
Collecting consent on the internet: a widespread lie

These banners are unbearable, and they are not GDPR compliant

Published by Pixel de Tracking on February 5, 2020

With the GDPR, Internet users are supposed to be better informed and protected against widespread tracking. Except that, in the absence of sanctions, Internet users find themselves fighting intrusive and misleading consent banners instead. Here is an overview of the various bad practices.

Considering that browsing a site constitutes consent

It is a flaw introduced in 2013 by the CNIL, which stated at the time in its deliberation: "the continuation of navigation constitutes agreement to the deposit of cookies on the user's terminal".

With the GDPR, this flaw has become difficult to justify and the CNIL has been forced to move forward. After publishing new guidelines in July 2019 and opening a consultation period with professionals, it has just presented a draft recommendation on the practical arrangements for obtaining consent, open to public consultation until February 25. It states in particular: "the simple continuation of navigation on a website can no longer be regarded as a valid expression of consent to the deposit of cookies, which must now result from an unequivocal positive act of the Internet user".

Once the final recommendation is adopted, the CNIL will give stakeholders another 6 months to comply with it before launching verifications.

Also, you might think that "browsing a site" requires changing pages, but this is not the case: simply scrolling the page makes the consent banner disappear and counts as your "acceptance of tracking".

Below are the banners of Lemonde.fr and Lefigaro.fr, both of which use this technique. Note that to refuse, you must first go to "Configure cookies" or "Configure", which is costly for the user.

[Image: consent banner on Lemonde.fr]

[Image: consent banner on Lefigaro.fr]

Placing cookies before consent is even given

If you read the previous paragraph carefully, you might think that, since 2013, a site had to wait for you to "navigate" before it could place cookies (NB: not all cookies are concerned; cookies from certain analytics tools, for instance, are exempt). The CNIL also reminds us that it continues to enforce this obligation: "This adaptation period will not prevent the CNIL from fully monitoring compliance with other obligations which have not been subject to any modification and, where appropriate, from adopting corrective measures to protect the privacy of Internet users. In particular, operators must respect the prior nature of consent to the deposit of tracers."

What happens in reality? Let's browse Lefigaro.fr to understand the discrepancy.

  • Disable your adblocker
  • Delete your cookies in Chrome (Settings > Advanced settings > Clear browsing data), which also logs you out of your Google account
  • Open the Chrome console (⌘+Option+J on Mac, Ctrl+Shift+J on PC) or launch Charles
  • Then go to lefigaro.fr
  • Don't browse any further on lefigaro.fr; just look at the various requests sent to third parties: it's a jungle
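The manual inspection above can be repeated on a saved capture. The following is an added example (not code from the original post): it audits a HAR export, which both Chrome DevTools and Charles can produce, for cookies set by hosts outside the first party's domain, optionally restricted to requests started before the moment the user made a consent choice. The `SAMPLE_HAR` object is a constructed stand-in for a real export, the hostnames use the reserved `.test` TLD, and the two-label registrable-domain rule is an assumption made for brevity (a real audit would use the Public Suffix List).

```javascript
// Added example, not code from the original post: audit a HAR export for
// cookies set by third parties before the user has made a consent choice.
// SAMPLE_HAR below is a constructed stand-in for a DevTools or Charles export.

// Registrable domain of a hostname. Assumption for this illustration: the
// last two labels are enough; a real audit would consult the Public Suffix
// List so that e.g. "example.co.uk" is handled correctly.
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().split('.').filter(Boolean);
  return labels.slice(-2).join('.');
}

// Cookie name from a Set-Cookie header value ("uid=123; Path=/" -> "uid").
function cookieNameOf(setCookieValue) {
  return setCookieValue.split(';')[0].split('=')[0].trim();
}

// Walk the HAR entries in order. Every Set-Cookie response from a host
// outside the first party's registrable domain is reported together with the
// URL that triggered it. If consentGivenAt (ISO timestamp) is supplied, only
// requests started before that moment are considered: those are the cookies
// placed before any consent could have been given.
function findThirdPartyCookies(har, firstPartyUrl, consentGivenAt) {
  const firstParty = registrableDomain(new URL(firstPartyUrl).hostname);
  const cutoff = consentGivenAt ? Date.parse(consentGivenAt) : Infinity;
  const findings = [];
  for (const entry of har.log.entries) {
    if (Date.parse(entry.startedDateTime) >= cutoff) continue;
    const host = new URL(entry.request.url).hostname;
    if (registrableDomain(host) === firstParty) continue;
    for (const header of entry.response.headers || []) {
      if (header.name.toLowerCase() !== 'set-cookie') continue;
      findings.push({
        host,
        cookie: cookieNameOf(header.value),
        url: entry.request.url,
        startedAt: entry.startedDateTime,
      });
    }
  }
  return findings;
}

// Group findings per third-party host: the list a publisher would have to
// justify (or block) under the prior-consent rule.
function summarizeByHost(findings) {
  const byHost = {};
  for (const f of findings) (byHost[f.host] = byHost[f.host] || []).push(f.cookie);
  return byHost;
}

// Constructed sample HAR: first-party page load, an ad-server call that drops
// an identifier cookie, a first-party CDN asset, and a measurement pixel.
// Hostnames use the reserved .test TLD; nothing here is a real site.
const SAMPLE_HAR = {
  log: { version: '1.2', entries: [
    { startedDateTime: '2020-02-05T10:00:00.000Z',
      request: { url: 'https://www.example-news.test/' },
      response: { status: 200, headers: [
        { name: 'Content-Type', value: 'text/html' },
        { name: 'Set-Cookie', value: 'session=abc; Path=/; HttpOnly; Secure' } ] } },
    { startedDateTime: '2020-02-05T10:00:00.250Z',
      request: { url: 'https://ads.example-adserver.test/bid?site=news' },
      response: { status: 200, headers: [
        { name: 'Set-Cookie', value: 'uid=0123456789; Domain=.example-adserver.test; Max-Age=31536000' } ] } },
    { startedDateTime: '2020-02-05T10:00:00.300Z',
      request: { url: 'https://cdn.example-news.test/app.js' },
      response: { status: 200, headers: [ { name: 'Content-Type', value: 'text/javascript' } ] } },
    { startedDateTime: '2020-02-05T10:00:00.400Z',
      request: { url: 'https://pixel.example-measure.test/p.gif' },
      response: { status: 200, headers: [
        { name: 'set-cookie', value: 'mid=xyz; Path=/' } ] } },
  ] },
};

console.log(summarizeByHost(findThirdPartyCookies(SAMPLE_HAR, 'https://www.example-news.test/')));
```

Run against a real export, the function lists the hosts that dropped cookies on the first load; passing the timestamp of the click on the banner as `consentGivenAt` isolates exactly the cookies the CNIL's "prior consent" reminder is about.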

[Image: requests from lefigaro.fr without consent (Charles screenshot)]

On the screenshot (from Charles), we can see that AppNexus, used by Le Figaro as an ad server and SSP (now called Xandr since its acquisition by AT&T), sets a cookie containing a unique identifier, uuid2 (domain: adnxs.com). Digging a little deeper, we can see other third-party cookies being placed, such as:

If the CNIL actually audited websites, it would already have sanctioned Lefigaro.fr (along with the many other websites that do not comply with existing legislation).

Not putting the acceptance and refusal of cookies on the same level

This is a widespread bad practice on the web, as shown by the study "Do Cookie Banners Respect my Choice? Measuring Legal Compliance of Banners from IAB Europe's Transparency and Consent Framework" by Célestin Matte, Nataliia Bielova and Cristiana Santos, researchers at INRIA, and illustrated on this excellent site and in this Twitter thread:

[Image: tweet by Nataliia Bielova]

The researchers observed this illegal behavior on 236 websites (out of the 1,426 that display a consent banner bearing the stamp of the IAB, the association of advertising players).

Another study, "Dark Patterns after the GDPR: Scraping Consent Pop-ups and Demonstrating their Influence", carried out on 10,000 English sites and recently published by Midas Nouwens, Michael Veale and David Karger, shows that the design of these consent banners weighs heavily on the choice to consent or not. As one might expect, the harder it is to refuse, the more Internet users consent, as Midas Nouwens explains in this tweet:

[Image: tweet by Midas Nouwens]

One of the key findings of the study: 93.1% of interactions are limited to the first page. Going through several steps to refuse tracking is therefore too long and too complex for the vast majority of Internet users.

Let's illustrate this point with lemonde.fr, once again a poor performer. Delete your cookies in Chrome and go to lemonde.fr. If you neither scroll nor change pages (either of which would count as accepting cookies), you must first click on "Configure cookies" (a button given less prominence than "Accept").

[Image: consent banner on Lemonde.fr]

Then, to prevent the various categories of cookies from being placed, you must uncheck the 4 categories for which you have a choice and finally click "Validate parameters". In all, 6 clicks versus just 1 to accept cookies: it is hardly surprising that the acceptance rate for cookies is high!

[Image: refusing cookies on Lemonde.fr]

These CMPs (Consent Management Platforms) are few in number, Midas Nouwens observes: 5 companies cover 58% of the English market. It could therefore be more effective for the legislator to prohibit these companies from offering illegal configurations to publishers. As an Internet user, you can install the Consent-o-Matic extension for Firefox or Chromium, which fills out these forms automatically.

Not respecting the Internet user's choices when they do not consent

To publicize the study "Do Cookie Banners Respect my Choice? Measuring Legal Compliance of Banners from IAB Europe's Transparency and Consent Framework", Célestin Matte, Nataliia Bielova and Cristiana Santos took the example of Radio France, which did not offer the option to refuse consent, in this tweet:

[Image: tweet by Nataliia Bielova about Radio France]

Note that Radio France uses the CMP (Consent Management Platform, the tool in charge of collecting consent and passing it on correctly to the various players in the advertising chain) of Axel Springer, a huge German press group, which considers that targeted advertising falls under "legitimate interest" and therefore does not require asking users for consent.

Since then, Radio France's CMP has been updated, so users can make the effort to refuse the various categories of cookies, but these choices do not seem to be recorded correctly... Let's look at the cookies placed on franceinter.fr before the site's consent banner has even been configured.

[Image: France Inter cookies before consent]

We have the same problem here as on lefigaro.fr: many third-party advertisers are called even before the user has consented. Looking in detail, two iframes launched by Google's advertising solutions are responsible for the data leak to various advertising third parties: tpc.googlesyndication.com and pagead2.googlesyndication.com. These iframes are triggered by the publisher ad server and SSP of which France Inter is a customer, Google Ad Manager (formerly part of DoubleClick).

Now, if we decide to deactivate everything (refuse tracking), we can see, thanks to the Cookie Glasses Chrome extension from the same research team, that consent is still granted to all third parties, even though it is not granted for any category of cookies.
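What Cookie Glasses displays is the decoded content of the consent string a TCF CMP stores. The following is an added example, not code from the original post nor from the Cookie Glasses extension: it encodes and decodes an IAB TCF v1.1 consent string following the published field layout (a 6-bit version, two 36-bit timestamps, CMP and screen metadata, a 24-bit purpose mask, then the vendor consents as a bitfield or as ranges) and flags the very inconsistency observed above, vendors recorded as consented while no purpose is allowed. The header values used are constructed; the encoder only produces the bitfield vendor encoding, while the decoder reads both encodings.

```javascript
// Added example, not code from the original post nor from Cookie Glasses:
// encode/decode an IAB TCF v1.1 consent string (the value a TCF CMP stores in
// its "euconsent" cookie) and audit it for vendor consent without purposes.
// Field layout follows the published TCF v1.1 format.

const HEADER_FIELDS = [
  ['version', 6], ['created', 36], ['lastUpdated', 36], ['cmpId', 12],
  ['cmpVersion', 12], ['consentScreen', 6], ['consentLanguage', 12],
  ['vendorListVersion', 12], ['purposesAllowed', 24], ['maxVendorId', 16],
  ['encodingType', 1],
];

// Unpadded base64url <-> array of bits, most significant bit first.
function stringToBits(str) {
  const bits = [];
  for (const byte of Buffer.from(str.replace(/-/g, '+').replace(/_/g, '/'), 'base64')) {
    for (let i = 7; i >= 0; i--) bits.push((byte >> i) & 1);
  }
  return bits;
}

function bitsToString(bits) {
  const padded = bits.concat(new Array((8 - (bits.length % 8)) % 8).fill(0));
  const bytes = [];
  for (let i = 0; i < padded.length; i += 8) {
    bytes.push(padded.slice(i, i + 8).reduce((acc, b) => acc * 2 + b, 0));
  }
  return Buffer.from(bytes).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Append `value` as a big-endian field of `width` bits (arithmetic rather
// than shifts because the timestamp fields are 36 bits wide).
function pushBits(bits, value, width) {
  for (let i = width - 1; i >= 0; i--) bits.push(Math.floor(value / 2 ** i) % 2);
}

// header: version, created, lastUpdated (deciseconds), cmpId, cmpVersion,
// consentScreen, consentLanguage ("EN"), vendorListVersion.
// purposes: allowed purpose ids (1..24); vendors: consented vendor ids.
function encodeConsentString(header, purposes, vendors) {
  const lang = header.consentLanguage.toUpperCase();
  const values = {
    ...header,
    consentLanguage: ((lang.charCodeAt(0) - 65) << 6) | (lang.charCodeAt(1) - 65),
    purposesAllowed: purposes.reduce((mask, p) => mask | (1 << (24 - p)), 0),
    maxVendorId: Math.max(0, ...vendors),
    encodingType: 0, // bitfield encoding only
  };
  const bits = [];
  for (const [name, width] of HEADER_FIELDS) pushBits(bits, values[name], width);
  const allowed = new Set(vendors);
  for (let v = 1; v <= values.maxVendorId; v++) bits.push(allowed.has(v) ? 1 : 0);
  return bitsToString(bits);
}

function decodeConsentString(str) {
  const bits = stringToBits(str);
  let pos = 0;
  const read = (width) => {
    let value = 0;
    for (let i = 0; i < width; i++) value = value * 2 + bits[pos++];
    return value;
  };
  const out = {};
  for (const [name, width] of HEADER_FIELDS) out[name] = read(width);
  out.consentLanguage = String.fromCharCode(65 + (out.consentLanguage >> 6), 65 + (out.consentLanguage & 63));
  out.purposes = [];
  for (let p = 1; p <= 24; p++) if ((out.purposesAllowed >> (24 - p)) & 1) out.purposes.push(p);
  out.vendors = [];
  if (out.encodingType === 0) {
    for (let v = 1; v <= out.maxVendorId; v++) if (read(1)) out.vendors.push(v);
  } else {
    // Range encoding: a default value plus the vendors (single ids or ranges)
    // whose consent is the opposite of that default.
    const defaultConsent = read(1);
    const listed = new Set();
    for (let n = read(12); n > 0; n--) {
      const isRange = read(1);
      const start = read(16);
      const end = isRange ? read(16) : start;
      for (let v = start; v <= end; v++) listed.add(v);
    }
    for (let v = 1; v <= out.maxVendorId; v++) {
      if ((listed.has(v) ? 1 : 0) !== defaultConsent) out.vendors.push(v);
    }
  }
  return out;
}

// The check Cookie Glasses makes visible: consent for vendors with no
// consented purpose is not a faithful record of a refusal.
function auditConsent(decoded) {
  const issues = [];
  if (decoded.purposes.length === 0 && decoded.vendors.length > 0) {
    issues.push(`${decoded.vendors.length} vendor(s) recorded as consented although no purpose is allowed`);
  }
  return issues;
}
```

Decoding the `euconsent` cookie of a site after refusing everything and running `auditConsent` on the result reproduces the observation in the text; a CMP that records the refusal correctly yields an empty purpose list and an empty vendor list.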

[Image: France Inter, consent refused]

And if we then browse different pages of franceinter.fr, the refusal seems to have changed nothing: we continue to be tracked by numerous third parties (during my test: DoubleClick, Quantcast, BidSwitch, OpenX, MediaMath).

[Image: France Inter, consent refused]

The advertising ecosystem has several problems with consent:

  1. Advertising players should not be able to place cookies carrying an advertising identifier if they have not received the Internet user's consent. Yet this remains common practice, very much in line with Google's strategy, which is not to serve personalised advertising when there is no consent but to keep tracking the Internet user across the web in order to serve contextual ads and measure their performance. More precisely: to my knowledge, no advertising tool works "without depositing user identifier cookies".
  2. Unlike other tools used by publishers (analytics, social networks, e-commerce, etc.), advertising tools call one another. Thus a publisher (France Inter) using the Google Ad Manager ad server and SSP (a direct relationship) ends up displaying on its site advertisements delivered by multiple third parties with which it has no direct relationship (whether via RTB or direct sales). To deliver their advertising, these third parties use a DSP (buying platform), an ad server (delivery and measurement tool), a viewability measurement tool (is the ad visible on the screen or hidden?), a fraud measurement tool (who is behind the screen, a real user or a bot?), and so on. This explains the ever-growing lists of actors requesting consent, and publishers' lack of control over the advertising they deliver.
  3. A further annoyance: France Inter uses Google's ad server and SSP, tools that still do not pass the consent chain on to third-party advertising players, because Google is not yet part of the IAB "Transparency and Consent Framework". This protocol was developed by the IAB Tech Lab, an association of advertising players responsible for establishing technical standards, in order to comply with the GDPR (after multiple postponements, Google plans to adopt v2 of the Framework at the end of the first quarter).

Can publishers comply with GDPR?

Yes, but if they depend on advertising to survive, complying with the law is constraining:

  • Putting the acceptance and refusal of cookies on the same level will result in a high refusal rate.
  • Moreover, the "solution" put in place by the IAB to comply with the GDPR, the Transparency and Consent Framework (TCF), by its very architecture blocks neither cookies nor calls to third-party tags, so it does not let publishers control what happens on their sites. On this subject, read "Mechanisms and (r)pitfalls of consent" by Benjamin Poilvé, engineer in the CNIL's technology expertise service.
  • If the Internet user refuses cookies, since the advertising ecosystem is not at all ready for a world without cookies, the proper solution would be not to serve advertising at all (the publisher's "tag manager", the tool that decides which tags are activated, should then deactivate the advertising tags).
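The last bullet describes a gate that a tag manager can apply. The following is an added example, not code from the original post nor from any real tag manager product: it reads the consent decision from a first-party cookie, fires only the tags whose category the user accepted, and treats both "no decision yet" and "category not mentioned" as refusal, which is what prior consent requires. The cookie name `site_consent`, its `category:0|1` value format, the tag catalogue and the `load` callback are all assumptions made for the example; the "exempt" category stands for the tools the post says do not need consent.

```javascript
// Added example, not code from the original post or a real tag manager: a
// consent gate that fires tags only for categories the user accepted. Cookie
// name, value format and tag list are assumptions for this illustration.

// Tag catalogue: the category decides which consent applies. "exempt" stands
// for tools the post says do not need consent (e.g. some audience
// measurement tools meeting the CNIL's exemption conditions).
const TAGS = [
  { id: 'audience-measurement', category: 'exempt' },
  { id: 'ad-server', category: 'advertising' },
  { id: 'viewability', category: 'advertising' },
  { id: 'share-buttons', category: 'social' },
];

// Parse the consent decision stored as a first-party cookie, e.g.
// "site_consent=advertising:0,social:1" inside a document.cookie string.
// Returns null when no decision has been recorded yet.
function parseConsent(cookieHeader, name = 'site_consent') {
  const pair = cookieHeader.split(';').map(s => s.trim()).find(s => s.startsWith(name + '='));
  if (!pair) return null;
  const decision = {};
  for (const item of pair.slice(name.length + 1).split(',')) {
    const [category, value] = item.split(':');
    if (category) decision[category] = value === '1';
  }
  return decision;
}

// Default deny: exempt tags always run; every other tag needs an explicit
// "1" for its category. No decision (banner not answered yet) and a category
// absent from the cookie (e.g. added after the user chose) are both refusals.
function allowedTags(tags, decision) {
  return tags.filter(t =>
    t.category === 'exempt' || (decision !== null && decision[t.category] === true));
}

// Fire the allowed tags through an injected loader (in a browser this would
// insert the <script> elements); returns the ids actually loaded.
function fireTags(tags, cookieHeader, load) {
  const loaded = [];
  for (const tag of allowedTags(tags, parseConsent(cookieHeader))) {
    load(tag);
    loaded.push(tag.id);
  }
  return loaded;
}

// Constructed cookie strings for three situations.
console.log(fireTags(TAGS, '', () => {}));                                        // undecided
console.log(fireTags(TAGS, 'session=abc; site_consent=advertising:0,social:1', () => {})); // refused ads
console.log(fireTags(TAGS, 'site_consent=advertising:1,social:1', () => {}));     // accepted all
```

The design choice worth noting is the default: a category that is not explicitly accepted is treated as refused, so a tag added to the catalogue after the user made their choice cannot fire until the user is asked again.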

The advertising ecosystem nevertheless risks being forced to adapt, because after Safari, Firefox and Brave, Chrome should soon stop allowing third-party cookies to be placed (within 2 years, according to their announcement).