Collecting consent on the internet: a widespread lie

These banners are unbearable, and they are not GDPR compliant

Published by Pixel de Tracking on February 5, 2020

With the GDPR, internet users are supposed to be better informed and better protected against widespread tracking. Except that, without sanctions, they are left fighting intrusive and misleading consent banners. Here is an overview of the different bad practices.

Treating browsing as consent

This is a loophole introduced by the CNIL in 2013, when it stated in its deliberation that "continuing to browse constitutes agreement to cookies being placed on the user's device".

With the GDPR, this loophole becomes difficult to justify, and the CNIL is forced to move forward. After publishing new guidelines in July 2019 and opening a consultation period with professionals, it has just presented a draft recommendation on practical methods for obtaining consent, open to public consultation until February 25. In particular, it states that "simply continuing to browse a website can no longer be regarded as a valid expression of consent to the placing of cookies, which must now result from an unequivocal positive action by the user".

Once the final recommendation is established, the CNIL will give stakeholders another 6 months to comply before launching checks.

You might also think that browsing a site means changing pages, but that is not the case: simply scrolling down the page makes the consent banner disappear and triggers your "acceptance of tracking".

Below are the banners on Lemonde.fr and Lefigaro.fr, both of which use this technique. Note that to refuse, you must first go through “Configure cookies” or “Configure”, which creates friction for the user.

[Screenshot: consent banner on Lemonde.fr]

[Screenshot: consent banner on Lefigaro.fr]

Placing cookies before consent

If you read the previous paragraph carefully, you might think that, since 2013, you must "browse" a website before it can place cookies (note: not all cookies are affected, since cookies from certain analytics tools are exempt). The CNIL also reminds everyone that it continues to enforce this obligation: "This adaptation period will not prevent the CNIL from fully monitoring compliance with other obligations which have not been subject to any modification and, where appropriate, from adopting corrective measures to protect users' privacy. In particular, operators must respect the prior nature of consent to the deposit of tracers."

What actually happens? Let's browse Lefigaro.fr to understand the discrepancy.

  • Disable your ad blocker
  • Delete cookies in Chrome (Settings > Advanced settings > Clear browsing data), so you are logged out of your Google account
  • Open the Chrome console (⌘+Option+J on Mac, Ctrl+Shift+J on PC) or launch Charles
  • Then go to lefigaro.fr
  • Do not browse lefigaro.fr; just look at the different requests sent to third parties. It is a jungle.

[Screenshot (Charles): third-party requests on lefigaro.fr before any consent]

In the screenshot (from Charles), we can see that AppNexus, used as an ad server and SSP by Le Figaro (now called Xandr since its acquisition by AT&T), places a cookie with a unique identifier, uuid2 (domain: adnxs.com). If we dig a little deeper, we can see other third-party cookies being placed, such as:

If the CNIL actually checked websites, it would already have sanctioned Lefigaro.fr (as well as many other websites that do not comply with existing law).
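The check performed above by hand (open the network inspector, do not touch the banner, see who is called and which cookies arrive) can be repeated on a HAR export of the same session. The following is an added example, not code from the original post: it takes a HAR 1.2 capture (the standard `log.entries[].startedDateTime`, `request.url`, `response.headers[]` layout), keeps only the requests made before the moment the banner was answered, drops first-party hosts, and reports each third-party host with the cookie names it set. The capture embedded in it is constructed for the example and is not a real recording; the `uuid2` cookie on `adnxs.com` is the one named in the post, but its value here is a placeholder.

```javascript
// Added example, not code from the original post: audit a HAR capture for
// third-party requests made before the consent banner was answered, and list
// the cookies those responses set. Field names follow the HAR 1.2 layout; the
// capture at the bottom is constructed and is not a real recording.

// Naive eTLD+1: keeps the last two labels, or three for a few two-part public
// suffixes. A real audit would use the Public Suffix List instead.
const TWO_PART_SUFFIXES = new Set(['co.uk', 'com.au', 'co.jp']);
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().split('.');
  const tail = labels.slice(-2).join('.');
  return labels.slice(TWO_PART_SUFFIXES.has(tail) ? -3 : -2).join('.');
}

// Cookie names from every Set-Cookie header of one response (HAR lists each
// Set-Cookie as its own header object).
function cookieNames(response) {
  return (response.headers || [])
    .filter(h => h.name.toLowerCase() === 'set-cookie')
    .map(h => h.value.split(';')[0].split('=')[0].trim());
}

// Returns one record per third-party host contacted before `consentTime`
// (ISO 8601; omit it to audit the whole capture), sorted by host name.
function preConsentThirdParties(har, pageUrl, consentTime) {
  const site = registrableDomain(new URL(pageUrl).hostname);
  const cutoff = consentTime ? Date.parse(consentTime) : Infinity;
  const byHost = new Map();
  for (const entry of har.log.entries) {
    if (Date.parse(entry.startedDateTime) >= cutoff) continue; // after the user's choice
    const host = new URL(entry.request.url).hostname;
    if (registrableDomain(host) === site) continue;             // first party, out of scope here
    const rec = byHost.get(host) || { requests: 0, cookiesSet: new Set() };
    rec.requests += 1;
    for (const name of cookieNames(entry.response)) rec.cookiesSet.add(name);
    byHost.set(host, rec);
  }
  return [...byHost.keys()].sort().map(host => ({
    host,
    requests: byHost.get(host).requests,
    cookiesSet: [...byHost.get(host).cookiesSet].sort(),
  }));
}

// Constructed capture: the page load, one first-party asset, two third-party
// calls before the banner is answered (one setting a uuid2 cookie on
// adnxs.com, as in the post) and one call after the user's choice.
const SAMPLE_HAR = { log: { entries: [
  { startedDateTime: '2020-02-05T10:00:00.000Z',
    request: { url: 'https://www.lefigaro.fr/' },
    response: { headers: [{ name: 'Set-Cookie', value: 'session=CONSTRUCTED; Path=/' }] } },
  { startedDateTime: '2020-02-05T10:00:00.400Z',
    request: { url: 'https://static.lefigaro.fr/app.js' }, response: { headers: [] } },
  { startedDateTime: '2020-02-05T10:00:01.000Z',
    request: { url: 'https://ib.adnxs.com/getuid' },
    response: { headers: [{ name: 'Set-Cookie', value: 'uuid2=CONSTRUCTED-ID; Domain=.adnxs.com; Max-Age=7776000' }] } },
  { startedDateTime: '2020-02-05T10:00:01.200Z',
    request: { url: 'https://sync.example-ssp.test/match' }, response: { headers: [] } },
  { startedDateTime: '2020-02-05T10:00:09.000Z', // after the banner was answered
    request: { url: 'https://ads.example-dsp.test/bid' },
    response: { headers: [{ name: 'Set-Cookie', value: 'dspid=CONSTRUCTED; Path=/' }] } },
] } };

console.log(JSON.stringify(
  preConsentThirdParties(SAMPLE_HAR, 'https://www.lefigaro.fr/', '2020-02-05T10:00:05.000Z'), null, 2));
```

On the constructed capture this reports two third-party hosts before the banner was answered, with `uuid2` set by `ib.adnxs.com`; the request to `ads.example-dsp.test` is excluded because it was made after the consent timestamp. The consent timestamp has to be recorded by the auditor (for instance by noting the time of the click on the banner), since a HAR file does not carry it.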

Not putting cookie acceptance and refusal on the same level

This is a widespread bad practice on the web, as shown by the study "Do Cookie Banners Respect my Choice? Measuring Legal Compliance of Banners from IAB Europe's Transparency and Consent Framework" by Célestin Matte, Nataliia Bielova and Cristiana Santos, researchers at INRIA, and illustrated on this excellent site and in this Twitter thread:

[Tweet by Nataliia Bielova]

Researchers observed this illegal behavior on 236 websites (out of the 1426 that contain an IAB-stamped consent banner, the IAB being the association of advertising players).

Another study, "Dark Patterns after the GDPR: Scraping Consent Pop-ups and Demonstrating their Influence", carried out on 10,000 English-language sites and recently published by Midas Nouwens, Michael Veale and David Karger, shows that the design of these consent banners has considerable weight in the decision to consent or not. As one might expect, the harder refusal is, the more users consent, as Midas Nouwens explains in this tweet:

[Tweet by Midas Nouwens]

One of the key points of the study: 93.1% of interactions are limited to the first page. Having to go through several steps to refuse tracking is therefore too long and too complex for the vast majority of users.

Let's illustrate this point with lemonde.fr, once again a poor performer. Delete your cookies in Chrome and go to lemonde.fr. If you do not scroll or change pages (which would count as accepting cookies), you must first click on "Configure cookies" (a button less prominent than "Accept").

[Screenshot: consent banner on lemonde.fr]

Then, to prevent different categories of cookies from being placed, you must uncheck the 4 categories for which you are given a choice and finally click on “Validate parameters”. In all, 6 clicks compared with just 1 to accept cookies: it is hardly surprising that cookie acceptance rates are high!

[Screenshot: the steps needed to refuse cookies on lemonde.fr]

These CMPs (Consent Management Platforms) are few in number, as Midas Nouwens observes: 5 companies cover 58% of the English market. It could therefore be more effective for lawmakers to ban these companies from offering illegal configurations to publishers. As a user, you can install the Firefox or Chromium extension Consent-o-Matic, which automatically fills out these forms.

Not respecting users' choices when they refuse consent

To publicize the study "Do Cookie Banners Respect my Choice? Measuring Legal Compliance of Banners from IAB Europe's Transparency and Consent Framework", Célestin Matte, Nataliia Bielova and Cristiana Santos used the example of Radio France, which did not offer an option to refuse consent, in this tweet:

[Tweet by Nataliia Bielova about Radio France]

Note that Radio France uses the CMP (Consent Management Platform, the tool responsible for collecting consent and transmitting it properly to the various players in the advertising chain) from Axel Springer, a huge German press group, which considers that targeted advertising falls under “legitimate interest” and therefore does not need to ask users for consent.

Since then, Radio France's CMP has been updated, so users can now make the effort to refuse different categories of cookies, but these choices do not seem to be recorded correctly... Let's look at the cookies placed before even configuring the consent banner on franceinter.fr.

[Screenshot: cookies placed on franceinter.fr before the consent banner is configured]

We have the same problem here as on lefigaro.fr: many third-party advertisers are called even before the user has consented. Looking more closely, 2 iframes launched by Google's advertising solutions are responsible for the data leak to various advertising third parties: tpc.googlesyndication.com & pagead2.googlesyndication.com. These are iframes triggered by the publisher ad server and Google SSP used by France Inter: Google Ad Manager (formerly part of Doubleclick).

Now, if we decide to deactivate everything (refuse tracking), we can see, thanks to the research team's Cookie Glasses Chrome extension, that consent is still granted to all third parties, even if it is not granted specifically for any category of cookies.
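What Cookie Glasses displays is the content of the consent string the CMP stores, so the "all vendors granted, no purpose granted" state can be checked without a browser extension by decoding the string. The following is an added example, not code from the original post and not the Cookie Glasses extension: it encodes and decodes an IAB TCF v1.1 consent string following the published bit layout (version, timestamps in deciseconds, CMP id and version, consent screen, language, vendor list version, 24 purpose bits, max vendor id, then either a per-vendor bit field or a range section) and flags a string that grants vendors while every purpose is refused. All sample values (timestamps, CMP id, vendor list version, vendor ids) are constructed, and the function names are mine.

```javascript
// Added example, not code from the original post and not the Cookie Glasses
// extension: encode and decode an IAB TCF v1.1 consent string and flag the
// pattern the post observes on franceinter.fr (no purpose consented, every
// vendor marked as consented). Bit layout follows the published TCF v1.1
// format; all sample values are constructed.

// Fixed header of a v1.1 string: [field, width in bits], in order.
const FIELDS = [
  ['version', 6], ['created', 36], ['lastUpdated', 36], ['cmpId', 12],
  ['cmpVersion', 12], ['consentScreen', 6], ['consentLanguage', 12],
  ['vendorListVersion', 12], ['purposesAllowed', 24], ['maxVendorId', 16],
  ['encodingType', 1], // 0 = vendor bit field follows, 1 = range section follows
];

class BitWriter {
  constructor() { this.bits = []; }
  write(value, width) { // MSB first; BigInt because 'created' needs 36 bits
    for (let i = width - 1; i >= 0; i--) this.bits.push(Number((BigInt(value) >> BigInt(i)) & 1n));
  }
  toBase64Url() { // TCF strings are web-safe base64 without padding
    const bytes = Buffer.alloc(Math.ceil(this.bits.length / 8));
    this.bits.forEach((bit, i) => { if (bit) bytes[i >> 3] |= 0x80 >> (i & 7); });
    return bytes.toString('base64').replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  }
}

class BitReader {
  constructor(b64url) {
    const b64 = b64url.replace(/-/g, '+').replace(/_/g, '/');
    this.bytes = Buffer.from(b64 + '='.repeat((4 - (b64.length % 4)) % 4), 'base64');
    this.pos = 0;
  }
  read(width) {
    let v = 0n;
    for (let i = 0; i < width; i++, this.pos++) {
      const byte = this.bytes[this.pos >> 3] || 0; // past the end reads as zero bits
      v = (v << 1n) | BigInt((byte >> (7 - (this.pos & 7))) & 1);
    }
    return Number(v);
  }
}

// consent: { purposesAllowed: Set of 1..24, vendorsAllowed: Set of vendor ids, maxVendorId, ... }
function encodeConsentString(consent) {
  const w = new BitWriter();
  const lang = consent.consentLanguage.toUpperCase(); // two letters, 6 bits each, A = 0
  const header = {
    ...consent,
    consentLanguage: ((lang.charCodeAt(0) - 65) << 6) | (lang.charCodeAt(1) - 65),
    purposesAllowed: [...consent.purposesAllowed].reduce((m, p) => m | (1 << (24 - p)), 0),
    encodingType: 0, // this encoder always emits the bit-field form
  };
  for (const [name, width] of FIELDS) w.write(header[name], width);
  for (let id = 1; id <= consent.maxVendorId; id++) w.write(consent.vendorsAllowed.has(id) ? 1 : 0, 1);
  return w.toBase64Url();
}

function decodeConsentString(str) {
  const r = new BitReader(str);
  const out = {};
  for (const [name, width] of FIELDS) out[name] = r.read(width);
  out.consentLanguage = String.fromCharCode(65 + (out.consentLanguage >> 6), 65 + (out.consentLanguage & 63));
  const mask = out.purposesAllowed; // purpose 1 is the most significant of the 24 bits
  out.purposesAllowed = new Set();
  for (let p = 1; p <= 24; p++) if ((mask >> (24 - p)) & 1) out.purposesAllowed.add(p);
  out.vendorsAllowed = new Set();
  if (out.encodingType === 0) {
    for (let id = 1; id <= out.maxVendorId; id++) if (r.read(1)) out.vendorsAllowed.add(id);
  } else { // range section: listed vendors take the opposite of defaultConsent
    const defaultConsent = r.read(1) === 1;
    const listed = new Set();
    for (let n = r.read(12); n > 0; n--) {
      if (r.read(1) === 0) listed.add(r.read(16));
      else { const start = r.read(16), end = r.read(16); for (let id = start; id <= end; id++) listed.add(id); }
    }
    for (let id = 1; id <= out.maxVendorId; id++) if (listed.has(id) !== defaultConsent) out.vendorsAllowed.add(id);
  }
  return out;
}

// The check an auditor wants: vendors granted while every purpose is refused.
function vendorsGrantedWithoutPurposes(decoded) {
  return decoded.purposesAllowed.size === 0 && decoded.vendorsAllowed.size > 0;
}

// Constructed sample mirroring the post's observation on franceinter.fr.
const REFUSED_EVERYTHING = {
  version: 1, created: 15808608000, lastUpdated: 15808608000, // deciseconds since epoch, constructed
  cmpId: 1, cmpVersion: 1, consentScreen: 1, consentLanguage: 'fr', vendorListVersion: 170,
  purposesAllowed: new Set(), maxVendorId: 8, vendorsAllowed: new Set([1, 2, 3, 4, 5, 6, 7, 8]),
};
const decoded = decodeConsentString(encodeConsentString(REFUSED_EVERYTHING));
console.log('purposes:', [...decoded.purposesAllowed], 'vendors:', [...decoded.vendorsAllowed],
  'vendors granted without purposes:', vendorsGrantedWithoutPurposes(decoded));
```

To check a real site, paste the value of the CMP's consent cookie into `decodeConsentString` and look at the two sets: a refusal that has been recorded correctly leaves both empty, while the situation described above shows an empty purpose set next to a full vendor set. The encoder only writes the bit-field form; the decoder also handles the range form, which CMPs use when the vendor list is long.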

[Screenshot (Cookie Glasses): consent recorded on franceinter.fr after refusing everything]

And if we then browse different pages of franceinter.fr, the refusal seems to have changed nothing: we continue to be tracked by numerous third parties (during my test: Doubleclick, Quantcast, BidSwitch, OpenX, MediaMath).

[Screenshot: third parties still called on franceinter.fr after refusal]

The advertising ecosystem has several problems with consent:

  1. Advertising players should not be able to place cookies with an advertising identifier if they have not received consent from the user. However, this still fits Google's strategy very well: if there is no consent, do not serve personalized advertising, but continue tracking the user across the web in order to serve contextual ads and measure their performance. More precisely: to my knowledge, no advertising tool works “without placing user identifier cookies”.
  2. Unlike other tools used by publishers (analytics, social networks, e-commerce, etc.), advertising tools call one another. Thus a publisher (France Inter) using Google Ad Manager's ad server & SSP (a direct relationship) will find itself displaying ads on its site that are served by multiple third parties with which it has no direct relationship (whether through RTB or direct sales elsewhere). To serve their ads, these third-party actors will use a DSP (buying platform), an ad server (delivery and measurement tool), a tool to measure viewability (is the ad displayed on screen or hidden?), a fraud measurement tool (who is behind the screen, a real user or a bot?), etc. This explains the growing lists of actors requesting consent, and the lack of control publishers have when they distribute advertising.
  3. One more annoyance: France Inter uses Google's ad server & SSP, tools that still do not communicate the consent chain to third-party advertising players, because Google is not yet part of the “IAB Transparency and Consent Framework”. This protocol was developed by IAB TechLab, an association of advertising players responsible for establishing technical standards, in order to comply with the GDPR (after multiple postponements, Google plans to adopt v2 of the Framework at the end of the first quarter).

Can publishers comply with GDPR?

Yes, but if they depend on advertising to survive, complying with the law is restrictive:

  • Putting cookie acceptance and refusal on the same level will lead to a high refusal rate.
  • Also, the "solution" put in place by the IAB to comply with the GDPR, the Transparency and Consent Framework (TCF), does not, by design, block cookies or calls to third-party tags; it does not allow publishers to control what happens on their sites. Read “Mechanisms and (r)pitfall of consent” by Benjamin Poilvé, engineer in the CNIL's technology expertise team, on this subject.
  • If the user refuses cookies, since the advertising ecosystem is not at all ready for a cookieless world, the proper solution would be not to serve advertising (the client's "tag manager", the tool deciding whether tags are activated, should then deactivate the advertising tags).
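The last point above (the tag manager should not activate advertising tags when the user has refused) comes down to a gate in front of each tag. The following is an added example, not code from the original post or from any real tag manager: each tag declares the TCF v1.1 purposes it relies on and the vendor it belongs to, and it is activated only when the recorded choice covers both; while the banner is unanswered, nothing that needs consent fires. Tag names, vendor ids and the purpose assignments are constructed; the `choice` object has the shape a decoded consent string gives (a purpose set and a vendor set), so the "vendors granted, no purpose granted" state seen on franceinter.fr is handled as a refusal.

```javascript
// Added example, not code from the original post or from a real tag manager:
// the consent gate a publisher's tag manager would apply to its tags.
// Tag names, vendor ids and purpose assignments are constructed.

// TCF v1.1 purpose ids: 1 storage/access, 2 personalisation, 3 ad selection
// and reporting, 4 content selection, 5 measurement.
const TAGS = [
  { name: 'ad-server',      vendorId: 10,   purposes: [1, 3] },
  { name: 'ad-viewability', vendorId: 22,   purposes: [1, 5] },
  // A tool the publisher has checked falls under the analytics exemption the
  // post mentions: it declares no purpose and no vendor, so it is never gated.
  { name: 'site-analytics', vendorId: null, purposes: [] },
];

// choice: null while the banner is unanswered, otherwise
// { purposesAllowed: Set, vendorsAllowed: Set }.
// Returns which tags may fire and which stay blocked.
function decideTags(tags, choice) {
  const fire = [], block = [];
  for (const tag of tags) {
    const needsConsent = tag.purposes.length > 0 || tag.vendorId !== null;
    const purposesOk = choice !== null && tag.purposes.every(p => choice.purposesAllowed.has(p));
    const vendorOk = tag.vendorId === null || (choice !== null && choice.vendorsAllowed.has(tag.vendorId));
    (!needsConsent || (purposesOk && vendorOk) ? fire : block).push(tag.name);
  }
  return { fire, block };
}

// Three recorded states, all constructed.
const UNANSWERED = null;
const REFUSED_BUT_VENDORS_GRANTED = { purposesAllowed: new Set(), vendorsAllowed: new Set([10, 22]) };
const ACCEPTED_ALL = { purposesAllowed: new Set([1, 2, 3, 4, 5]), vendorsAllowed: new Set([10, 22]) };

for (const [label, choice] of [['unanswered', UNANSWERED],
    ['refused (vendors granted anyway)', REFUSED_BUT_VENDORS_GRANTED], ['accepted all', ACCEPTED_ALL]]) {
  console.log(label, decideTags(TAGS, choice));
}
```

The gate is default-deny: an unanswered banner and a refusal whose vendor bits were left set both lead to the same outcome, only the exempt tag fires. Checking the vendor as well as the purposes also blocks a tag whose purposes were accepted but whose vendor was not in the list the user saw.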

The advertising ecosystem nevertheless risks being forced to adapt because, after Safari, Firefox and Brave, Chrome should soon no longer allow third-party cookies to be placed (within 2 years, according to its announcement).