Most Cookies Banners Don't Do What You Think

Most websites in Europe offer you the choice to accept or refuse cookies used to track and surveil visitors, but what if it's all just compliance theater?


This topic was originally covered in Episode 7 of the Royal Palace Podcast.

For European internet users, the cookie banner has become an annoying fact of everyday life. In the best of times, we are asked a simple yes-or-no question: may we collect an enormous amount of your personal data? But in many cases, we are presented with a frustrating myriad of so-called dark patterns designed to discourage users from withholding their consent.

A lot has already been said by others on the topic of dark patterns, much of which can be found in marketing copy disguised as blog posts and "helpful guides" by companies offering so-called "GDPR-compliant" cookie banners as a service.

Yet, no one seems to be talking about the biggest dark pattern on the internet today: the cookie banner itself.

This is because, contrary to popular belief, there is no explicit obligation under GDPR to display a cookie banner whatsoever. In fact, the word "cookie" appears only once in the entire text of the 88-page EU Regulation.

The legal basis for cookie banners can be traced back to what is commonly referred to as the ePrivacy Directive, which holds that cookies must only be used for legitimate purposes and that users should have the option to refuse them in as "user-friendly" a manner as possible. The Directive also allows for cookies to be forced on users to facilitate access to "specific website content," presumably content only accessible to authenticated users—since cookies are the main way a website can recognize a signed-in user.

EU Directives, as opposed to EU Regulations, do not have direct effect; instead, they serve as frameworks for national legislatures to implement their own laws in the image of EU policy. As a result, obtaining the explicit consent required by the ePrivacy Directive might have been interpreted differently across Member States—and indeed, many websites seemed only to make gestures towards compliance.

Everything changed with the introduction of GDPR. As an EU Regulation, it would have direct effect across all Member States, regardless of national legislation, and introduced eye-watering fines for violators. In outlining general principles for protecting personal data, GDPR—in theory, at least—leaves no part of the internet untouched, including the use of cookies.

Under GDPR, personal data may only be collected and processed after meeting the following three conditions:

  1. Data is collected and processed in pursuit of an explicit legitimate interest.
  2. Data processing must be limited to what is strictly necessary to accomplish the stated legitimate interest.
  3. The processing of data in pursuit of a stated interest must not be outweighed by the interests or freedoms of individuals (right of access, rectification, restriction, data portability, and objection).

Even if these conditions are met, data must still only be processed in a way that respects the principles of data minimization, storage limitation, integrity, confidentiality, and explicit and informed consent.

Why do most websites use cookies?

Cookies are essentially pieces of information that websites leave behind on your web browser to remember something about you. On one hand, this could be the fact that you have properly authenticated into online banking and are therefore authorized to view the corresponding balance. But very often, cookies are used to remember that you are John Doe from New York City with a gambling addiction—a fact that may be used to "improve your experience" by enticing you to try out a new sports betting app!

The practice of exploiting cookies for tracking purposes may have originated in the advertising industry, but the nature of the data they collect can be used by nearly anyone for an unimaginable number of malicious purposes—including skirting the protections of the 4th Amendment (see: The Government Really Is Spying On You — And It’s Legal | Politico).

However, while cookies are the main way of following users around, they are not the only method. As browsers have become less tolerant of third-party cookies, advertisers have begun moving towards first-party cookies and fingerprinting as a means of tracking users around the internet—both of which are much harder for regulators and consumers to detect.

At first, it feels empowering to be offered the choice of whether to allow sleazy advertisers into your browser's cookie jar, but have you ever actually verified that they respected your choice?

A technical point: we said that cookies remember something about you—so how do you suppose many websites implement your refusal to accept cookies? That's right, with a cookie! So in that sense, no, they don't work.

Many websites implement cookies in various ways—through analytics platforms, advertising, or at the content delivery level. And since building the infrastructure to ensure cookies are not used without explicit user consent is not a compelling business proposition for many, the indicator of success is often whether or not a banner appears for users. This situation lends itself to misconfigurations going unnoticed, or some websites knowingly implementing purely "cosmetic" cookie banners.

In a recent paper titled Automated Large-Scale Analysis of Cookie Notice Compliance, researchers Ahmed Bouhoula, Karel Kubicek, Amit Zac, Carlos Cotrini, and David Basin at ETH Zurich show that the vast majority of websites simply ignore when users explicitly refuse cookies and often load cookies before a user has time to interact with the cookie banner!
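The two failure modes described above (cookies dropped before the banner is answered, and a refusal that is simply ignored) can be checked from a capture of the Set-Cookie headers a browser receives. The script below is an added example, not code from the article or from the ETH Zurich paper: it classifies such headers, assuming a first-party host of `example.com` and a consent cookie named `consent_choice`, and all captures in it are constructed sample data.

```python
# Added example (not from the article): audit which cookies a site sets before the
# banner is answered and after the visitor clicks "refuse". All captures below are
# constructed sample data; example.com is the assumed first-party host and
# consent_choice the assumed name of the cookie that stores the banner decision.
from __future__ import annotations

FIRST_PARTY = "example.com"        # assumed site under audit
CONSENT_COOKIE = "consent_choice"  # assumed name of the banner's own cookie

def parse_set_cookie(header: str) -> tuple[str, bool]:
    """Return (name, persistent); persistent means Max-Age or Expires is present,
    so the cookie outlives the browser session."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
    return name, bool(attrs & {"max-age", "expires"})

def is_first_party(host: str) -> bool:
    return host.lower() == FIRST_PARTY or host.lower().endswith("." + FIRST_PARTY)

def flag_cookies(observed: list[tuple[str, str]]) -> list[str]:
    """Names of cookies in a capture that need consent. Each item is
    (Set-Cookie header, host whose response carried it). Not flagged: the
    consent cookie itself (it stores the refusal, which is why the banner
    needs a cookie at all) and session-only first-party cookies, the usual
    'strictly necessary' case such as a login session."""
    flagged = []
    for header, setter in observed:
        name, persistent = parse_set_cookie(header)
        if name == CONSENT_COOKIE:
            continue
        if persistent or not is_first_party(setter):
            flagged.append(name)
    return flagged

# Constructed captures: headers seen on first load, then after clicking "refuse".
BEFORE_INTERACTION = [
    ("sessid=abc123; Path=/; HttpOnly; Secure", "example.com"),
    ("visitor_id=9f8e7d; Max-Age=63072000; Path=/", "example.com"),
    ("track=u-1234; Expires=Tue, 01 Jan 2030 00:00:00 GMT; Path=/", "ads.tracker.example"),
]
AFTER_REFUSAL = [
    ("consent_choice=rejected; Max-Age=15552000; Path=/", "example.com"),
    ("track=u-1234; Max-Age=31536000; Path=/", "ads.tracker.example"),
]

if __name__ == "__main__":
    print("set before any choice:", flag_cookies(BEFORE_INTERACTION))  # ['visitor_id', 'track']
    print("set after refusing:", flag_cookies(AFTER_REFUSAL))          # ['track']
```

A non-empty second list means the site stored the refusal and then kept setting tracking cookies anyway, which is exactly the cosmetic banner the paper measures.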

Is there anything users can do about it?

Unfortunately, the problem of ubiquitous internet surveillance by companies and governments cannot be solved by purely technical means—despite what some libertarian cyberpunks would have you believe. What is needed is zealous enforcement of GDPR and stronger legislation to protect user privacy.

Nevertheless, users can use uBlock Origin (which, thanks to Google, no longer works on Chrome) to block not only ads but also cookie banners! We at Royal Palace Media wouldn't think of browsing without it!