Attack of the cookie monster

Picture this, you arrive at a website and the cookie policy pops up. The intrusive, ‘no browsing the site until you’ve dealt with me’ kind of pop-up. Without thinking you click the green box and it disappears. Hurrah! Off to browse the site you go and you think no more about it. But let us pause for a second to unpick what has just happened. When you clicked the green ‘Accept All’ box you apparently gave your consent for various tracking programs to be placed onto your computer which will monitor your activity and report back to their digital masters. If you are suddenly thinking this seems like something you shouldn’t be able to consent to so carelessly you aren’t alone, the GDPR agrees with you.

“But wait,” you say, “wasn’t the GDPR meant to ensure companies couldn’t do this anymore? Didn’t you get a million emails a few years ago from every company you’ve ever known begging you to stay on mailing lists and promising they would respect and protect your data? Big promises were made about how the GDPR would usher in a new age of digital transparency – so why is it still business as usual?”

Well, it’s not quite business as usual. Before the GDPR you probably didn’t get the pop-up in the first place. Businesses have made a big song and dance about how they are ‘GDPR compliant’ and these intrusive, often annoying, pop-up consent boxes are part of it. Under the GDPR, companies must have a lawful basis for processing your personal data (the data in question here is the information the cookie sends back about your browsing habits). One of these bases is consent, which is why you see the pop-up in the first place. If you agree to having your personal data processed then that’s between you and the data controller (that’s the person who is receiving and using your personal data).

“Sure,” you say, “but everyone knows that nobody reads the small print. If the GDPR was meant to be a game-changer shouldn’t it have predicted businesses would do this? What help is the GDPR if you can sign away all your digital rights without realising it?”

Actually, the GDPR was a bit smarter than you give it credit for. If someone wants to rely on your consent to process personal data the GDPR requires that your consent be (1) an indication of your wishes which is (2) specific and informed, and (3) freely given. Number 1 is pretty easy; you clicked that big green box, that’s a valid way to express your wishes under the GDPR. Number 2 is a bit more of an issue though – you didn’t know what you were saying yes to. You didn’t read the small print and, even if you had, you wouldn’t have been much the wiser about what was actually going on. As an example, a very standard term in a cookie policy states, “We and our partners store or access information on devices, such as cookies and process personal data, such as unique identifiers and standard information sent by a device”. What are these unique identifiers and standard information? When they access your data, what are they doing with it? Unless you have a keen interest in data processing you’re unlikely to be able to truly understand what is happening to your data.

Okay, number 2 looks like a bit of a barrier, but what happens if you had actually read the policy and understood it? Nobody made you click on the big green ‘Accept All’ box, so surely number 3 isn’t a problem? Not so fast. Studies have shown that over 50% of all sites use ‘dark patterns’ to get you to consent. What are these dark patterns, you say, suddenly very nervous? Don’t worry, it’s not a global conspiracy; dark patterns are built on the concept of ‘nudges’, very minor changes to an interface or system designed to get the user to choose a particular outcome. One big nudge is the box that you clicked on being green – subconsciously we all know green means go, carry on, no problems here. The position of the pop-up is important too. It’s often at the bottom of the screen, perhaps off to the left, which makes you less likely to pay it much attention. After all, how important can something be that’s not in the middle? “Hmm,” you say, “this sounds like a bit of a stretch, surely people aren’t so susceptible to very minor formatting changes?” Perhaps they are. When sites use these techniques acceptance rates jump from 0.16% to 83.55%, which adds some weight to the idea that your consent might not have been as freely given as you thought.

“Well clearly I didn’t actually consent to these cookies!” I hear you say. That’s almost certainly true, you didn’t properly consent to your data being processed. “Well, I want them to stop digitally stalking me then!” you demand. Again, slow down. Consent isn’t the only lawful basis to collect and process your data. If processing your data is absolutely necessary to pursue a legitimate interest a business can still do this even without your consent.

“How is digitally stalking me just to be able to advertise a lawnmower I once clicked on by accident legitimate?!” you howl. You may have a point. Not only is it not certain that this type of behavioural advertising is only possible by collecting massive amounts of personal data, but your right to privacy might outweigh a business’ right to conduct highly targeted marketing campaigns (in this case for lawnmowers). And I say might because the courts haven’t yet resolved the point, not because I personally think businesses have an absolute right to sell you any old tat.

“If I didn’t consent to it and they don’t have a proper reason to do it without my consent, how are they getting away with it?” you righteously enquire. Good question. First, the GDPR isn’t that old. It came into force in 2018 and everyone is still coming to terms with it. Courts have yet to hear cases that will resolve important questions. For their part, although data protection laws existed before 2018 they were nowhere near as stringent, so businesses have only recently started to take them seriously. Therefore, you can expect practices to become more GDPR compliant as time goes by. Secondly, the public bodies who are meant to ensure compliance with data protection laws are generally underfunded and understaffed. The reason they haven’t straightened out businesses’ cookie policies is that they have a lot on their plate. Over the last few years, we have seen massive data loss cases that have dominated data protection agencies’ attention. Cookie policies seem to come further down their list of priorities. Thirdly, and perhaps most importantly, who cares? You didn’t before we had this discussion. You blindly clicked on that big green box and wouldn’t have given it a second thought. Businesses are unlikely to reform until there is pressure on them to do so. If internet users are unconcerned about what happens to their personal data, why would businesses voluntarily stop doing something which makes them money?

“Well I’m mad and I’m not going to take it any more!” you bellow. One, stop quoting the 1976 classic Network, and two, what are you going to do personally? You won’t stop using the web and you are unlikely to sue them because that’s going to cost you an arm and a leg (and take a long time). You could try and avoid the problem by blocking cookies on your browser but that may stop you visiting certain sites and it doesn’t get at the wider problem. Perhaps the best thing is to raise awareness and encourage other people to be more careful about their personal data going forwards.

“Excellent idea,” you say, “I’ll write a Facebook post immediately!” I see you’ve learned nothing.