I looked at the data collection habits of 50 popular websites – and the results aren’t good

The owners of Google and Facebook were both heavily sanctioned for illegal use of cookies at the end of 2021 by the French data protection authority, the National Commission for Computing and Liberties (CNIL). On the French versions of Google, its sister platform YouTube and Facebook, users were asked to consent to cookies in such a way that it was much easier for them to accept than to reject the request. They could accept cookies with one click, but refusing them was a more laborious process.

Google owner Alphabet was fined €150m (£125m) and Facebook owner Meta was fined €60m. Alphabet was fined more because its violations affected more people and it had been in trouble for violations in the past. The two companies were also given three months to modify their systems to make it as easy for users to reject cookie requests as to accept them.

Meta and Alphabet have yet to comply, although they have until April to do so. The law in the UK and the rest of the EU is also the same as in France, so it will be interesting to see what they do in those jurisdictions as well.

In the meantime, I looked at what many other companies were doing and found that many were still collecting data using cookies in the same way. So what’s going on?

Cookie Laws and Workarounds

Cookies are small text files stored by websites on our Internet browsers, which allow the website to collect information about us. Some cookies are necessary so that we can browse the site in question – for example, to add items to a basket.

The disputed tracking cookies follow a user’s browsing behavior. There are first-party cookies, where the site in question tracks user behavior to offer them relevant products; and third-party cookies, where the tracking is done by another company to enable others to advertise to the user instead – the classic example is Google Ads.

Cookies collect so much information that it is usually more than enough to identify the person behind the device. In addition to visits to particular web pages, they can also record a person’s search queries, goods or services purchased, IP address and exact location.

From this it is possible to deduce a person’s name, nationality, language, religion, sexual orientation and other intimate details – most of which are special categories of personal data, which cannot be processed without the individual’s express consent under the EU ePrivacy Directive and the EU and UK General Data Protection Regulation (GDPR).

GDPR requires such consent to be specific, informed, unambiguous and freely given – requiring positive action from the user. Unfortunately, that doesn’t give us much protection.

Websites have used various methods to circumvent the requirements. Most cookie consent requests were previously presented with pre-selected checkboxes that, by default, prompted individuals to accept cookies on their devices. In 2019 the Court of Justice of the European Union (CJEU) decided websites could no longer do so, as it sidestepped the positive action requirement of the GDPR. But the value of the data that can be collected using cookies is such that websites have simply opted for different workarounds.

The popular option is the one that saw Facebook and Google sanctioned by the CNIL in France. The CNIL basically said that when it comes to denying consent to cookies, two clicks is too many: it meant people were pressured into consenting, and was therefore against the GDPR’s free consent requirement. This no doubt explains why, in one 2020 experimental study of users who lived in the EU, 93% accepted cookies, even though they had a second-window option to manage them.

The larger problem

The French interpretation of the GDPR does not bind UK courts, the CJEU or other regulators in Europe. So, once the CNIL’s three-month deadline has passed, websites with similarly unbalanced cookie consent in other GDPR countries could argue that there is ambiguity in the law about what counts as consent. But in reality, the law is quite clear and the French interpretation should be a strong signal that other privacy authorities will come to a similar conclusion.

And yet, when I looked at 50 randomly chosen well-known websites, only 15 (30%) seemed to comply with EU/UK data privacy laws. Some of these sites that are compliant, such as ebay.co.uk, provide “Accept” and “Decline” buttons in the same banner. Others like bbc.co.uk make it more difficult to reject cookies but allow users to navigate without consent.

As many as 32 (64%) of the sites did not appear to comply with EU and UK cookie laws. These include Google, Facebook and Twitter, as well as other large companies such as Ryanair and the website of the Daily Mirror.

Twitter, for example, simply notifies the user of their consent in a banner stating: “By using Twitter’s services, you agree to our use of cookies”. Other companies, including Google and Facebook, hide the decline button in a second window. Still others, like Ryanair, create a cookie wall where visitors can only use the site if they choose “Yes, I accept” or go to “View cookie settings” to select their preferences.

Image: Ryanair website

There were three other websites where it was unclear or borderline whether they complied with the rules. Spotify, like the BBC, has a typical cookie banner but allows users to browse without accepting cookies. But its cookie banner covers half of the device screen. This reduces the quality of the user’s browsing experience and could potentially be considered a coercive practice.

The failure of big tech companies to follow cookie laws suggests that millions of citizens are likely having their personal data illegally collected. It’s hard not to wonder if some companies knowingly break the rules because they generate so much revenue from their cookies that it’s worth risking a privacy breach penalty.

They may also be betting that the relevant authorities are too underfunded or understaffed to enforce the rules. For example, a recent report by the Dutch ombudsman pointed out that the competent authority in that country had 9,800 unresolved privacy complaints at the end of 2020. And according to the Irish Council for Civil Liberties, “almost all (98%) of major GDPR cases referred to Ireland remain unresolved” – partly due to a lack of budget and sufficient specialist staff. The situation is unlikely to be radically different in other EU countries.

If the UK and EU are serious about protecting citizens’ privacy, they need to change the rules to be more specific about what a consent window should look like, and run information campaigns to make citizens understand that the refusal of consent can in no way limit their browsing experience. They should also allocate the necessary resources to enforce the rules. Only then will the laws surrounding these little-known tools for collecting our data be fit for purpose.

We asked Meta, Alphabet, Ryanair, Twitter and the Daily Mirror publisher Reach if they would like to comment. Reach declined and Alphabet, Twitter and Ryanair did not respond. Meta said:

We examine the [CNIL’s] decision and remain committed to working with the relevant authorities. Our cookie consent controls give users greater control over their data, including a new settings menu on Facebook and Instagram where users can review and manage their decisions at any time, and we continue to develop and improve these controls.

This article by Asress Adimi Gikay, Lecturer in AI, Disruptive Innovation and Law, Brunel University London, is republished from The Conversation under a Creative Commons license. Read the original article.