Conquer the Cookie Monster

This is Part 3 of a series on digital privacy…or the lack thereof

In part 1 we talked about types of cookies and their purpose, and in part 2 we looked at some of the things you can do to protect your online privacy.

Now, we turn our look at the infamous “cookie monster”. Of course I am not talking of the beloved Sesame Street character that has delighted children for decades.

Sesame Street Cookie Monster — https://muppet.fandom.com/wiki/Cookie_Monster

I am referring to the bane of our online experiences: the horrendous and annoying banners that are now plaguing our daily internet life.

a typical cookie banner

Generally speaking, third-party cookies and Google Analytics cookies are the ones that are more likely to leak your information to other companies for marketing purposes, so if you care about your online data privacy, those are the ones to disable.

The Birth of The Cookie Banner

Companies should, both legally and ethically, provide an easy way to decide which cookie to accept. However, in the real world, it is up to you. This is where the notorious banners come in.

Since the GDPR became the law of the land in Europe, companies have to provide a way for the user to adjust their cookie settings, including opting out. This opened the flood gate for all those incomprehensible Privacy Notices and the really annoying pop-ups “cookie notice warning”.

However, most of them are so incredibly complex, and confusing that most users automatically close them without making any change. Closing a cookie banner implies consent to the defaults set by the company: to comply with the GDPR, EU companies need to make sure the defaults are set to the highest privacy levels, but it is not a rule everywhere else, and definitively not in the United States.

A recent paper by Hana Habib et al., aptly named “Okay, whatever”: An Evaluation of Cookie Consent Interfaces”, confirmed that the common reaction is to close them immediately, without interacting with them. The paper also defines a few guidelines for better cookie banners.

Generally speaking, if you want to maximize your privacy, you should opt out of all cookies except the essential ones, but most companies sure don’t make it easy.

The Best Case Scenario

I want to start on a positive note, though. Some sites actually do not sell data, to begin with.

https://wetransfer.com allows you to “officially opt-out” even though they do not sell the data anyway.

While these banners are annoying no matter what, some companies actually do it better, providing a one-click rejection of all cookies, and minimizing disruption.

https://termly.io/

A simple No, Thanks button to reject all. The banner is also smaller, delayed and cute. https://www.bvanudgeconsulting.com/

If I do want to customize, they give me a very granular (too much?) choice https://www.bvanudgeconsulting.com/

The Mediocre, The Bad and The Evil

Unfortunately, most websites do not adopt these best practices, due to ignorance or malice. Most of them are on the right side of the law, but they make the process unnecessarily complicated. They add what Thaler and Sunstein call “sludge” in their book Nudge (2008, 2021).

It Could Be Worse

It looks like a 1-click rejection, but you actually have to make a choice. The Sale of Personal Data is checked by default https://www.usatoday.com/

The two button look very similar, and may lead to mistakes, but at least it is a 1-click rejection https://www.gallup.com/home.aspx

Regardless which option you choose (or if you click the link in the black box, you are sent to privacy settings) it is pretty easy from here

All options are turned off by default — https://www.lego.com

The Bad

Sometimes the choices are just confusing due to their design.

Some companies try to convince you that cookies are just for your own good

https://www.dailymail.co.uk/

Information overload — https://www.dailymail.co.uk/

this is very close to the “confirm-shaming” deceptive pattern. https://www.dailymail.co.uk/

Some privacy banners make it very difficult to choose what is best for you. I am all in favor of information, but it can be downright ridiculous.

This was the old Privacy choices box for BMC (see above for the new design)

The Evil

Some companies make you decipher a wall of small text or even email them to opt out.

The banner has no options beyond Accept. the Privacy menu is hidden behind the cookie banner — https://www.meundies.com/

Scrolling to it, assuming you notice it, requires 2 hands — https://www.meundies.com/

The Privacy page is a complicated mess. If you want to opt out, you need to email them https://www.meundies.com/privacy#your-california-privacy-rights

You may think you can’t do any worse. I beg to differ. Here is Fast Company Website (https://www.fastcompany.com/). They do not have a banner at all. If you want to opt out or even check what the privacy defaults are, you need to investigate. If you scroll all the way to the bottom, there is a tiny menu.

Do Not Sell my Data seems like an obvious choice. https://www.fastcompany.com/

This is where you are re-directed: this opens in a new window. Note that the link for California Consumer Privacy Note does not work. https://fastcompany.zendesk.com/hc/en-us/requests/new#California

I need to go back to the main site, click on Privacy Policy, and then California Rights, to get to the correct info. https://www.mansueto.com/privacy-policy/#California

To their credit, after I emailed them, they answered me to let me know they received the request and a few days later, apparently, they took care of it. However, this was only for Not Selling my Data. If I wanted to download my data, I needed a new request.

Really REALLY Evil

Acxion is a data broker company, even if they try to convince you that they care about ethics (https://www.acxiom.com/data-privacy-ethics/) and “fostering, promoting and enabling an ethical and responsible data-use culture”. No surprise then that their privacy implementation is pure evil by design.

nothing too bad so far — https://www.acxiom.com/

They try to convince you to accept the “recommended settings”. (left) However, if you click off, then a blue box with blue text appears. The only readable element is a warning symbol — https://www.acxiom.com/

Only highlighting the text you can read the message

The option times out and disappears. If you need to opt out , then you need to fill out a form, and individually opt out for phone numbers, address and email, 3 forms in total. https://isapps.acxiom.com/optout/optout.aspx

Conclusion

The option times out and disappears. If you need to opt-out , then you need to fill out a form, and individually opt-out for phone numbers, addresses and emails, 3 forms in total. https://isapps.acxiom.com/optout/optout.aspx

Conclusion

There is an almost infinite variation of the cookie banner, and most of them are bad, confusing and/or misleading. We can’t expect companies to stop collecting tracking cookies any time soon, and without expanded privacy laws and strong enforcement of the one that exists, they will have no motivation to do it.

So, get in the habit of checking the cookies: it may be adding a few seconds and some annoyance, but I feel it may be a price worth paying.

References

Hana Habib, Megan Li, Ellie Young, and Lorrie Cranor. 2022. “Okay, whatever”: An Evaluation of Cookie Consent Interfaces. In Proceedings of the 2022 CHI Conference on Human Factors in Computing Systems (CHI ‘22). Association for Computing Machinery, New York, NY, USA, Article 621, 1–27. https://doi.org/10.1145/3491102.3501985

Thaler, R. H., & Sunstein, C. R. (2021). Nudge: The Final Edition (Revised ed.). Penguin Books.

Part 1 — Who Likes Cookies?
Part 2 — Protect your Online Privacy