Vodafone.com – EU – 6/2019
Common issues with Consent Banners
When browsing the internet, most websites I come across are not GDPR compliant. Most of them seem to either try and fail or won’t comply on purpose.
Common issues and occurrences:
1. “If you continue to browse this website, you consent to our cookies.”
This is a recognition of GDPR as privacy law, but they chose to disregard it simultaneously.
Like number 1, a clear recognition followed by disregarding any effort in their user’s privacy. Which begs the question, why any effort in the first place?
3. A cookie wall.
See the link for more details; the cookie wall is not applicable for 99.9% per cent of websites.
4. Accept or Deny. But the cookies have already been set or can’t be revoked.
An accept or deny banner can be compliant. But we have often seen this banner appearing after cookies are already set and consequently a useless “Deny” button. If cookies are already set, you’re not compliant. Suppose they can’t be revoked. You’re not compliant.
“Deny” should be the default at first load, as opt-in should be the user’s consent.
5. Levels of consent with categories you can choose. We have checked them all, to be sure. Unchecking won’t matter; cookies are set!
The most common “workaround”, it seems. Controlling the cookies by category, but expecting your users to opt-out instead of opt-in. Which defeats the purpose of consent. This is the most popular window dresser for GDPR compliance, but funny enough, also the most visible one.
Some sites do have a popup with categories, where you can select “marketing” if you want. Or they have a cookie banner with an “accept” and “decline’ button. These sites visually seem to comply with the GDPR but often are not.
If you check cookies on these sites, you will probably see the same thing on most of them: Be it the informational warning, a “browsing implies consent” warning, or even a “select your preferences”, with a checked “marketing” option (I’ve seen this with Cookiebot for example).
Or the “accept” or “decline” variation, in most cases, you will see that Facebook, Youtube, Google Maps, advertisements, etc., are already loaded before you have accepted cookies, selected the marketing category, or continued browsing.
You as a visitor might not realise this, but when you see these services, you’re already being tracked, consent or not! For example. Uber.com
A quick scan
These sites are thumbing their nose’s at the GDPR profoundly: when you visit such sites and check your cookies, you will see you’re already being tracked. These cookie warnings are nothing more than window dressing. The site suggests you can opt-in (with the marketing category or by clicking accept), or you can still choose not to continue to browse and leave the website. But you are being misled, be it deliberate or not.
Sure, maybe the site owner is not aware of this. But as a site owner, you should and are indeed responsible! And, I suspect that in many cases, site owners are aware of the issue but choose to ignore it.