Sign up to Newsletter

Most cookie banners are annoying and deceptive. This is not consent.

Explainer
Post date
21st May 2019
Quantcast consent
Quantcast consent rate

You're on your phone trying to check an article a friend has sent you, or quickly looking up info about an event that’s happening this weekend. And there it is: a gigantic cookie banner, a privacy notice that blocks your screen with a big, visible "ACCEPT" button. This is what the AdTech industry considers consent, and how companies like Quantcast end up claiming that their consent rate is over 90 percent. We think there something deeply wrong with that.

Nudging users to consent… Globally

Cookie banners exist because EU laws require websites and apps to ask users if they agree to most cookies and similar technologies (e.g. web beacons, Flash cookies, etc.) before the site starts to use them. (These rules are under reform and we’re fighting hard to ensure they include strong and better protections, despite opposition from companies.)

For consent to be valid, it must constitute a real meaningful indication of the individual's wishes and meet conditions such as being free, informed and specific.

However, that’s not how it often works in practice. Cookie banners are often provided by Consent Management Platforms (CMP), such as Quantcast or Oath, who are betting on the fact that you will never bother to look past the "I ACCEPT"  or “OK” button. Only some CMPs allow publishers to decide if they want to show an equally big "I REFUSE" button to give their users a real choice. More often than not, the consent process is designed to be as opaque, unpractical and time-consuming as possible – just to make you click “ACCEPT”. So called “dark patterns”.

What few people know is that this “consent” is often interpreted as "Global Consent", a concept which assumes that if you accept being tracked on one website you “consent” to tracking across the web – as this “consent” is replicated throughout the supply chain. In practice this means that you “consent” to be tracked by hundreds of companies on hundreds or more of sites where they have a tracker. In the case of CMPs like Oath or Quantcast (where consent on one site may apply to other sites with global consent)  this means that users accept tracking on hundreds of websites in a single click, often obtained out of users' frustration.

But let's pretend that you care, that you really don't want to be tracked and profiled by hundreds of companies that share, process and repurpose your data in ways that you wouldn’t expect or want. If you really care, be prepared to endure a terribly long and deceptive process, jump from one sub-menu to another, always with a big visible "ACCEPT" button in case this succession of screens discouraged you from make your will respected. A prime example for this behaviour is offered by Oath, which will take you to awfully wordy and poorly designed control pages only to redirect you to each of its partner-own dashboards.

Refusing tracking is already hard, opting-out completely is even harder. There’s currently no easy way to automatically block tracking on apps. The op-out services that tracking companies and advertising associations only apply to browsers and are usually based on – and this may sound ironic – opt-out cookies. To opt-out, you need to accept cookies, and you need to opt out for each browser on each device you’re using. If you delete your cookies, as is good security and privacy practice, you need to do it all over. 

Needless is to say, we think that all of this fails to comply with the law, which among other things requires meaningful consent.

Companies track people

Deceptive and infringing practices

There are a few things which are inherently wrong with most Cookie Banners and Consent Management Platforms – including those that are based on the Transparency and Consent Framework of the IAB, an industry association for the online advertising ecosystem.

First of all, far too many CMPs and cookie banners come with pre-ticked boxes or are opt-out by default (you have to do something to opt-out). So if you're in a hurry or simply don't want to spend 10 minutes trying to dive into privacy policies, you will probably agree to have everything you do on the internet being shared with hundreds of companies, including the most intimate and personal sites you visit. Such pre-ticked boxes are clearly unlawful.

Secondly, we believe that many consent frameworks that are deliberately deceptive or misleading also don’t comply with GDPR. GDPR is clear that for consent to be valid, it must be informed, specific and freely given. If tracking involves special category data, such as when you use a health app, visit the website of a political party or that of a trade union, the bar is even higher. Your consent must also be explicit.

Finally, we are very concerned about the ways in which companies share, enrich and exchange your data in a vast ecosystem of data brokers and advertisers. Once you have given “consent”, your data disappears in the data brokerage ether and could be used for anything, from product promotion to microtargeting by political parties. As we argued when we complained to Data Protection Agencies against seven AdTech and data broker companies, that’s neither fair, nor transparent. 

Privacy by design and by default

You should have the right to make real, informed choices and your consent is nothing that should be “managed”. Consent is something that can only be earned – ideally by those who clearly explain why they deserve your trust. That, however, puts a large part of the murky ad-tech ecosystem in an incredibly difficult position: hundreds of companies – most of them non-consumer facing – exchange, link and enrich data in ways that are so complex that it is incredibly difficult to do so transparently. Deceptive CMPs open the door to a broad range of abuses we observe in the AdTech ecosystem, from manipulation to discrimination. This, we believe, a systemic problem, that is inefficient, and puts everyone at risk. It’s bad for publishers and brands who care about their users, readers and consumers, as it betrays their trust.

So what’s the solution? Protecting your own privacy shouldn’t be a full-time job that requires advanced technical knowledge. That’s why we think that people and their data should be protected by design and by default (this is something the law requires too). It’s useful to compare good privacy to good food security: we don’t go into a restaurant and test whether our food is safe – we trust that there are laws, institutions and practices that ensure that it is. And when it isn’t, those you don’t play by the rules get punished. That’s something we want for our data as well.

What is Privacy International doing about it

Online advertising and invasive tracking everywhere need to be fixed and a first step is to make sure that the ecosystem is fully compliant with existing laws. That’s why in November 2018, Privacy International complained about seven companies, data brokers (Acxiom, Oracle), ad-tech companies (Criteo, Quantcast, Tapad), and credit referencing agencies (Equifax, Experian), with data protection authorities in France, Ireland, and the UK.  Our submissions set out why these companies do not comply with the Data Protection Principles in GDPR, namely the principles of transparency, fairness, lawfulness, purpose limitation, data minimisation, and accuracy. They also do not have a legal basis for the way they use people's data, in breach of GDPR – as we’ve set out above, they don’t have valid consent. Many of these companies play an important role in Real Time Bidding (RTB). As a result of our submission to the Irish Data Protection Commission, the AdTech company Quantcast is now under investigation. The UK ICO is also looking more closely at AdTech. But we won’t stop here. 

Our fight
Challenging Corporate Data Exploitation
Learn more
AdTech
Related learning resources
Explainers

Related Content

Advocacy
Photo by Mathias Reding on Unsplash

PI seeks to inform report on AI and racial discrimination of the UN Special Rapporteur on racism

Privacy International submitted its input to the UN Special Rapporteur on racism for their upcoming report which will examine and analyse the relationship between artificial intelligence (AI) and non-discrimination and racial equality, as well as other international human rights standards.

Continue reading
Advocacy
An Electric Control Cabinet Production Factory

PI response to ICO consultation on web scraping by generative AI

PI responded to the ICO consultation on the legality of web scraping by AI developers when producing generative AI models such as LLMs. Developers are known to scrape enormous amounts of data from the web in order to train their models on different types of human-generated content. But data collection by AI web-scrapers can be indiscriminate and the outputs of generative AI models can be unpredictable and potentially harmful.

Continue reading
Long Read
Image of human body with dots of data being extracted

Q&A: €40 million fine for AdTech giant Criteo - What does it mean?

Our 2018 complaint against French AdTech company Criteo led to a €40 million fine for failing to ensure that data subjects had provided their consent to processing, to sufficiently inform them and to enable them to exercise their rights.

Following on from our initial reaction, we answer some questions about the decision below.

Continue reading
Advocacy
A drawing showing a tall amazon building surrounded by businesses closing and out of business. The caption read "Big tech's data-fuelled power is a huge problem"

Submissions to the UK and EU competition authorities on the Amazon/iRobot merger

On 2 May and 5 June 2023, PI made a submission to the UK Competition and Markets Authority (CMA) and the European Commission, respectively, in relation to the proposed merger between Amazon and iRobot, outlining the concerns the transaction raises for consumers and markets.

Continue reading