I looked at the data collection habits of 50 popular websites – and the results aren’t good

The owners of Google and Facebook were both heavily sentenced for illegal use of cookies at the end of 2021 by the French data protection authority, the Commission Nationale de l’Informatique et des Libertés (CNIL). On the French versions of Google, its sister platform YouTube and Facebook, users were asked to consent to cookies in such a way that it was much easier for them to accept than to reject the request. They could accept cookies with one click but there was a more laborious process to refuse them.

Google owner Alphabet was fined €150m (£125m) and Facebook owner Meta was fined €60m. Alphabet was fined more because its violations affected more people and it had gotten into trouble for violations in the past. The two companies also had three months to modify their systems to make it as easy for users to reject cookie requests.

Meta and Alphabet have yet to comply, although they have until April to do so. The law in the UK and the rest of the EU is also the same as in France, so it will be interesting to see what they do in those jurisdictions as well.

In the meantime, I looked at what many other companies were doing and found that many were still collecting data using cookies in the same way. So what’s going on?

Cookie Laws and Workarounds

Cookies are small text files stored by websites on our Internet browsers, which allow the website to collect information about us. Some cookies are necessary for us to be able to navigate the site in question – for example, to add items to a shopping basket.

More contentious cookies track a user’s browsing behavior. There are first-person cookies, where the site in question tracks user behavior to offer them relevant products; and third-party cookies, where done by another company to enable others to advertise to the user instead – the classic example is Google Ads.

Cookies collect so much information that it is usually more than enough to identify the person behind the device. Apart from visits to particular web pages, they can also record a person’s search queries, goods or services purchased, IP address and exact location.

From this it is possible to deduce a person’s name, nationality, language, religion, sexual orientation and other intimate details – most of which are special categories of personal data that cannot be processed without the individual’s explicit consent under the EU ePrivacy Directive and the EU and UK General Data Protection Regulation (GDPR).

The GDPR requires that this consent be specific, informed, unambiguous and freely given – requiring affirmative action on the part of the user. Unfortunately, that doesn’t give us much protection.

Websites have used various methods to circumvent the requirements. Most cookie consent requests were previously presented with pre-selected checkboxes that, by default, prompted individuals to accept cookies on their devices. In 2019, the Court of Justice of the European Union (CJEU) ruled that websites could no longer do this, as it circumvented the positive action requirement of the GDPR. But the value of the data that can be collected using cookies is such that websites have simply opted for different workarounds.

The popular option is the one that saw Facebook and Google sanctioned by the CNIL in France. The CNIL basically said that when it comes to denying consent to cookies, two clicks is too many: it meant people were pressured into consenting, and was therefore against the GDPR’s free consent requirement. This probably explains why, according to a 2020 experimental study of users who lived in the EU, 93% accepted cookies, even though they had a second window to manage them.

The larger problem

The French interpretation of the GDPR does not bind UK courts, the CJEU or other regulators in Europe. So, once the CNIL’s three-month deadline has passed, websites with similar unbalanced cookie consent in other GDPR countries could argue that there is ambiguity in the law about what counts as consent. But in reality, the law is quite clear and the French interpretation should be a strong signal that other privacy authorities will come to a similar conclusion.

And yet, when I looked at 50 randomly chosen well-known websites, only 15 (30%) seemed to comply with EU/UK data privacy laws. Some of these compliant sites, such as ebay.co.uk, offer “Accept” and “Reject” buttons in the same banner. Others, like bbc.co.uk, make it harder to refuse cookies but allow users to browse without consent.

As many as 32 (64%) of the sites did not appear to comply with EU and UK cookie laws. These include Google, Facebook and Twitter, as well as other big companies such as Ryanair and the Daily Mirror website.

Twitter, for example, simply notifies the user of their consent in a banner stating: “By using Twitter’s services, you agree to our use of cookies”. Other companies, including Google and Facebook, hide the decline/decline button in a second window. Still others, like Ryanair, create a cookie wall where visitors can only use the site if they choose “Yes, I agree” or go to “View cookie settings” to select their preferences.

Image: Ryanair website

There were three other websites where it was unclear or borderline whether they complied with the rules. Spotify, like the BBC, has a typical cookie banner but allows users to browse without accepting cookies. But its cookie banner covers half of the device screen. This reduces the quality of the user’s browsing experience and could potentially be considered a coercive practice.

The failure of big tech companies to follow cookie laws suggests that millions of citizens are likely having their personal data illegally collected. It’s hard not to wonder if some companies knowingly break the rules because they generate so much revenue from their cookies that it’s worth risking a privacy breach penalty.

They can also bet that the relevant authorities are too underfunded or understaffed to enforce the rules. For example, a recent report by the Dutch Ombudsman pointed out that the competent authority in that country had 9,800 unresolved privacy complaints at the end of 2020. And according to the Irish Council for Civil Liberties, “almost all (98%) major GDPR cases referred to Ireland remain unresolved” – partly due to a lack of budget and sufficient specialist staff. The situation is unlikely to be radically different in other EU countries.

If the UK and EU are serious about protecting citizens’ privacy, they need to change the rules to be more specific about what a consent window should look like, and run information campaigns to make citizens understand that the refusal of consent can in no way limit their browsing experience. They should also allocate the necessary resources to enforce the rules. Only then will the laws surrounding these little-known tools for collecting our data be fit for purpose.


We asked Meta, Alphabet, Ryanair, Twitter and the Daily Mirror editor Reach if they would like to comment. Reach dwindled and Alphabet, Twitter and Ryanair did not respond. Meta said:

We examine the [CNIL’s] decision and remain committed to working with the relevant authorities. Our cookie consent controls give users greater control over their data, including a new settings menu on Facebook and Instagram where users can review and manage their decisions at any time, and we continue to develop and improve these controls .The conversation

This article by Asress Adimi Gikay, Lecturer in Artificial Intelligence, Disruptive Innovation and Law, Brunel University London, is republished from The Conversation under a Creative Commons license. Read the original article.

Comments are closed.