Cookie "banners" are a particular pet peeve of mine. As in, don't get me started or I will be on it for hours, if not days, on end. So I will struggle a bit to keep this short enough not to kill any reader with boredom. I am not claiming I will accomplish that goal, so you have been warned.
So, are cookies bad?
That is an oversimplified question. Cookies are used to track what users are doing on a website, and that may mean storing some personal data not only of site users but also of visitors. Some of these uses are valid and important, like ensuring users can authenticate and are the right people to access a given resource, such as their bank accounts or their repository of cat videos. Then we have the ones companies are interested in, such as:
- Which pages users go to on a given website, which links they have clicked, and how long they spent on a given page. That may help them figure out which content -- primarily cat videos -- their audience seeks and which ones they are avoiding, or find out whether a given page is too convoluted, causing visitors to spend too much time and frustration on it. I can see why anyone would want to provide a website that does not suck.
- How often they visit a website whose cookie is on their computers.
- Which products or keywords they search for. This may tell the site which product lines it needs to be providing and which ones may be taken down.
- Geolocation and IP address. A business case is to know where its customers are coming from so it can identify markets it is not covering, and then find out why.
- Username/password, and even address. Do not ask me why someone thought it was a clever idea to have them in cookies so forms would be conveniently filled, but they are out there in the wild.
None of these are really needed to provide a service to users, so GDPR would say you must ask the visitors if they give you consent (Articles 6, 7, and Recital 32) to collect said data, and provide a way for them to withdraw their consent. CCPA and CPRA are less restrictive, having a set of thresholds that must be met before they are applicable (selling personal information of more than 50,000 Californian households, or making more than half of its annual revenue selling that data) and providing a get-out-of-jail-free card (Art.9(2),e).
Some of these cookies are collected by the company running the website (first-party cookies) and others by whatever add-on they have deployed (third-party cookies). Google Analytics is an example of an app that creates the latter; we have talked about how nicely it plays with GDPR before. However, that does not necessarily make first-party cookies better for security; but that is the topic of another article.
From a security standpoint, criminals will try to steal cookies to impersonate users -- phishing emails are a popular way to deploy malware that achieves this goal. So, a sensible business minimizes how much data it stores in its cookies.
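To make the "minimize what you store in cookies" point concrete, here is an added example (not code from the original post) that audits a Set-Cookie header the way a defender would: it flags a cookie whose name or value looks like personal data (the username/address pattern above) and a cookie missing the attributes that make it harder to steal or replay. The two header strings, the hint list and the cookie names are constructed for this example.

```python
from http.cookies import SimpleCookie
from urllib.parse import unquote

# Cookie names that suggest the value carries personal data instead of an
# opaque session handle (constructed heuristic list for this example).
PERSONAL_DATA_HINTS = ("user", "email", "addr", "phone", "pass", "pwd", "name")


def audit_set_cookie(header_value: str) -> list:
    """Return findings for one Set-Cookie header value (empty list = clean).

    Defender's checks: does the cookie carry personal data, and does it have
    the attributes (Secure, HttpOnly, SameSite) that limit how it can be
    stolen or replayed if the browser or network is hostile?
    """
    cookie = SimpleCookie()
    cookie.load(header_value)
    findings = []
    for name, morsel in cookie.items():
        value = unquote(morsel.value)
        # A real e-mail address or a telling name means the cookie itself is
        # the personal data; a stolen copy leaks it outright.
        if any(h in name.lower() for h in PERSONAL_DATA_HINTS) or "@" in value:
            findings.append(f"{name}: value looks like personal data; store an opaque id instead")
        # SimpleCookie stores "" for an absent attribute and True for a flag.
        if not morsel["secure"]:
            findings.append(f"{name}: missing Secure, can be sent over plain HTTP")
        if not morsel["httponly"]:
            findings.append(f"{name}: missing HttpOnly, readable by injected script")
        if str(morsel["samesite"]).lower() not in ("lax", "strict"):
            findings.append(f"{name}: SameSite not Lax/Strict, sent on cross-site requests")
    return findings


# Constructed examples: the "convenient" cookie from the list above, and a
# cookie that only carries an opaque server-side session id.
WEAK_COOKIE = "user=alice%40example.com; Path=/"
HARDENED_COOKIE = "sid=5f1c9e2a7b3d4e6f; Path=/; Secure; HttpOnly; SameSite=Lax"

if __name__ == "__main__":
    for header in (WEAK_COOKIE, HARDENED_COOKIE):
        print(header)
        for finding in audit_set_cookie(header) or ["  (no findings)"]:
            print("  -", finding)
```

The hardened cookie passes because everything personal stays server-side, keyed by the opaque `sid`; a phished copy of that cookie is still a problem, but it expires with the session and reveals nothing about the person by itself.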
- Let's start with a nice bright example of someone who respects the privacy of its website visitors.
- The next one, from one of the European Union's official websites, is not as nice but at least they are trying.
This list is but a tiny sample of my fun collection. Still, get the popcorn.
- First we will start with one that is on the slippery slope as far as GDPR is concerned. It mentions collected data shared with "trusted third parties." Who are they? Google Analytics? We have talked before about how you can no longer use it on a site that is accessed by European residents.
- We really should just get serious and look at an example of conning the user. For convenience, I highlighted the relevant wording in their privacy note.
- Here is one from a bank that prides itself on having branches in many countries across the world.
- This one is a variation of the bank banner we saw earlier, seen on the website of a professional society. I would not have posted it if it did not have one single word: consent.
I must assume the reason this specific term was used is the language in GDPR; specifically, Article 7 states that if you do not have a legal reason to collect personal data, you must obtain consent from the user, who must give it freely. They seem to believe that by having the word "consent" in the banner, they satisfied this GDPR article. However, if the only option is to surrender your private data, this consent is not freely given, nor can it be easily revoked.
"But," one can argue, "you did not consider they are probably an American-based society which does not cross the CCPA thresholds by keeping the number of Californian households under the limit." How would that work? Geolocating may be hard: one of the VPN services I use has servers in California; there might be other services with servers somewhere else in the US being used by Californian citizens. Given the banner you are seeing, how would you distinguish the two cases? And besides, if this is an international (they hope they are, as one of the letters in their name stands for that) professional society, GDPR, LGPD, and APPI, just to name a few, are bound to be triggered. I did my Western Europe test, and it did not switch to a GDPR-compliant cookie banner.
Now we get to the really special ones, the ones that decided laughing at the privacy rights of individuals was not enough; they had to make a point.
- First jewel is what I call a BannerWall: you cannot use the website until you click on the only option ("Accept"), so site owners can then say "here! User consented to us collecting all personal info. We have the log showing the Accept button was clicked!" Hopefully you do not need to use this site, so you can just close your browser and find some other place with similar information but more privacy conscious.
- But, what if you have to use the website? For instance, what if you need to log into the site to pay your utilities or rent, and they do not offer another way (mail or in person) to make said payment? Can you say coercion?
Don't Be That Guy
- Instead of having your site collect personal data based on the location of the site visitor, assume they are all coming from the EU and build it for that, as it is one of the more restrictive regimes. Make your life easier, whether your website is a commercial or an educational/research one; we covered that a while ago.
- What is wrong with asking users if it is OK to collect their data and telling them how you are going to use it, without vague words? And by that I mean ask properly, not like the no-real-option banners seen in some of the examples above.
- Document everything, logs included, because the world is changing and you may be audited or even fined for non-compliance. Remember, you do not need to have suffered a personal data breach before a GDPR Data Protection Authority takes legal action against you. Don't believe me? We commented on some cases earlier this year. All that is needed to get that avalanche running is for someone to file a complaint.
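The three points above (consent-first for everyone, a real opt-in, and a log you can show an auditor) fit in one small piece of server-side logic. This is an added example, not code from the original post: the category names, the `ConsentRecord` structure and the `may_set_cookie` gate are assumptions made for the illustration, and the visitor id and policy version values are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional
import json

# Cookie categories used on this hypothetical site. Only the first is exempt
# from consent; everything else is opt-in for every visitor, with no
# geolocation involved (the "assume everyone is in the EU" default).
STRICTLY_NECESSARY = "strictly_necessary"
OPT_IN_CATEGORIES = ("analytics", "marketing")


@dataclass
class ConsentRecord:
    """Evidence kept per visitor: an opaque id, which policy text they saw,
    which categories they positively ticked, and an append-only log.
    A category that was never ticked is a 'no'; nothing is pre-selected."""
    visitor_id: str          # opaque identifier, never the person's name
    policy_version: str      # the privacy notice version actually shown
    granted: set = field(default_factory=set)
    log: list = field(default_factory=list)

    def _record(self, event: str, category: str) -> None:
        self.log.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "visitor": self.visitor_id,
            "policy": self.policy_version,
            "event": event,
            "category": category,
        })

    def grant(self, category: str) -> None:
        """A deliberate opt-in to one named category."""
        if category not in OPT_IN_CATEGORIES:
            raise ValueError(f"unknown cookie category {category!r}")
        self.granted.add(category)
        self._record("granted", category)

    def revoke(self, category: str) -> None:
        """Withdrawal must be as easy as granting: one call, logged the same way."""
        self.granted.discard(category)
        self._record("revoked", category)

    def export_log(self) -> str:
        """One JSON object per line, ready for the audit file."""
        return "\n".join(json.dumps(entry) for entry in self.log)


def may_set_cookie(category: str, consent: Optional[ConsentRecord]) -> bool:
    """Gate every Set-Cookie through this before it leaves the server.

    Strictly necessary cookies (e.g. the login session) always pass. Anything
    else needs a positive, still-valid grant. No record at all, meaning the
    banner has not been answered yet, means no optional cookies.
    """
    if category == STRICTLY_NECESSARY:
        return True
    return consent is not None and category in consent.granted


if __name__ == "__main__":
    record = ConsentRecord(visitor_id="v-1234", policy_version="privacy-2024-01")
    print("analytics before answering banner:", may_set_cookie("analytics", record))
    record.grant("analytics")
    print("analytics after opt-in:", may_set_cookie("analytics", record))
    record.revoke("analytics")
    print("analytics after withdrawal:", may_set_cookie("analytics", record))
    print(record.export_log())
```

The gate is the important part: if every place that sets a cookie has to call `may_set_cookie`, the site cannot quietly drop an analytics cookie on a visitor who closed the banner without ticking anything, and the exported log is the record you hand over when someone files that complaint.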