Hi guys! Well done on your article ‘Attack of the Cookie Monster’. We thought you did a great job and really highlighted some of the key issues surrounding cookies and tracking in the online context.
We think you did a really good job of explaining why it is so hard for online users to avoid subscribing to cookies. On this subject, we discussed several key reasons why cookies are so easily consented to.
Firstly, you made an excellent point that users don’t necessarily fully comprehend what a cookie is, what it does and therefore what they are subscribing to. We thought this was a particularly interesting point, especially in the context of the GDPR and the requirement for informed consent. Can consent really be informed and sufficient if users do not understand what exactly they consent to? Although websites may overcome this argument by providing links to the full terms and conditions, studies show a user is unlikely to take the time to read them. Additionally, even if a user did go through the effort of reading the lengthy terms and conditions provided, doing so is unlikely to give them a greater understanding of what a cookie is and what they are signing up to. In providing terms and conditions, websites often go to great lengths to word them in a way that can be deemed inaccessible to the average user. When discussing possible solutions to this, it was suggested that widening the GDPR to require websites to make the terms and conditions accessible to the average person might be a way of ensuring more informed consent in the future. However, we acknowledge that this might not be a simple solution given the technical aspects involved in cookies and the varying degrees of understanding users would present, which would differ depending on factors such as age, technical background, etc.
Secondly, those websites that use cookies and rely on users consenting to them convince users to do so through the use of dark patterns. What we found more interesting, and possibly concerning, about your explanation of dark patterns was that none of us had heard of, nor were aware of, them before. Until reading the article, none of the group had realised that these dark patterns were being used to ‘push’ users to consent to cookies; however, after reading your explanation of them we all remembered similar tactics being used on us during our time online. This highlighted to us just how effective the use of dark patterns is and how easily users can essentially be coerced into consenting to cookies. When discussing this we drew comparisons between dark patterns and the use of advertising and marketing techniques designed to draw a consumer in. We also thought that the use of dark patterns presented a further problem to ensuring consent is informed, and this technique could easily be used to deter users from reading the terms and conditions via the link provided, and instead push them directly towards the ‘I agree’ button.
In addition to dark patterns, we also discussed how consenting to cookies is used as an entry requirement to access the full website. In some situations, users do not have the option to refuse consent to the cookies if they wish to continue to access the website. We argued this method goes a step further than the use of dark patterns as it essentially forces the user to consent. In addition, we felt like this could be contrasted with websites that require a subscription in order for you to access them e.g. you can’t access Netflix unless you log in and have a subscription. However, in this situation, you are not paying for the subscription with money, but with your own personal data.
A further reason we discussed as a group was the lack of enforcement in situations of non-compliance with the GDPR in the context of cookies. In the EU, in order to conform with the GDPR, especially in its requirement for consent in the collection of personal data, websites use Consent Management Platforms (CMPs). However, these platforms present their own issues as vendors of CMPs have been known to turn a blind eye to obviously illegal configurations of their systems. Hence, as a group, we felt that more enforcement in this area is needed to ensure greater protection of personal data. In particular, we argued that regulators should work further upstream in the data collection chain, rather than only focussing on the downstream companies involved such as the website owners themselves.
We thought it should also be mentioned that the GDPR only came into force in 2018 and, as such, the current issues presented could be a consequence of businesses adjusting to the new requirements. When new legislation is enforced there is often a transition period as everyone adapts to the new situation. As such, the extent of the issues highlighted in the article may lessen over time as more and more companies change the way they comply with the GDPR etc. In contrast, as the GDPR is new legislation it will likely have to be adapted to cover situations that were not foreseen during its drafting etc. Hence, as a group, we thought it would be interesting to see how this situation develops over the next few years.