We need to fix GDPR’s biggest failure: broken cookie notices

The user experience of browsing the web is worse than ever. Even if you only spend a tiny amount of time online, it’s impossible to escape cookie consent notices. They’re the intrusive banners and blocks that appear each time you visit a new website that collects data about you through cookies. Each is asking the same question: will you allow this website to collect your information?
The spread of these cookie notices is down to European legislation. A combination of GDPR and how it altered the ePrivacy Directive forced pretty much every site on the web to get people in Europe to click ‘allow’ before it stores anything non-essential on their device.


The legal changes were meant to make understanding web tracking easier for everyone. But two years after the arrival of GDPR, cookie consent notices are a blight on the web. Researchers have found that they use dark patterns to trick people into clicking ‘yes’, with a lack of enforcement against websites that don’t comply with the rules – and a general lack of awareness of what the cookie notices are meant to achieve – creating a real mess.
“Usually people click to get it away because it’s really big on the screen,” says Estelle Massé, a senior policy analyst and global data protection lead at non-profit internet advocacy group Access Now. “You want to move on. You don’t actually read what is happening, you don’t actually know what you’re consenting to. It’s not really helpful as a tool.”
Cookie notices come in all shapes and sizes, but they largely work in the same way: they ask you to consent to the website you’re visiting storing and reading information on your device. A cookie is a small string of text that a website’s server asks your browser to keep; the browser then sends it back with every subsequent request to that site. Often the text is simply an identifier, a code that’s unique to your browser, which lets the site, or an advertising network embedded in it, recognise you from one page to the next and from one visit to the next.
What a website stores in cookies depends on what it does: an online clothes shop will keep different information from a news website, for instance. Some cookies are needed for a site to function, such as those that keep you logged in, remember a shopping basket, help defend against spam or route your requests to the right server. Others exist purely for personalisation and targeted advertising. When a page embeds advertising scripts from Google or Facebook, those scripts can read the identifiers their own networks previously stored in your browser, link this visit to your browsing history across other sites, and present adverts that you may be more likely to click on.


The introduction of GDPR caused a huge spike in cookie consent notices across the web. The legislation changed the definition of consent within the ePrivacy Directive, which was created almost two decades ago to manage digital privacy, and ultimately made websites move to a setup where a user has to actively click to allow cookies to be stored on their device. (Pre-ticked consent boxes do not count as consent, the Court of Justice of the European Union ruled in 2019).
According to research published in October 2019, following the adoption of GDPR more than 60 per cent of popular websites in Europe show cookie consent notices. Two of the authors behind the research, Christine Utz and Martin Degeling from Ruhr-University Bochum, Germany, say the percentage has likely increased since they completed their research and the detail that websites provide in cookie consent notices has improved.
Their research paper looked at the different positions of cookie notices on websites (people are most likely to interact with a notice in the lower left of the screen), the choices offered and the wording of notices. “Given a binary choice, more users are willing to accept tracking compared to mechanisms that require them to allow cookie use for each category or company individually,” the paper says. “We also show that the widespread practice of nudging has a large effect on the choices users make.”
Cookie consent notices can show a bewildering array of options. On some websites the accept all cookies option is highlighted in a larger font or more eye-catching colour. They’re often configured to get people to accept everything without pausing to consider their choices. “Most people just click whatever button is bigger or brighter,” Degeling says. “Most of the websites still try to use dark patterns to get people to accept all cookies,” Utz adds.


A report by the Irish Data Protection Commission published at the start of April looked at 40 different websites and how they use cookie consent notices – the results weren’t particularly positive. A quarter of the websites had pre-ticked consent boxes, and around half admitted they may not meet the rules required by GDPR and the ePrivacy Directive. “It is our view that almost all of the sites continue to have compliance issues, ranging from minor to serious,” the Commission said. Work on replacing the ePrivacy Directive with an ePrivacy Regulation, to sit alongside GDPR, started in 2017 but has massively stalled in the face of heavy lobbying from the advertising industry and drawn-out political negotiations. (“It’s been more lobbied against and complex than the GDPR,” says Massé).
The vast majority of cookie notices that appear on websites aren’t created by the sites themselves. Instead they’re made by consent management platforms (CMPs). These companies produce systems that can be integrated into existing websites and make the overall cookie consent process simpler for site creators. In total five firms – Quantcast, OneTrust, TrustArc, Cookiebot and Crownpeak – cover 58 per cent of the UK’s top 10,000 websites, researchers from Aarhus University in Denmark, MIT and University College London found. (Condé Nast Britain, the publisher of WIRED, uses OneTrust).

Many of the tools from these companies use the Transparency and Consent Framework (TCF) created by the Interactive Advertising Bureau Europe (IAB Europe) – the body says more than 650 organisations, including those CMPs with thousands of customers, use its setup. IAB’s legal director for privacy, Filip Sedefov, estimates the framework is “currently being implemented by hundreds of thousands of websites across the European Union and in over a third of the programmatic advertising traffic to and from EU-based publishers and other websites”.
The latest version of the framework has attempted to help standardise the language and ways that people are presented with cookie notices. “Widespread standardisation and consistency across sites and apps in terms of legally required disclosures provided by TCF ensures a positive user experience,” Sedefov says. “The user does not have to learn new terms, or comprehend a new set of choices each time, but has assurance that there is a well-understood set of rules that apply uniformly to their data, whichever TCF participant may be processing it.”
This has led to websites offering more granularity when people do click through to cookie consent options. A common setup lets people turn cookie categories off (or on). These categories typically include cookies that are necessary for the site to work, those that store preferences, those used for statistics, and those used for marketing and advertising; in some cases cookies are also grouped into an “unclassified” category.
However, Midas Nouwens, a digital rights academic from Aarhus University, says this granularity isn’t useful as most people don’t understand what they are agreeing to. “Most people’s experience of the GDPR is these pop ups, which are annoying, and frustrating and don’t really give us any meaningful sense of control,” Nouwens says. The Irish regulator agrees. Its report says: “Many controllers categorised the cookies deployed on their websites as having a ‘necessary’ or ‘strictly necessary’ function, where the stated function of the cookie appeared to meet neither of the two consent exemption criteria set down in the ePrivacy Regulations/ePrivacy Directive.”
For their study, Nouwens and his colleagues scraped the UK’s top 10,000 websites for the cookie consent notices they had deployed and found the vast majority weren’t following the rules. “We found that 88.2 per cent of them were configured illegally,” he says. “The way the test was designed was quite a generous way of looking at it because we only looked at the things that could be processed automatically rather than things that would need some more qualitative analysis.” In general, most consent notices were meaningless or used “dark patterns” to push people towards accepting all tracking. Some research has found that even when people do make choices, websites can ignore them.
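Checks of this kind can be automated because they look at what a site does before any consent is given, not at what its policy says. The following Python script is an added example written for this article, not code from the Aarhus/MIT/UCL study or from any consent management platform. It takes a constructed set of Set-Cookie headers returned on a first page load and the HTML of two constructed consent banners, and flags three things the article has described: cookies set before any click that the site does not itself classify as necessary (reporting their lifetime and domain, since a long-lived unique value is exactly the identifier that tracking relies on), pre-ticked non-necessary category toggles, which the European court ruled out as consent, and whether a reject control is offered alongside accept. The category names, the accept/reject keyword lists and the `DECLARED_NECESSARY` set are assumptions; a real audit would feed in captured response headers and the live banner’s HTML.

```python
"""Pre-consent cookie-banner audit.

Added example for this article, not code from the Aarhus/MIT/UCL study or from
any CMP. All input below is constructed: the Set-Cookie headers a site returned
on first load (before any consent click) and the HTML of two consent banners.
"""
import re
from html.parser import HTMLParser
from http.cookies import SimpleCookie

# Assumption: category names exempt from consent; every other category needs a prior opt-in.
NECESSARY = {"necessary", "strictly necessary"}
# Assumption: words that identify accept and reject controls in a banner.
ACCEPT_WORDS = {"accept", "agree", "allow"}
REJECT_WORDS = {"reject", "decline", "refuse", "deny"}

# Constructed: cookies set by the first response, before the user clicked anything.
SAMPLE_SET_COOKIE_HEADERS = [
    "sessionid=9f2c1d7e; Path=/; HttpOnly; Secure",
    "csrftoken=0a1b2c3d; Path=/; Secure",
    "_ga=GA1.2.123456789.1588000000; Path=/; Max-Age=63072000",
    "ad_uid=c0ffee-4b1d; Domain=.ads.example; Path=/; Max-Age=31536000",
]
# Constructed: the cookies the site's own policy lists as strictly necessary.
DECLARED_NECESSARY = {"sessionid", "csrftoken"}

# Constructed banner showing the dark patterns described in the article:
# pre-ticked categories and a single prominent "Accept all" with no reject button.
DARK_BANNER_HTML = """
<div id="cmp">
  <label><input type="checkbox" name="necessary" checked disabled> Necessary</label>
  <label><input type="checkbox" name="preferences" checked> Preferences</label>
  <label><input type="checkbox" name="statistics" checked> Statistics</label>
  <label><input type="checkbox" name="marketing"> Marketing</label>
  <button class="btn btn-primary btn-lg">Accept all</button>
  <a href="#settings">Manage settings</a>
</div>
"""
# Constructed banner offering a symmetric choice with nothing pre-ticked.
FAIR_BANNER_HTML = """
<div id="cmp">
  <label><input type="checkbox" name="necessary" checked disabled> Necessary</label>
  <label><input type="checkbox" name="preferences"> Preferences</label>
  <label><input type="checkbox" name="statistics"> Statistics</label>
  <label><input type="checkbox" name="marketing"> Marketing</label>
  <button class="btn">Reject all</button>
  <button class="btn">Accept all</button>
</div>
"""


def find_pre_consent_cookies(set_cookie_headers, declared_necessary):
    """Cookies stored on first load that the site does not classify as necessary.

    Each entry records whether the cookie is persistent (has a Max-Age) and the
    domain it is scoped to, because a long-lived identifier on an advertising
    domain is the tracking mechanism the consent rules are meant to gate."""
    jar = SimpleCookie()
    for header in set_cookie_headers:
        jar.load(header)  # parses name=value plus attributes (Max-Age, Domain, flags)
    flagged = []
    for name, morsel in jar.items():  # insertion order is preserved (dict subclass)
        if name in declared_necessary:
            continue
        max_age = int(morsel["max-age"]) if morsel["max-age"] else None
        flagged.append({
            "name": name,
            "domain": morsel["domain"] or None,
            "max_age": max_age,
            "persistent": max_age is not None,
        })
    return flagged


class BannerParser(HTMLParser):
    """Collects consent checkboxes and the text of clickable controls."""

    def __init__(self):
        super().__init__()
        self.checkboxes = []  # (name, checked, disabled)
        self.controls = []    # visible text of each <button> / <a>
        self._in_control = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # boolean attributes arrive as ("checked", None)
        if tag == "input" and (a.get("type") or "").lower() == "checkbox":
            self.checkboxes.append((a.get("name") or "", "checked" in a, "disabled" in a))
        elif tag in ("button", "a"):
            self._in_control, self._buf = True, []

    def handle_data(self, data):
        if self._in_control:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag in ("button", "a") and self._in_control:
            self.controls.append(" ".join("".join(self._buf).split()))
            self._in_control = False


def _parse(banner_html):
    parser = BannerParser()
    parser.feed(banner_html)
    parser.close()
    return parser


def find_preticked(banner_html, necessary=NECESSARY):
    """Non-necessary categories already ticked before the user has chosen anything."""
    return [name for name, checked, _disabled in _parse(banner_html).checkboxes
            if checked and name.lower() not in necessary]


def consent_controls(banner_html):
    """Whether the banner offers an accept control and a reject control at all."""
    word_sets = [set(re.findall(r"[a-z]+", text.lower())) for text in _parse(banner_html).controls]
    return {
        "accept": any(words & ACCEPT_WORDS for words in word_sets),
        "reject": any(words & REJECT_WORDS for words in word_sets),
    }


def audit(set_cookie_headers, declared_necessary, banner_html):
    """Summarise the three automatable checks for one site."""
    return {
        "cookies_before_consent": [c["name"] for c in
                                   find_pre_consent_cookies(set_cookie_headers, declared_necessary)],
        "preticked": find_preticked(banner_html),
        "controls": consent_controls(banner_html),
    }


if __name__ == "__main__":
    import json
    for label, html in (("dark banner", DARK_BANNER_HTML), ("fair banner", FAIR_BANNER_HTML)):
        print(label, json.dumps(audit(SAMPLE_SET_COOKIE_HEADERS, DECLARED_NECESSARY, html), indent=2))
```

Run stand-alone, the dark banner is reported with `_ga` and `ad_uid` already set, `preferences` and `statistics` pre-ticked and no reject control, while the fair banner passes the banner checks but still shows the two cookies dropped before any choice was made. That last point is why header capture matters: a compliant-looking banner says nothing about what the page had already stored.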
However, crackdowns on websites not following cookie rules are almost non-existent. While EU-level bodies have issued guidance on cookie consent – including at the start of May – enforcement has to be carried out by individual national data protection authorities. Several of them have issued their own guidance, but there has been a lack of fines for those infringing the rules. (Self-regulation systems, such as the browser-based Do Not Track signal, have largely failed because honouring the signal was voluntary and most websites simply did not).
The only fine over cookie consent issued since GDPR came into force has come from Spain. One of the country’s budget airlines was fined €30,000 (£26,000) when the data protection body, the Agencia Española de Protección de Datos (AEPD), found it didn’t offer people enough control over cookies. In a subsequent decision, the AEPD said websites in Spain should provide granular controls. A spokesperson for the European Data Protection Board confirmed it has not taken any position on dark patterns, adding that it is aware of the issue and that its members were looking at ongoing developments.
All the researchers spoken to for this article said stronger enforcement of GDPR was needed. Nouwens says any real change must come from individual governments, the EU and businesses. “We want to move towards a place where websites use privacy by design and by default – so that by default they don’t track us and we’re the one deciding when trackers are in place and when they’re not,” Massé says.
Ultimately, there’s little people can do to take back control. “What can users really do? It’s very little because these are systemic issues,” Nouwens says. “I don’t think it should be personal responsibility. I don’t think this solution lies in people becoming more informed, or people having to spend more time on each website, clicking on things.”
There are some options though. Increasingly, browsers are moving away from third-party cookies, and some privacy-focused browsers block tracking by default. There are also more home-brewed options. Nouwens has created a browser extension that works with the major cookie consent providers and reduces the amount of clicking you need to do. “You can set your preferences once and then it will automatically enter those preferences for you.”
Matt Burgess is WIRED’s deputy digital editor. He tweets from @mattburgess1