We’ve all seen them on websites: consent notices for cookies. They pop up the first time you visit a site (and sometimes keep popping up on every visit). Most people click right through them without paying attention. What are they, why are they everywhere on the internet now, and do they actually matter?
A cookie notice on a US website that is complying with California’s CCPA will give you similar information about what the site is doing with cookies and what data it collects, and it will allow you to opt out of non-essential cookies. But if you ignore the popup – which you’re not allowed to do under the GDPR – the site assumes you have agreed to cookies and lets you in. In other words, under the CCPA, cookies are opt-OUT and are set by default, while under the GDPR they are opt-IN, and you have to agree to them before they are set. In both cases, regulation requires you to have these notices, to keep them accurate and complete, and to enforce the choices your users make.
What are they intended to accomplish?
The flaw in all of this is that people rarely read them. They’re a barrier between users and the content they want to see, and most users are in the habit of clicking “I agree” and dismissing them. Even as a privacy professional, I don’t read them during routine browsing. I click through like everyone else unless I have a specific reason to look at a consent. But they’re still there if I want to look,
What can go wrong?
First, the fact that people almost never read them does not mean that website owners can safely become complacent about the accuracy and completeness of their content. These notices may be ignored in normal use, but regulators or individuals can become very interested in them if something goes wrong, or if there’s an investigation and it turns out a business wasn’t complying with the regulations. They’d better be honest and complete. They are, after all, your company’s binding statement about what you do with users’ data.
One fairly common issue is that some websites start tracking visitors as soon as they hit the site – in other words, before the visitor has responded to the consent notice. Under the GDPR, that’s technically a problem if the user then decides not to consent to tracking after all: data has already been collected without a basis for it. There are several areas of the GDPR which data protection authorities have not been focusing on, including this one, but nobody wants to be a test case when a regulatory authority suddenly decides it’s time to take on an issue.
Another issue is that the web environment, especially on complex sites, is dynamic. The third parties present, and what they’re doing with the data, change over time. When these changes are authorized and well documented, automated privacy software (e.g. Osano) helps your site administrators stay on top of the environment and ensure that your notice and consents are up to date and complete. However, not all changes are well documented, and the third-party ecosystem can change rapidly, so it’s also critical to have something in place like Lokker, which gives you a complete listing of third (and downstream) parties in real time and lets you block destinations it’s unsafe to send data to, so you don’t inadvertently violate a consent.