Cookie consent is all about privacy legislation. It is designed to allow users to choose what can be stored and retrieved from their device. In Europe, it was adopted into law in 2011 and strengthened with the privacy requirements of the GDPR. Many websites do a good job of handling this when users hit their website.
However, not everyone likes it. Many see it as impacting their ability to monetise their websites through partnerships with advertisers and other data aggregators. Websites in Europe are expected to allow users to reject being tracked by third parties. Some websites do a good job of this but others, it now transpires, deliberately mislead their visitors.
In a statement, Gaëtan Goldberg, Data Protection Lawyer at noyb, wrote: “As if the annoying cookie banners using dark patterns to force people to consent were not enough, the current system allows webpages to simply ‘fake’ the consent of users. It appears that no one in this system ensures that users have actually agreed to being tracked. It is outrageous that webpages simply replace a ‘no’ with ‘yes’ to be able to sell our data. We hope the CNIL will rapidly take action.”
Three major French websites outed for cookie consent deceit
To see how well websites were doing when it comes to cookie consent, noyb ran tests using the Cookie Glasses browser extension. It found that three large French websites were ignoring user tracking opt-outs. In fact, they were doing more than ignoring them: they were actively sending tracking messages to third parties. This means that users were being tracked without knowing it.
The offending websites are eCommerce page CDiscount, movie guide page Allocine.fr and the fashion magazine Vanity Fair. Each of these websites misled users into thinking they were opting out. Irrespective of what the visitors did, the websites sent fake consent messages to all of the tracking companies. The result is that those companies installed tracking cookies on the users' machines.
The number of fake consents per website is:
- CDiscount – 431
- Allocine – 565
- Vanity Fair – 375
IAB Europe failing website visitors
Compounding the issue is the role of the Interactive Advertising Bureau. It is the industry body that publishes the transparency & consent framework for the digital marketing and advertising industry.
noyb suggests that the IAB is failing in its role. The IAB framework does no checking on what the user actually requested. This means that the website can send whatever message it likes to the tracking companies. It raises the question: what is the point of the IAB framework? Why is it not designed to verify the user consent rather than rely on the website owner? After all, the latter has a vested interest in setting tracking consent to yes.
IAB Europe refutes noyb claim
Enterprise Times contacted IAB Europe to ask for their response to the noyb press release. Townsend Feehan, CEO, IAB Europe, responded saying:
“The noyb.eu press release and complaints erroneously suggest that IAB Europe’s Transparency & Consent Framework (TCF) is designed to enable “fake consent” signals to be sent throughout the digital advertising ecosystem. On the contrary, the TCF policies and technical specifications were created precisely to ensure that the types of behaviour detected by the INRIA research project, do not occur.
“TCF policies explicitly require that signals generated under the framework accurately reflect all user choices and that such signals are collected, logged and transmitted in accordance with what is required under the GDPR. Where publishers implement TCF-compliant consent management platforms (CMPs), the generation of any signals prior to informing the user and the user expressing their choices with regard to the processing of their data is forbidden. Hence, as a tool which strives to help the digital advertising industry comply with data privacy requirements, the TCF should be seen as part of the solution and not part of the problem.
“IAB Europe believes that the research conducted by INRIA illustrates the value of a standardised solution such as the TCF in enabling enforcement authorities to hold data controllers accountable. We hope that the CNIL will use this opportunity to encourage market players to embrace this open-source, cross-industry standard going forward, and invite Mr. Schrems as well as the INRIA research team, to engage in a dialogue with us about how the TCF can be used to deliver on the requirements of the GDPR.”
Enterprise Times: What does this mean
Data is everything to advertisers. Without it they don’t know who to target their products at. It is so important that many US websites will no longer allow European users to connect because they don’t want to allow them to opt-out of data gathering.
The problem for users is that advertisers are grabbing so much data that there is no privacy left. Visit a healthcare site and within minutes Facebook is offering you ads based on what you just looked up. Look at a car website and your inbox and social media are suddenly full of adverts for everything to do with vehicles.
To protect consumers, the EU introduced the Cookie Law in 2011 and strengthened it with the GDPR. Given the penalties for GDPR failure, it might seem reasonable that companies would obey the law. What noyb has found is that very large websites are not just failing to meet the law but actively misleading visitors.
It is highly likely that the CNIL will hit all three sites with significant fines. What will then be important is whether those sites appeal or accept the fines and fix their websites. Despite its denial, IAB Europe is also likely to come under scrutiny for the role of its framework in all of this. These cases will shine a very bright light onto how it polices the way its framework functions.