I looked at 50 well-known websites and most are gathering our data illegally
- Written by Asress Adimi Gikay, Lecturer in AI, Disruptive Innovation and Law, Brunel University London
The owners of Google and Facebook were both heavily fined[1] for using cookies illegally at the tail end of 2021 by the French data protection authority, Commission Nationale de l’Informatique et des Libertés[2] (CNIL). On the French versions of Google, its sister platform YouTube, and Facebook, users were being asked to consent to cookies in such a way that it was much easier for them to accept than reject the request. They could accept cookies with just one click but there was a more laborious process for refusing.
Google owner Alphabet was fined €150 million (£125 million) and Facebook owner Meta €60 million. Alphabet was fined more because its breaches affected more people and it had been in trouble for violations in the past[3]. Both companies were also given three months to change their systems to make it as easy for users to reject cookie requests as to accept them.
Meta and Alphabet have yet to comply, though they have until April to do so. The law in the UK and across the EU is the same as in France, so it will be interesting to see what they do in these jurisdictions too.
In the meantime, I looked at what many other companies were doing and found that many are still collecting data using cookies in similar ways. So what’s going on?
Cookie laws and workarounds
Cookies are small text files stored by websites on our internet browsers, which allow the website to gather information about us. Some cookies are necessary[4] for us to be able to browse the site in question – for example, to add items to a shopping cart.
More contentious cookies[5] track a user’s browsing behaviour[6]. There are first-party cookies, where the site in question tracks users’ behaviour to offer them relevant products; and third-party cookies, where this is done by another company to allow others to advertise to the user instead – the classic example is Google Ads.
Cookies gather so much information that it is usually more than enough to identify the person behind the device. Besides visits to particular web pages, they can also record[7] a person’s search queries, goods or services purchased, IP address and exact location.
From this, it is possible to infer a person’s name, nationality, language, religion, sexual orientation and other intimate details – most of which are special categories[8] of personal data that cannot be processed without the explicit consent of the individual under the EU ePrivacy Directive[9] and the EU and UK’s General Data Protection Regulation (GDPR).
The GDPR requires such consent[10] to be specific, informed, unambiguous and given freely[11] – requiring affirmative action by the user. Unfortunately, this is not giving us a great deal of protection.
Websites have used various methods to get around the requirements. Most cookie consent requests used to be presented with pre-selected tick boxes that, by default, made individuals accept cookies on their devices. In 2019 the Court of Justice of the European Union (CJEU)[13] decided websites could no longer do this, since it avoided the GDPR’s affirmative action requirement. But such is the value of the data that can be gathered using cookies that websites merely switched to different workarounds instead.
The popular option is the one that saw Facebook and Google sanctioned by the CNIL in France. The CNIL essentially said that when it comes to refusing cookie consent, two clicks are too many: it meant that people were being pressured into consenting, and was therefore contrary to the GDPR’s free consent requirement. This presumably explains why, in a 2020 experimental study[14] of users who had lived in the EU, 93% accepted cookies despite having a second-window option for managing them.
The wider issue
The French interpretation of the GDPR is not binding on the British courts, the CJEU or other regulators in Europe. So, once the CNIL’s three-month deadline runs out, websites with similarly imbalanced cookie consent in other GDPR countries might claim there is an ambiguity in the law around what counts as consent. But really the law is quite clear and the French interpretation should be a strong signal that other privacy authorities will reach a similar conclusion.
And yet, when I looked at 50 randomly chosen well-known websites, only 15 (30%) appear to comply with the EU/UK data privacy laws. Some of those sites which are compliant, such as ebay.co.uk[15], provide “Accept” and “Decline” buttons in the same banner. Others such as bbc.co.uk[16] make it more difficult to reject cookies but allow users to browse without consenting to them.
As many as 32 (64%) of the sites did not appear to comply with EU and UK cookie laws. These include Google, Facebook and Twitter, as well as other major businesses such as Ryanair[17] and the website of the Daily Mirror[18].
Twitter, for example, merely notifies the user of consent in a banner that states: “By using Twitter’s services, you agree to our cookies use”. Other companies, including Google and Facebook, hide the refuse/decline button in a second window. Still others, such as Ryanair, create a cookie wall where visitors may use the site only if they choose “Yes, I agree” or go to the “View cookies setting” to select their preferences.
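The banner patterns described above can be checked mechanically by asking whether a refusal control sits on the same first layer as the accept control. The Python sketch below is an added example, not part of the original article or any site's code; the keyword lists, category names and sample HTML are constructed assumptions. It reads only the first layer, so a cookie wall and a refuse button hidden in a second window both come out as "accept_only_first_layer".

```python
from html.parser import HTMLParser

# Assumed English keyword lists; a real audit would need per-language lists.
REJECT = ("reject", "decline", "refuse", "deny", "disagree")
SETTINGS = ("setting", "preference", "manage")
ACCEPT = ("accept", "agree", "allow")

class _Controls(HTMLParser):
    """Collect the visible labels of buttons and links in a banner."""
    def __init__(self):
        super().__init__()
        self.labels, self._buf = [], None
    def handle_starttag(self, tag, attrs):
        if tag in ("button", "a"):
            self._buf = []
    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)
    def handle_endtag(self, tag):
        if tag in ("button", "a") and self._buf is not None:
            self.labels.append(" ".join("".join(self._buf).split()).lower())
            self._buf = None

def _kind(label):
    # Reject is tested first so "disagree" is never counted as "agree".
    for kind, words in (("reject", REJECT), ("settings", SETTINGS), ("accept", ACCEPT)):
        if any(w in label for w in words):
            return kind
    return None

def classify_banner(first_layer_html):
    """Classify a consent banner by the controls on its first layer only."""
    parser = _Controls()
    parser.feed(first_layer_html)
    parser.close()
    kinds = {_kind(label) for label in parser.labels}
    if "reject" in kinds:
        return "reject_on_first_layer"    # accept and decline in the same banner
    if "accept" in kinds:
        return "accept_only_first_layer"  # refusing takes extra clicks
    return "notice_only"                  # banner informs but offers no choice

# Constructed sample banners modelled on the wording quoted in the article.
SAMPLES = {
    "same_banner": "<div><button>Accept</button><button>Decline</button></div>",
    "wall": "<div><button><span>Yes, I agree</span></button>"
            "<a href='#'>View cookies setting</a></div>",
    "notice": "<div>By using our services, you agree to our cookies use. "
              "<a href='/cookies'>Learn more</a><button>Close</button></div>",
}
```
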