Cookies crumbling as Google phases them out

2 min read Original article ↗

Meanwhile, researchers at the Massachusetts Institute of Technology, University College London (UCL) and Aarhus University have conducted a joint study into the use of cookies.

They analysed five companies which offer consent management platforms (CMP) for cookies used by the UK's top 10,000 websites.

Despite EU privacy laws stating that consent for cookies must be informed, specific and freely given, the research suggests that only 11.8% of the sites met the minimal requirements of GDPR (General Data Protection Regulation) law.

Instead they were found to blanket data consent options in complicated site design, such as:

  • pre-ticked boxes

  • "burying" decline buttons on later pages

  • multiple clicks

  • tracking users before consent and after pressing "reject"

Just over half the sites studied did not have "rejecting all" tracking as an option.

Of the sites which did, only 12.6% made it accessible through the same or fewer clicks as the option to "accept all".

Quantcast, the largest company analysed, typically asks for permission to share data with 542 different companies, explains study co-author Michael Veale, from UCL.

In response, the firm told the BBC: "Our default recommended settings grant equal prominence to the "I Accept" and "I Do Not Accept" buttons, and do not pre-select choices for any data processing purposes. While we strongly encourage that these defaults are used, website owners ultimately retain control over the customisation and presentation of their properties.

Crownpeak, another CMP provider, said that its default configuration was also set up to enforce prior consent.

The researchers estimate it would take, on average, more than half an hour to read through what the third-party companies are doing with your data, and even longer to read all their privacy policies.

"It's a joke and there's no actual way you could do this realistically," said Dr Veale.

"Consent should always have been a clear positive action, laws on tracking have been unenforced for a decade and the result is regulators not knowing where to start to cope with the scale of the widespread illegality."