Vodafone.com – EU – 6/2019
When browsing the internet, most websites I come across are not GDPR compliant. Most of them seem to either try and fail, or won’t comply on purpose.
Common issues and occurrences:
1. “If you continue to browse this website, you consent to our cookies.”
Which is a recognition of GDPR as a privacy law, but they chose to disregard it at the the same time.
As number 1, a clear recognition followed by disregarding any effort in their user’s privacy. Which begs the question, why any effort in the first place?
3. A cookie wall.
See the link for more details; the cookie wall is not applicable for 99.9% percent of websites.
4. Accept or Deny. But we the cookies have already been set or can’t be revoked.
An accept or deny banner can be compliant. But we have seen too many times this banner appearing after cookies are already set and consequently a useless “Deny” button. If cookies are already set, you’re not compliant. If they can’t be revoked. You’re not compliant.
“Deny” should be the default at first load, as opt-in should be the user’s consent.
5. Levels of consent with categories you can choose.We have checked them all, just to be sure. Unchecking won’t matter, cookies are set!
The most common “work-around” it seems. Controlling the cookies by category, but expecting your users to opt-out, instead of opt-in. Which defeats the purpose of consent. This is the most popular window dresser for GDPR compliancy, but funny enough also the most visible one.
Some sites do have a popup with categories, where you can select “marketing” if you want. Or they have a cookie banner with an “accept” and “decline’ button. These sites visually seem to comply with the GDPR, but often are not.
If you actually check cookies on these sites, you will probably see the same thing on most of them: Be it the informational warning, a “browsing implies consent” warning, or even a “select your preferences”, with a checked “marketing” option (I’ve seen this with Cookiebot for example).
Or the “accept” or “decline” variation, in most cases you will see that Facebook, Youtube, Google Maps, advertisements, etc are already loaded before you have accepted cookies, selected the marketing category, or continued browsing.
You as visitor might not realise this, but when you see these services, you’re already being tracked, consent or not! For example. Uber.com
A quick scan
These sites are thumbing their nose’s at the GDPR in a serious way: when you visit such sites, and check your cookies, you will see you’re already being tracked. These cookie warnings are nothing more than window dressing. The site is suggesting you can choose to opt-in (with the marketing category, or by clicking accept), or you can still choose not to continue browse and leave the website. But you are being misled, be it deliberate or not.
Sure, maybe the site owner is not aware of this. But as a site owner you should and are indeed responsible! And, I suspect that in a lot of cases, site owners are aware of the issue, but choose to ignore it.
If you’re a website owner and you’re not sure if your site is really compliant, it might be a good idea to do our quick scan.