How often do you just click “Accept all cookies” when visiting a website? It always seems easier to click that one, prominent button than fight your way through several screens and clicks to reject cookies or to only accept the bare minimum.
This difficulty is a coordinated attempt by websites to make it harder to stop them from tracking you digitally.
Who are the worst offenders? Would you believe it’s Google and Facebook – which the French privacy watchdog last year fined €150 million and €60 million, respectively. They have three months, from January this year, to rectify the settings.
The Commission Nationale de l’Informatique et des Liberté (CNIL) found “facebook.com, google.fr and youtube.com do not make refusing cookies as easy as to accept them.”
These three sites “offer a button allowing the user to immediately accept cookies. However, they do not provide an equivalent solution (button or other) enabling the Internet user to easily refuse the deposit of these cookies. Several clicks are required to refuse all cookies, against a single one to accept them.”
Quite correctly, the CNIL concludes that “this process affects the freedom of consent: since, on the Internet, the user expects to be able to quickly consult a website, the fact that they cannot refuse the cookies as easily as they can accept them influences their choice in favour of consent.”
Hand in the cookie jar
This is the latest round of legal action for Big Tech, where European privacy regulators are showing they have had enough of the surveillance capitalism that has made the web a free-for-all of personal data being used, abused, and traded.
Cookies are the tools used by surveillance capitalism, but there is a concerted effort to banish them. Google has announced it will stop so-called third-party cookies in its Chrome browser. These third-party cookies are from other digital advertising networks, which seem like a move in favour of consumers, but it doesn’t mean Google will stop tracking users itself.
When a researcher investigated 50 randomly chosen well-known websites, only 15 (30%) appear to comply with the EU/UK data privacy laws. As many as 32 (64%) of the sites did not appear to comply with EU and UK cookies laws. Including Google, Facebook, and Twitter says Asress Adimi Gikay, a lecturer in AI, disruptive innovation, and law at Brunel University in London.
The trick used by websites is a simple and frustrating one. Clicking “accept all” is quick and immediately obvious, but rejecting to specifying which cookies to accept is not, Gikay found.
“Twitter, for example, merely notifies the user of consent in a banner that states: ‘By using Twitter’s services, you agree to our cookies use’. Other companies, including Google and Facebook, hide the refuse/decline button in a second window. Still others, such as Ryanair, create a cookies wall where visitors may use the site only if they choose ‘Yes, I agree’ or go to the ‘view cookies setting’ to select their preferences,” Gikay wrote in The Conversation.
Spotify, like the BBC, has a typical cookies banner but lets users browse without accepting the cookies – but the cookies banner covers half of the device screen. “This reduces the quality of the user’s browsing experience and could potentially be regarded as a coercive practice.”
But, as Gikay argues, the “fact that big tech companies are not complying with cookies laws suggests that millions of citizens are likely having their personal data gathered unlawfully. It is hard not to wonder if some companies are knowingly breaching the rules because they generate so much revenue from their cookies that it’s worth risking a sanction for a privacy breach.”
Big Tech is playing as close to the line as possible, as it tries to hold on to its means of surveillance while trying not to get sued.
Gikay suggests they “may also bet that the relevant authorities are too underfunded or understaffed to enforce the rules. For example, a recent report by the Dutch ombudsman highlighted that the relevant authority in that country had 9,800 unresolved privacy complaints at the end of 2020. And according to the Irish Council for Civil Liberties, ‘almost all (98%) major GDPR cases referred to Ireland remain unresolved’ – in part due to lack of budget and sufficient specialist staff.”
He adds: “The situation is unlikely to be radically different in other EU countries.”
It’s no different in South Africa, where new privacy laws – the Protection of Personal Information Act (Popia) – have been enacted, but websites are still cavalier about privacy. A random check of some SA websites revealed the same issues privacy watchdogs are reporting globally. Many don’t even offer an alternative other than “accept cookies”. Arguably the biggest problem is that SA consumers are unaware of their rights being trammelled and they simply take the path of least resistance and click accept. Businesses that do this should be prosecuted in terms of the POPI Act, but don’t hold your breath. The instigators of the July 2021 “failed insurrection” will be in court before any data-hoarding businesses.
