The owners of Google and Facebook were both heavily fined for using cookies illegally at the tail end of 2021 by the French data protection authority, Commission Nationale de l’Informatique et des Liberté (CNIL). On the French versions of Google, its sister platform YouTube, and Facebook, users were being asked to consent to cookies in such a way that it was much easier for them to accept than reject the request. They could accept cookies with just one click but there was a more laborious process for refusing.

Google owner Alphabet was fined €150 million (£125 million) and Facebook owner Meta €60 million. Alphabet was fined more because its breaches affected more people and it had been in trouble for violations in the past. Both companies were also given three months to change their systems to make it as easy for users to reject cookie requests.

Meta and Alphabet have yet to comply, though they have until April to do so. The law in the UK and the rest of the EU is also the same as in France, so it is going to be interesting to see what they do in these jurisdictions too.

In the meantime, I looked at what many other companies were doing and found that many are still collecting data using cookies in similar ways. So what’s going on?

Cookie laws and workarounds

Cookies are small text files stored by websites on our internet browsers, which allow the website to gather information about us. Some cookies are necessary for us to be able to browse the site in question – for example, to add items to a shopping cart.

More contentious cookies track a user’s browsing behaviour. There are first-person cookies, where the site in question tracks users’ behaviour to offer them relevant products; and third-party cookies, where this is done by another company to allow others to advertise to the user instead – the classic example is Google Ads.

Cookies gather so much information that it is usually more than enough to identify the person behind the device. Besides visits to particular web pages, they can also record a person’s search queries, goods or services purchased, IP address and exact location.

From this, it is possible to infer a person’s name, nationality, language, religion, sexual orientation and other intimate details – most of which are special categories of personal data that cannot be processed without the explicit consent of the individual under EU ePrivacy Directive and the EU and UK’s General Data Protection Regulation (GDPR).

The GDPR requires such consent to be specific, informed, unambiguous and given freely – requiring affirmative action by the user. Unfortunately, this is not giving us a great deal of protection.

Websites have used various methods to get around the requirements. Most cookie consent requests used to be presented with pre-selected tick boxes that, by default, made individuals accept cookies on their devices. In 2019 the Court of Justice of the European Union (CJEU) decided websites could no longer do this, since it avoided the GDPR’s affirmative action requirement. But such is the value of the data that can be gathered using cookies that websites merely switched to different workarounds instead.

The popular option is the one that saw Facebook and Google sanctioned by the CNIL in France. The CNIL essentially said that when it comes to refusing cookie consent, two clicks are too many: it meant that people are being pressured into consenting, and was therefore contrary to the GDPR’s free consent requirement. This presumably explains why, from a 2020 experimental study of users who had lived in the EU, 93% accepted cookies regardless of having a second window option for managing them.

The wider issue

The French interpretation of the GDPR is not binding on the British courts, the CJEU or other regulators in Europe. So, once the CNIL’s three-month deadline runs out, websites with similar imbalanced cookie consent in other GDPR countries might claim there is an ambiguity in the law around what counts as consent. But really the law is quite clear and the French interpretation should be a strong signal that other privacy authorities will reach a similar conclusion.

And yet, when I looked at 50 randomly chosen well-known websites, only 15 (30%) appear to comply with the EU/UK data privacy laws. Some of those sites which are compliant, such as ebay.co.uk, provide “Accept” and “Decline” buttons in the same banner. Others such as bbc.co.uk make it more difficult to reject cookies but allow users to browse without consenting to them.

As many as 32 (64%) of the sites did not appear to comply with EU and UK cookies laws. These include Google, Facebook and Twitter, as well as other major businesses such as Ryanair and the website of the Daily Mirror.

Twitter, for example, merely notifies the user of consent in a banner that states: “By using Twitter’s services, you agree to our cookies use”. Other companies, including Google and Facebook, hide the refuse/decline button in a second window. Still others, such as Ryanair, create a cookies wall where visitors may use the site only if they choose “Yes, I agree” or go to the “View cookies setting” to select their preferences.

There were a further three websites where it was either unclear or borderline as to whether they were within the rules. Spotify, like the BBC, has a typical cookies banner but lets users browse without accepting the cookies. But its cookies banner covers half of the device screen. This reduces the quality of the user’s browsing experience and could potentially be regarded as a coercive practice.

The fact that big tech companies are not complying with cookies laws suggests that millions of citizens are likely having their personal data gathered unlawfully. It is hard not to wonder if some companies are knowingly breaching the rules because they generate so much revenue from their cookies that it’s worth risking a sanction for a privacy breach.

They may also be betting that the relevant authorities are too underfunded or understaffed to enforce the rules. For example, a recent report by the Dutch ombudsman highlighted that the relevant authority in that country had 9,800 unresolved privacy complaints at the end of 2020. And according to the Irish Council for Civil Liberties, “almost all (98%) major GDPR cases referred to Ireland remain unresolved” – in part due to lack of budget and sufficient specialist staff. The situation is unlikely to be radically different in other EU countries.

If the UK and EU are serious about protecting citizens’ privacy, they need to amend the rules to be more specific about what a consent window should look like, and run information campaigns to make it clear to citizens that withholding consent cannot in any way limit their browsing experience. They should also allocate the required resources to enforce the rules. Only then will the laws around these little-understood tools for harvesting our data be fit for purpose.