You can hardly avoid them when you are online: cookie consent notices intended to protect personal data, also known as "cookie banners". Researchers at the Horst Görtz Institute for IT Security have now investigated how cookie banners are implemented on websites since the European General Data Protection Regulation (GDPR) came into force in May 2018, and how users interact with them. They found that many banners do not comply with the GDPR's requirements and that some use psychological tricks to manipulate users. Christine Utz, Dr. Martin Degeling, Prof. Sascha Fahl and Prof. Thorsten Holz have now published their paper "(Un)informed Consent: Studying GDPR Consent Notices in the Field" in collaboration with Florian Schaub from the University of Michigan.
Login data or marketing information
Cookies are used by website providers to store information about their visitors. This can be login information, for example, so that it does not have to be re-entered on each visit. But behavior patterns and preferences are also stored, mostly for marketing purposes, and often passed on to third parties. The GDPR, however, stipulates that such data may not be used without the users' consent.
In fact, over 60 percent of popular European websites display a cookie consent notice. According to the researchers, however, the implementations vary greatly. Within a sample of 1,000 cookie consent notices, they analyzed the position, choices, texts and links of the banners. They wanted to find out how the design of the banners could make it easier for users to make informed choices and protect their data. "It has been shown that the majority of cookie notices do not meet the requirements of the European data protection authorities, which clearly state that the notices must be transparent and offer real freedom of choice," explains Christine Utz. But that's not all: 57 percent of the websites surveyed also use so-called "nudging" techniques, which are designed to steer people's behavior, e.g. by changing the framing of a choice or by subtle manipulations of the website. Within the cookie banners, for example, these were color highlighting of the "agree" button or an unclear presentation of the "opt-out" option. The aim of this method is to persuade users to agree to their data being used.
Strongest interaction with banners in the lower left part of the screen
The scientists used these findings in a field study with more than 80,000 users of a German e-commerce website. Over a period of four months, they displayed different cookie banners to observe how users interacted with them. In a follow-up survey, they also asked users about their preferences and knowledge regarding cookie banners. The result was that users interact most strongly with a banner that appears in the lower left part of the screen. "Another important finding for us was that given a binary choice, more users are willing to accept tracking compared to mechanisms that require them to allow cookie use for each category or company individually," the scientist said. Answers from the questionnaire indicate that users often fear that the website will not function properly if they refuse cookies. Overall, many users are willing to interact with the cookie consent notices, especially those who do not want to allow their data to be stored. As it stands now, however, many websites do not offer them this option, or at least make it harder to use.
Recommendations of the scientists
The solution would be a mandatory "privacy by default" setting in which data is only collected after users have explicitly agreed to tracking. In addition, the scientists recommend "purpose-based" cookie consent notices, in which consent to the processing of data is given for specific purposes. This would correspond to the actual requirements and the basic idea of the GDPR. "If this practice were to gain acceptance, it would actually lead to less than 0.1% active consent for the use of third parties," concludes Christine Utz.
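The "privacy by default" and purpose-based consent described above, as an added example in JavaScript (not code from the paper or the press office): every non-essential purpose starts unconsented, only an explicit decision on the notice changes that, and a third-party tag may run only when every purpose it needs has been granted. The purpose names, the vendor list and the `explicit` flag are assumptions made for the illustration.

```javascript
// Added example, not from the paper: a minimal purpose-based,
// privacy-by-default consent model for a website's own scripts.
const PURPOSES = ["necessary", "functional", "analytics", "marketing"];

// Privacy by default: every non-necessary purpose starts as NOT consented.
function defaultConsent() {
  const state = {};
  for (const p of PURPOSES) state[p] = p === "necessary";
  return state;
}

// Record a decision only when it is an explicit user action on the notice.
// Scrolling, closing the banner or a timeout must not count as consent.
function recordDecision(state, granted, { explicit }) {
  if (!explicit) return state;          // implicit "consent" is ignored
  const next = { ...state };
  for (const p of PURPOSES) {
    if (p === "necessary") continue;
    next[p] = granted.includes(p);      // purposes not ticked stay false
  }
  next.decidedAt = Date.now();          // when the decision was recorded
  return next;
}

// A third-party tag may run only if every purpose it needs was granted.
function mayLoad(state, vendorPurposes) {
  return vendorPurposes.every((p) => state[p] === true);
}

// Constructed vendor list; each entry names the purposes its tag needs.
const VENDORS = {
  sessionKeepAlive: ["necessary"],
  webAnalytics: ["analytics"],
  adRetargeting: ["analytics", "marketing"],
};

// Names of the vendors whose tags are allowed under the current consent.
function vendorsAllowed(state) {
  return Object.keys(VENDORS).filter((v) => mayLoad(state, VENDORS[v]));
}
```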
The results of the study can be of great value for the further development of how the GDPR is implemented, as it is the first study of its kind based on real users. It is to be hoped that the handling of "cookie banners" will improve over the next years, for example by giving users real scope for decision-making or by building consent mechanisms into the browser so that individual websites no longer have to ask for consent themselves.
Christina Scholten, PR-Manager Horst Görtz Institute for IT Security
E-mail: christina.scholten [@] rub.de