are hereby requested to accept the use of these cookies”. No other options.

Ok. First off, the privacy notice had just about zero information about what cookies it set and what these were used for. Fail. Next, there is no way to consent or refuse. Fail. The only way to remove the annoying box is to accept. Fail. Oh, and by the way it had already set the cookies anyway regardless of if I accepted or not. Major fail!

The second example I came across was so different. Here, and in just three sentences at the bottom of the screen, it told me what it used, why it used them, and below this were a series of 4 tick boxes for Necessary, Preference, Statistics, and Marketing, all ticked except Marketing. I didn’t even need to read the linked privacy notice nor anything else to know that the options it was offering were the ones I would have chosen anyway. This is by far the best implementation of a cookie consent popup I have ever seen! YMMV.

The cookie crumbled…

There are still lots of websites that are now wholly noncompliant with regard to cookies and cookie notices. I came across one today which has the usual 5th of a screen banner popup pleading with me to accept cookies:

“Please accept cookies so we can deliver you the best experience”

Well, I might if it told me even remotely why. Click on the ‘read more’ and it tells me what a cookie is and lists a series of links to browser information pages, each taking you off to the browser supplier’s own website. It does not give any option to select what type of cookie I will allow, nor does it say why it sets them, which ones it sets or what it, or others, will do with them. And of course it has already set them!

There are some really good (IMO) sites now which tell you they are setting cookies and let you choose which types, the better ones having the advertising type cookies deselected by default so if you just click through the screens you actually get the best option, privacy wise. Then there are media driven sites – those hanging off newspapers and such – which give you a list of 400+ websites, each of which you need to deselect or even visit in turn to stop that particular cookie. Seriously, those need shredding. I just click away when faced with them, and these days I regularly clear out all cookies anyway. The only ones of any interest to me personally are those that hold on to the fact that you are already logged into a forum, for example, and almost all the forums I use now have an option to automatically log me in using the password stored in the browser, so it matters not that I clear these out.

A kitchen full of unwanted cookies…

I was notified by email today of a document shared on Yahoo! that I needed to read. So… off to Yahoo! and I am presented with a screen about privacy. I can get no further before I either blindly accept all their cookies and those of their partners or I can manage what is set. Ok, let’s manage it then – off to the Privacy Centre (hmmm… UK spelling).

What I am looking for is a button where I can reject cookies. Ok… so in paragraph 2 of 12 or so, I lost count, I find the link to the Privacy Dashboard. Off we go then, I bet the ‘reject’ button is there, oh no wait I get a screen full of brand icons I can click to see how each partner will use my personal data. Hmmm. No reject button then…

I clicked the first one and I’m whizzed off, electronically, to the vendor’s site where I need to log in and prove I am not a robot. Try another. Same thing, and indeed the same login function hosted by AOL. And, you guessed it, it’s setting cookies before I have even had the chance to say yes or no.

And I’ve yet to get anywhere near the document I want to see…

I’m not going any further but seriously, if I actually wanted to find out how my personal data will be used by this website, the company behind it, the company behind them, and each of their partners and the companies behind those, it would take me an hour or more, and I’d be rewarded with a whole kitchen full of cookies.

So, the document remains unread… shame really. And now I need to get rid of the cookies that have been set before I even had the chance to say ‘no’.

Awful cookie consent pages…

There’s an interesting mixture of cookie consent pages and functions these days, ranging from one nice site I saw that had defaulted to ‘none’, to those that seem to want you to opt out individually to over 400 advertising cookies, with quite a few of those requiring you to go and find the advertiser in question to opt out. I just saw one which has the usual half-page banner that only gives an option to accept all cookies, but hidden (in plain sight) is a link that takes you to a consent page. This page does nothing other than wanting you to consent to all cookies but, if you try hard enough, it tells you how you can opt out – by visiting some advertising agency cookie control site. Er, no, that’s not how it should be done.

I wonder if anyone (other than me) actually bothers to complain to whatever agency is even listening about these stupid practices!