May I Offer You A Cookie? Part 2

In my previous post, I discussed tracking cookies and SEO. What in the world does this have to do with being a senior nomad? I spend a fair amount of time in and around Europe and the EU has tried to regulate control of personal data, with mixed results. In this post, I’ll talk about the General Data Protection Regulation (GDPR).

In May 2018, the European Union took a crack at comprehensive regulation of how online personal data was handled. It spelled out rules for data handling (including cookies), provided mechanisms for correcting erroneous data, and specified fines for failure, among other things. Any website, anywhere, that served requests from the EU was automatically subject to the GDPR.

So, due to your location, you may or may not have seen the effects of the GDPR when you browse. Websites can determine your general location and react accordingly. It’s interesting to note that the U.S. has not embraced personal data protection like this, but Russia has.

The most common and visible effect is a “consent management” box that pops up in your browser when you visit a website for the first time, possibly blocking your access and asking for your permission, your consent, to place cookies on your device. For example:

This is what I call a “good” implementation. Notice that right up front it has a “I DO NOT ACCEPT” button, which allows you to deal with all the cookies with one click.

Now, website owners generally don’t like the GDPR. Especially if it get in the way of them selling your data. So many of them cheat by making it tedious and difficult to opt out of consenting. For example:

This disappointing example above is from the Frommer’s website. They don’t provide a “Reject All” button anywhere and make you drill down to and click every single one of about 40 cookie settings:

That’s a lot of opting out, which they hope you will not do, of course.

More depressing are the sites which allow you to opt out of categories of cookies based on their purpose (marketing, performance, etc.), but do not allow you to opt out of some of the other bad stuff, like linking your information across different devices. Many sites bury their opt out links way down in many pages of their “Privacy Policy”.

My fear is that the GDPR, instead of controlling what cookies are placed on your devices, has become a gateway for websites to deluge you with many more cookies, because, after all you “consented”.

Money can also be made by providing Consent Management Platforms (CMPs). These are third-party online services that websites developers can “bolt on” to their sites in order to provide the required GDPR consent options, without re-inventing the wheel. Studies suggest nearly a million websites use CMPs to manage your cookie consent. But do these CMPs actually follow the GDPR rules?

ZDNET reported in January 2020 that “A new study by researchers at MIT CSAIL, Denmark’s Aarhus University, and University College London, has found only 11.8% of the most popular CMPs used on UK websites meet the minimal requirements under GDPR and Europe’s eDirective regulations regarding cookies and consent.” So the websites using the other 89% of CMPs are breaking the law.

I guess having the regulations but not enforcing them is a pretty sad state of affairs. Ironic as it may seem, at least in Russia, there’s the incentive that failing to follow their rules about personal data protection can attract the attention of the FSB (successor to their KGB).

I encounter consent management pop-ups all the time as I browse the Internet from Europe. If there’s no “Reject All” cookies button for a website, my practice is to close that browser window and refuse to visit their site. Which means I don’t see the advertising they’re so eager to show me, don’t interact with their site, and possibly don’t buy their product. And, generally, the information I was after is more often than not available elsewhere. That’s my small push-back against GDPR abusers.

What else do I do? I often configure my Firefox browser to be super-strict about rejecting cookies, especially tracking cookies, but this won’t work if I’m buying something online. I also periodically delete most cookies on my devices and clear my browser caches, which I recommend you do, too.

To do that, look in your browser settings for privacy or security settings that let you “clear your cache” or “clear cookies”. Most browser let you scroll through and examine all the cookies on your device, which may be a revelation.

Note that clearing all the cookies will get rid of the “good” cookies too, and you may have to login again, express your browsing preferences, etc. on some sites as a result.

2 thoughts on “May I Offer You A Cookie? Part 2

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s