Cookie Consent Notices: Why They Matter & What to Watch For

Cookie consent banners

We’ve all seen them on websites: consent notices for cookies. They pop up the first time you visit a site (and sometimes keep popping up on every visit). Most people click right through them without paying attention. What are they? Why are they everywhere on the internet now? Do they actually matter?

Cookie consent banners and notice elements appear in windows that pop into the foreground of the screen as soon as you access a website. You’ll mostly see them on European and UK websites because they’re required by the GDPR (they’re really required by the ePrivacy Directive, but GDPR governs how sites obtain consent). They tell you what the website does with cookies, which companies they share data with, and what data they’re collecting.

They are also required to tell you that you have the right to refuse cookies (except for the ones which are necessary to operate the website).

Consent options

Most cookie notices will have an option to see a detailed list of organizations that set cookies on the site. They should also allow you to choose which cookies you agree to accept. Normally, you have to tell the site whether you consent to cookies or not before you access the site. (You also get access to other privacy-related information, but we’ll talk about that another time.)

A cookie notice on a US website that is complying with California’s CCPA will give you similar information about what the site is doing with cookies and what data they’re collecting. They will allow you to opt-out of non-vital cookies, but if you ignore the popup – which you’re not allowed to do under the GDPR – it assumes you have agreed to cookies and lets you use the website.

In other words, under the CCPA, cookies are opt-OUT and are set by default, while under the GDPR, they are opt-IN, and you have to agree to them before they are set. In both cases, if you operate the site, regulation requires you to display these notices, keep them accurate and complete, and make sure the choices they offer are actually enforced.

What are they intended to accomplish?

A fundamental principle of privacy is that individuals have a right to know what’s being done with their personal information, why, and by whom.

That’s what these cookie consents are intended to do concerning the use of cookies and other tracking information by a website. They are designed to explain, in clear and concise language, all of those points and (under GDPR) allow the user to decide which cookies they consent to, if any. Under CCPA, cookie consent notices are designed to allow users the opportunity to opt-out if they choose.

The information the website provides is legally expected to not only be presented clearly for a non-technical audience but also to be accurate and complete. If it fails on those points, the organization which operates the website can face fines (which under GDPR can be exceptionally large).

The flaw in all of these designed processes is that people rarely read them.

They’re seen simply as a barrier between users and the content they want to see. Most users are in the habit of clicking “I agree” to dismiss them, a habit formed by the many other online agreements we have become accustomed to dismissing without reading. Even as a privacy professional, I don’t read them during routine browsing. I click through like everyone else unless I have a specific reason to look at a consent. But they’re still there if I want to look, and that is one of the main transparency and disclosure points.

What can go wrong?

First, the fact that people almost never read them does not mean that website owners can safely become complacent about the accuracy and completeness of their content. These notices may be ignored in normal use, but regulators or individuals can become very interested in them if something goes wrong, or if there’s an investigation and it turns out a business wasn’t complying with the regulations. Your consent notices had better be honest and complete. They are, after all, your company’s binding statement about what you do with users’ data.

One fairly common issue is that some websites start tracking visitors as soon as they hit the site – in other words, before the visitor has answered the consent notice.

Under GDPR, that’s technically a problem. If a user decides not to consent to tracking, you shouldn’t begin tracking in the first place. There are several areas in the GDPR which data protection authorities have not been focusing on, including this one, but nobody wants to be a test case when a regulatory authority suddenly decides it’s time to take on an issue.
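The opt-in/opt-out distinction above and the "tracking before consent" problem both come down to one implementation decision: tracking scripts must not be loaded inline in the page head, but registered with a gate that starts them only when the visitor's recorded choice (or the regime's default) allows it. The following is an added example, not code from the original post or from any consent vendor; the category names, the `ConsentGate` API and the loader callbacks are assumptions for the demonstration, and the loaders would inject the real vendor `<script>` tags in a live page.

```javascript
// Added example (not from the original post): a consent gate that defers
// third-party tracking until the visitor has answered the notice.
// "optin"  models the GDPR rule described above: nothing fires until the
//          visitor actively agrees.
// "optout" models the CCPA behaviour described above: tracking is permitted
//          by default and stops being loaded once the visitor opts out.
// Category names and the loader callbacks are assumptions for the demo.

const STRICTLY_NECESSARY = "necessary"; // always allowed, no consent needed

function isAllowed(regime, category, decisions) {
  if (category === STRICTLY_NECESSARY) return true;
  if (regime === "optin") return decisions[category] === true;   // explicit yes only
  if (regime === "optout") return decisions[category] !== false; // until explicit no
  throw new Error(`unknown regime: ${regime}`);
}

class ConsentGate {
  constructor(regime) {
    this.regime = regime;
    this.decisions = {}; // category -> true/false, filled in by the banner
    this.pending = [];   // trackers registered but not yet permitted
    this.loaded = [];    // names of trackers actually started
  }

  // Register a tracker here instead of loading it inline in the page head.
  register(name, category, loader) {
    const entry = { name, category, loader };
    if (isAllowed(this.regime, category, this.decisions)) this.start(entry);
    else this.pending.push(entry);
  }

  start(entry) {
    this.loaded.push(entry.name);
    entry.loader(); // in a real page: inject the vendor <script> here
  }

  // Called by the banner when the visitor submits choices; starts whatever
  // is now permitted and keeps the rest blocked.
  record(decisions) {
    Object.assign(this.decisions, decisions);
    const stillPending = [];
    for (const entry of this.pending) {
      if (isAllowed(this.regime, entry.category, this.decisions)) this.start(entry);
      else stillPending.push(entry);
    }
    this.pending = stillPending;
    return this.loaded.slice();
  }
}

// Demo: an opt-in site never starts analytics or ads before the visitor answers.
function demoOptIn() {
  const gate = new ConsentGate("optin");
  const fired = [];
  gate.register("session-cookie", STRICTLY_NECESSARY, () => fired.push("session"));
  gate.register("analytics-vendor", "analytics", () => fired.push("analytics"));
  gate.register("ad-network", "advertising", () => fired.push("ads"));
  const beforeAnswer = fired.slice();
  gate.record({ analytics: true, advertising: false });
  return { beforeAnswer, afterAnswer: fired.slice(), pending: gate.pending.map((e) => e.name) };
}

// Demo: an opt-out site loads the same tracker immediately, by default.
function demoOptOut() {
  const gate = new ConsentGate("optout");
  const fired = [];
  gate.register("ad-network", "advertising", () => fired.push("ads"));
  return fired.slice();
}

console.log(demoOptIn(), demoOptOut());
```

Note that under the opt-out model a tracker that has already been started cannot be un-loaded by a later `record({ advertising: false })` call; honouring the opt-out fully means also dropping the cookies it set and not loading it on the next page view, which is exactly why the opt-in model is simpler to get right.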

Another issue is that web environments, especially on complex sites, are dynamic. The third parties present, and what they’re doing with the data, change over time.

When these changes are authorized and well documented, automated privacy software such as Osano helps your site administrators stay on top of the environment and keep your cookie notice and consent records up to date and complete. However, not all changes are well documented, and the third-party ecosystem can change rapidly. It is therefore also critical to have something in place, such as Lokker, that gives you a complete, real-time listing of third (and downstream) parties and lets you block destinations deemed unsafe to send data to, so you don’t inadvertently violate a consent.
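The drift problem described above can be checked for directly: take the set of origins a page actually contacted and compare it with the vendor list disclosed in the cookie notice. The following is an added example, not code from the original post or from either vendor named above; the resource URLs and vendor domains are a constructed sample (in practice they would come from the browser's performance entries or a HAR capture), `FIRST_PARTY` is an assumed site domain, and the registrable-domain helper is a deliberate simplification that does not handle multi-part public suffixes such as `co.uk`.

```javascript
// Added example (not the post's or any vendor's code): compare the third-party
// origins a page contacted with the vendors disclosed in the cookie notice and
// report anything undisclosed, plus disclosed vendors that no longer appear.
// All domain names below are constructed for the demo.

const FIRST_PARTY = "shop.example"; // assumption: the site's own registrable domain

// Approximate the registrable domain as the last two labels. Simplification:
// multi-part suffixes such as co.uk need a public suffix list in real use.
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().split(".").filter(Boolean);
  return labels.length <= 2 ? labels.join(".") : labels.slice(-2).join(".");
}

function auditThirdParties(resourceUrls, disclosedDomains) {
  const seen = new Map(); // registrable domain -> first URL that hit it
  for (const u of resourceUrls) {
    let parsed;
    try {
      parsed = new URL(u);
    } catch {
      continue; // malformed entries are skipped rather than crashing the audit
    }
    if (parsed.protocol !== "http:" && parsed.protocol !== "https:") continue; // data:, blob:
    const dom = registrableDomain(parsed.hostname);
    if (dom === FIRST_PARTY) continue;
    if (!seen.has(dom)) seen.set(dom, u);
  }
  const disclosed = new Set(disclosedDomains.map((d) => d.toLowerCase()));
  return {
    contacted: [...seen.keys()].sort(),
    // contacted but absent from the notice: a consent the site may be violating
    undisclosed: [...seen.keys()].filter((d) => !disclosed.has(d)).sort(),
    // in the notice but never contacted: a stale disclosure worth reviewing
    unused: [...disclosed].filter((d) => !seen.has(d)).sort(),
    examples: Object.fromEntries(seen),
  };
}

// Constructed sample of what a page load contacted.
const SAMPLE_RESOURCES = [
  "https://shop.example/app.js",
  "https://cdn.shop.example/logo.png",
  "https://analytics-vendor.example/collect?cid=1",
  "https://tags.analytics-vendor.example/tag.js",
  "https://ads-network.example/pixel.gif",
  "https://newtracker.example/beacon",
  "data:image/png;base64,iVBORw0KGgo=",
];

// Constructed vendor list, as the cookie notice currently discloses it.
const DISCLOSED_IN_NOTICE = ["analytics-vendor.example", "ads-network.example", "old-vendor.example"];

function runAudit() {
  return auditThirdParties(SAMPLE_RESOURCES, DISCLOSED_IN_NOTICE);
}

console.log(runAudit());
```

Run on the sample, the audit flags `newtracker.example` as an undisclosed recipient of data and `old-vendor.example` as a disclosure that no longer matches reality; a downstream party loaded by one of the disclosed vendors would show up the same way, which is the "downstream parties" point made above.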

Author:
J.D., CISSP, CIPM, CIPP/E, FIP. Expertise in law, technology, information security, data privacy, healthcare analytics, and healthcare. Develops privacy and security programs; collaborates across the company to deliver creative solutions while ensuring the privacy and security of data. Passionate about creating a culture where all employees understand the importance of handling data correctly, recognize and speak up about potential issues, and are actively engaged in the process. Experience with Privacy Regulations (HIPAA, GDPR, CCPA etc.), Formal Certifications (ISO, SOC, HITECH, EHNAC), and De-Identification of Data.