We’ve all seen them on websites: consent notices for cookies. They pop up the first time you visit a site (and sometimes keep popping up on every visit). Most people click right through them without paying attention. What are they, why are they everywhere on the internet now, and do they actually matter?

Cookie consents appear in windows that pop into the foreground of the screen as soon as you access a website. You’ll mostly see them on European and UK websites because they’re required by the GDPR (they’re really required by the ePrivacy Directive, but GDPR governs how sites obtain consent). They tell you what the website does with cookies, which companies they share data with, what data they’re collecting, and that you have the right to refuse cookies (except for the ones which are necessary to operate the website). They’ll have an option to see a detailed list of organizations that set cookies on the site and choose which cookies you’ll accept. You have to tell the site whether you consent to cookies or not before you access the site. (You also get access to other privacy-related information, but we’ll talk about that another time.)

A cookie notice on a US website that is complying with California’s CCPA will give you similar information about what the site is doing with cookies and what data they’re collecting, and it will allow you to opt-out of non-vital cookies, but if you ignore the popup – which you’re not allowed to do under the GDPR – it assumes you have agreed to cookies and lets you in. In other words, under the CCPA, cookies are opt-OUT and are set by default, while under the GDPR, they are opt-IN, and you have to agree to them. In both cases, you are required by regulation to have these notices, for them to be accurate and complete, and to enforce the wishes of your users.

What are they intended to accomplish?

A fundamental principle of privacy is that individuals have a right to know what’s being done with their personal information, why, and by whom. That’s what these cookie consents are intended to do concerning the use of cookies and other tracking information by a website – explain, in clear and concise language, all of those points and (under GDPR) allow the user to decide which cookies they consent to, if any, or (under CCPA) allow them the opportunity to opt-out if they choose. The information the website provides is legally expected to not only be presented clearly for a non-technical audience but also to be accurate and complete. If it fails on those points, the organization which operates the website can face fines (which under GDPR can be exceptionally large).

The flaw in all of this is that people rarely read them. They’re a barrier between users and the content they want to see, and most users are in the habit of clicking “I agree” and dismissing them. Even as a privacy professional, I don’t read them during routine browsing. I click through like everyone else unless I have a specific reason to look at a consent. But they’re still there if I want to look.

What can go wrong?

First, the fact that people almost never read them does not mean that website owners can safely become complacent about the accuracy and completeness of their content. These notices may be ignored in normal use, but regulators or individuals can become very interested in them if something goes wrong, or if there’s an investigation and it turns out a business wasn’t complying with the regulations. They’d better be honest and complete. They are, after all, your company’s binding statement about what you do with users’ data.

One fairly common issue is that some websites start tracking visitors as soon as they hit the site – in other words, before they fill out the consent. Under GDPR, that’s technically a problem if the user decides not to consent to tracking after all. There are several areas of the GDPR that data protection authorities have not been focusing on, including this one, but nobody wants to be a test case when a regulatory authority suddenly decides it’s time to take on an issue.
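One way to check for the pre-consent tracking described above, as an added example that is not part of the original post and not code from the tools it mentions: a small Python audit that takes a list of requests recorded during a page load and the moment the consent choice was saved, and reports the third-party hosts contacted before that moment. The domain names and the captured requests are constructed for the example.

```python
"""Audit a page load for third-party requests sent before the consent choice."""
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass
class Request:
    ts_ms: int          # milliseconds since navigation start
    url: str
    sets_cookie: bool   # True if the response carried a Set-Cookie header


def is_first_party(url: str, site: str) -> bool:
    """True when the request host is the site itself or one of its subdomains."""
    host = urlparse(url).hostname or ""
    return host == site or host.endswith("." + site)


def pre_consent_third_parties(requests, site, consent_ts_ms, allowlist=()):
    """Map each third-party host contacted before consent_ts_ms to whether it
    set a cookie. Hosts in allowlist (e.g. the consent manager's own CDN,
    a hypothetical choice here) are skipped because they must load first."""
    findings = {}
    for r in requests:
        if r.ts_ms >= consent_ts_ms or is_first_party(r.url, site):
            continue
        host = urlparse(r.url).hostname or ""
        if host in allowlist:
            continue
        findings[host] = findings.get(host, False) or r.sets_cookie
    return findings


# Constructed capture: consent was recorded 4000 ms after navigation start.
SAMPLE_SITE = "example.com"
SAMPLE_CONSENT_TS = 4000
SAMPLE_ALLOWLIST = ("consent.example-cmp.net",)
SAMPLE_REQUESTS = [
    Request(0, "https://www.example.com/", False),
    Request(120, "https://cdn.example.com/app.js", False),
    Request(300, "https://consent.example-cmp.net/banner.js", False),
    Request(450, "https://analytics.tracker-example.net/collect?v=1", True),
    Request(900, "https://ads.tracker-example.org/pixel.gif", False),
    Request(5200, "https://analytics.tracker-example.net/collect?v=1", True),
]

if __name__ == "__main__":
    for host, cookie in pre_consent_third_parties(
        SAMPLE_REQUESTS, SAMPLE_SITE, SAMPLE_CONSENT_TS, SAMPLE_ALLOWLIST
    ).items():
        print(f"{host}: contacted before consent, set cookie = {cookie}")
```

The same check runs against a real HAR export by converting its entries into `Request` objects; a host that appears in the output but not in the notice is a gap between the notice and what the site actually does.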

Another issue is that the web environment, especially on complex sites, is dynamic. The third parties present, and what they’re doing with the data, change over time. When these changes are authorized and well documented, automated privacy software (e.g. Osano) helps your site administrators stay on top of the environment and ensure that your notice and consents are up to date and complete. However, not all changes are well documented, and the third-party ecosystem can change rapidly, so it’s also critical to have something in place like Lokker, which gives you a complete listing of third (and downstream) parties in real time and allows you to block sites it’s unsafe to send data to, so you don’t inadvertently violate a consent.