
Many cookie banners make it difficult to protect your own data


Nobody on the web can get around cookies. Copyright: RUB/Marquard.

You can hardly avoid them when you're online: cookie consent notices to protect personal data, also known as "cookie banners". Researchers at the Horst Görtz Institute for IT Security have now investigated how cookie banners are implemented on websites after the introduction of the European General Data Protection Regulation (GDPR, in German: DSGVO) in May 2018 and how users interact with them. They found that many banners do not comply with the regulations of the DSGVO and that some psychological tricks are used to manipulate users. Christine Utz, Dr. Martin Degeling, Prof. Sascha Fahl and Prof. Thorsten Holz have now published their paper "(Un)informed Consent: Studying GDPR Consent Notices in the Field" in collaboration with Florian Schaub from the University of Michigan.

Login data or marketing information

Cookies are used by website providers to store information about their visitors. This could be login information, for example, so that it does not have to be re-entered each time. But behavior patterns and preferences are also stored, mostly for marketing purposes, and often passed on to third parties. The DSGVO, however, stipulates that this data may not be used without the consent of the users.

"It has been shown that the majority of cookie notices do not meet the requirements of the European data protection authorities, which clearly state that the notices must be transparent and offer real freedom of choice," explains Christine Utz. But that's not all: 57 percent of the websites surveyed also use so-called "nudging" techniques, which are designed to steer people's behavior, for example by changing the framework conditions or through slight manipulations on the website. In the cookie banners, these were, for example, color highlighting of the "agree" button or an unclear presentation of the "opt-out" option. The aim of this method is to persuade users to agree that their data can be used.

Strongest interaction with banners in the lower left part

The scientists used these findings in a field study with more than 80,000 users of a German e-commerce website. Over a period of four months, they displayed different cookie banners to observe the user interaction. In a follow-up survey, they also asked users about their preferences and knowledge about cookie banners. The result was that users interact most strongly with a banner that appears in the lower left part of the screen. Answers from the questionnaire indicate that users often fear that the website would not function properly if they refused cookies. Overall, many users are willing to interact with the cookie consent notices, especially those who do not want to allow their data to be stored. However, as it stands now, many websites do not offer them this option or at least make it more difficult.

Recommendations of the scientists

The solution would be an obligatory "privacy by default" setting in which the data is only collected after the users have explicitly agreed to tracking. In addition, the scientists recommend the use of "purpose-based" cookie consent notices, in which the consent to the processing of the data is given for specific purposes. This would correspond to the actual requirements and the basic idea of the DSGVO.

Here you can get the paper.

 

Press contact:

Christina Scholten, PR-Manager Horst Görtz Institute for IT Security

Phone: +49-(0)234-32-27130

E-mail: christina.scholten [@] rub.de
