{"id":10231,"date":"2022-02-12T09:00:34","date_gmt":"2022-02-12T09:00:34","guid":{"rendered":"http:\/\/TheNextWeb=1380107"},"modified":"2022-02-12T09:00:34","modified_gmt":"2022-02-12T09:00:34","slug":"i-examined-50-popular-websites-data-collection-habits-and-the-results-arent-good","status":"publish","type":"post","link":"https:\/\/www.londonchiropracter.com\/?p=10231","title":{"rendered":"I examined 50 popular websites\u2019 data collection habits \u2014 and the results aren\u2019t good"},"content":{"rendered":"\n

The owners of Google and Facebook were both heavily fined<\/a> for using cookies illegally at the tail end of 2021 by the French data protection authority, Commission Nationale de l\u2019Informatique et des Libert\u00e9<\/a> (CNIL). On the French versions of Google, its sister platform YouTube, and Facebook, users were being asked to consent to cookies in such a way that it was much easier for them to accept than reject the request. They could accept cookies with just one click but there was a more laborious process for refusing.<\/p>\n

Google owner Alphabet was fined \u20ac150 million (\u00a3125 million) and Facebook owner Meta \u20ac60 million. Alphabet was fined more because its breaches affected more people and it had been in trouble for violations in the past<\/a>. Both companies were also given three months to change their systems to make it as easy for users to reject cookie requests.<\/p>\n

Meta and Alphabet have yet to comply, though they have until April to do so. The law in the UK and the rest of the EU is also the same as in France, so it is going to be interesting to see what they do in these jurisdictions too.<\/p>\n

In the meantime, I looked at what many other companies were doing and found that many are still collecting data using cookies in similar ways. So what\u2019s going on?<\/p>\n

Cookie laws and workarounds<\/h2>\n

Cookies are small text files stored by websites on our internet browsers, which allow the website to gather information about us. Some cookies are necessary<\/a> for us to be able to browse the site in question \u2013 for example, to add items to a shopping cart.<\/p>\n

More contentious cookies<\/a> track a user\u2019s browsing behavior<\/a>. There are first-person cookies, where the site in question tracks users\u2019 behavior to offer them relevant products; and third-party cookies, where this is done by another company to allow others to advertise to the user instead \u2013 the classic example is Google Ads.<\/p>\n

Cookies gather so much information that it is usually more than enough to identify the person behind the device. Besides visits to particular web pages, they can also record<\/a> a person\u2019s search queries, goods or services purchased, IP address, and exact location.<\/p>\n

From this, it is possible to infer a person\u2019s name, nationality, language, religion, sexual orientation, and other intimate details \u2013 most of which are special categories<\/a> of personal data that cannot be processed without the explicit consent of the individual under EU ePrivacy Directive<\/a> and the EU and UK\u2019s General Data Protection Regulation (GDPR).<\/p>\n

The GDPR requires such consent<\/a> to be specific, informed, unambiguous, and given freely<\/a> \u2013 requiring affirmative action by the user. Unfortunately, this is not giving us a great deal of protection.<\/p>\n

Websites have used various methods to get around the requirements. Most cookie consent requests used to be presented with pre-selected tick boxes that, by default, made individuals accept cookies on their devices. In 2019 the Court of Justice of the European Union (CJEU)<\/a> decided websites could no longer do this, since it avoided the GDPR\u2019s affirmative action requirement. But such is the value of the data that can be gathered using cookies that websites merely switched to different workarounds instead.<\/p>\n

The popular option is the one that saw Facebook and Google sanctioned by the CNIL in France. The CNIL essentially said that when it comes to refusing cookie consent, two clicks are too many: it meant that people are being pressured into consenting, and was therefore contrary to the GDPR\u2019s free consent requirement. This presumably explains why, from a 2020 experimental study<\/a> of users who had lived in the EU, 93% accepted cookies regardless of having a second window option for managing them.<\/p>\n

The wider issue<\/h2>\n

The French interpretation of the GDPR is not binding on the British courts, the CJEU or other regulators in Europe. So, once the CNIL\u2019s three-month deadline runs out, websites with similar imbalanced cookie consent in other GDPR countries might claim there is an ambiguity in the law around what counts as consent. But really the law is quite clear and the French interpretation should be a strong signal that other privacy<\/a> authorities will reach a similar conclusion.<\/p>\n

And yet, when I looked at 50 randomly chosen well-known websites, only 15 (30%) appear to comply with the EU\/UK data privacy laws. Some of those sites which are compliant, such as ebay.co.uk<\/a>, provide \u201cAccept\u201d and \u201cDecline\u201d buttons in the same banner. Others such as bbc.co.uk<\/a> make it more difficult to reject cookies but allow users to browse without consenting to them.<\/p>\n

As many as 32 (64%) of the sites did not appear to comply with EU and UK cookies laws. These include Google, Facebook, and Twitter, as well as other major businesses such as Ryanair<\/a> and the website of the Daily Mirror<\/a>.<\/p>\n

Twitter, for example, merely notifies the user of consent in a banner that states: \u201cBy using Twitter\u2019s services, you agree to our cookies use\u201d. Other companies, including Google and Facebook, hide the refuse\/decline button in a second window. Still others, such as Ryanair, create a cookies wall where visitors may use the site only if they choose \u201cYes, I agree\u201d or go to the \u201cView cookies setting\u201d to select their preferences.<\/p>\n

\n

\"Screenshot