
Websites Must Allow Users to "Reject All" Cookies, UK Regulator Warns

 

Some of the most popular websites in the country have received warnings from Britain's data protection regulator that they could face penalties if they continue to force users to accept advertising cookies.

The top websites in the UK were given a 30-day deadline by the Information Commissioner's Office (ICO) to abide by the country's privacy laws, failing which they would "face the consequences."

The issue is how these sites permit individuals to opt-out of advertising cookies, with the ICO stating that they have a legal obligation to make it as easy to "Reject All" advertising cookies as it is to "Accept All."

This comes after TikTok was fined €5 million (roughly $5.4 million) by France's data protection authority, the CNIL, in January for having a cookie banner on its website featuring a one-click option to accept all cookies but not to refuse them. 

Even though the underlying laws were identical, security specialists noted at the time that the British regulator was not adopting the same standards.

In January, the ICO did not respond to inquiries about its enforcement. Numerous popular UK websites, including The Times and The Guardian, do not offer a single-click option to refuse cookies. Instead, the cookie banner on those websites directs users to a configuration page.

The ICO's guidance on the subject was later published in August, despite the fact that the existing rules were already available on its website.

"We've all been surprised to see ads online that seem designed specifically for us - an ad for a hotel when you've just booked a flight abroad, for example," said Stephen Almond, the watchdog's executive director of regulatory risk. 

“Gambling addicts may be targeted with betting offers based on their browsing record, women may be targeted with distressing baby adverts shortly after miscarriage and someone exploring their sexuality may be presented with ads that disclose their sexual orientation,” Almond warned. 

In January, the ICO said it will provide an update on its efforts to prosecute offenders, "including details of companies that have not addressed our concerns." 

Cookie consent pop-ups have become an industry tactic in response to the European Union's ePrivacy Directive and General Data Protection Regulation (GDPR), which were intended to give citizens of the bloc the ability to withdraw their consent from being tracked and profiled across the web by advertisers. Despite the fact that the UK has left the European Union, the same legislation is still in effect. 

The directive requires websites to block all marketing cookies and trackers from being loaded into users' browsers until they receive explicit permission from those users. Sites are not permitted to pre-check boxes or use 'consent toggles' to make it easier to consent to cookies rather than decline them, though this is rarely observed in practice.

There is an exception for "strictly necessary" or functional cookies, such as those used to ensure page content loads quickly, count visitors (without profiling them), and remember the items in online shoppers' baskets.

Consent-O-Matic: A Perfect Tool for Blocking Cookie Pop-Ups

 

If you’re using the internet, you’re bound to be greeted by a cookie consent pop-up that seeks consent to track you and promises to use the cookies to enhance your browsing experience. The infiltrative behavior of cookies, which track your movements on the Internet, raised privacy issues. 

The privacy concerns of internet users led to the creation of laws and regulations, namely the General Data Protection Regulation (GDPR), which went into effect in 2018, and of consent management platforms (CMPs). However, countless sites still outright violate the regulations and deceptively track users’ activity.

Cookies were invented in 1994 by 23-year-old engineer Louis J. Montulli II, who pioneered elements like HTTP proxying. He coined the term “cookies,” which he used in Netscape, the firm that designed one of the internet’s first widely used browsers called Mosaic. Soon after the advent of cookies, people started speaking up about the privacy concerns accompanying this information. 

Cookie blocker need of the hour 

The majority of consent pop-ups on the web do not meet the requirements for legally valid consent laid out in the General Data Protection Regulation (GDPR) four years ago. Hence, users are forced to share their data with multiple sites. 

Earlier this year, in April, researchers at Aarhus University published Consent-O-Matic to automatically reject permission requests to track you. The Consent-O-Matic extension is free and available for Firefox, Chrome and other Chromium-based browsers, and Safari for macOS and iOS. The browser extension already had 22,000 test customers from multiple countries before its public release.

“The reason I created this Consent-O-Matic extension was that I'd done the research and I'd demonstrated there was a lack of compliance when it came to 'consent' pop-ups on the web,” Midas Nouwens, one of the extension developers and first author of the academic paper introducing it, stated. “I knew from how it'd been in past years that it was going to be a slow process for regulators to pick up on this. Nor was I confident that they even would.”

“So, I figured I'd do something bottom-up, not just relying on authorities to try and enforce but build something users can use now while we wait for this slower, democratic process to happen.”

Shady practices of CMPs 

It seems that consent management platforms (CMPs) are already making attempts to bypass the Consent-O-Matic browser extension. Nouwens shared a patent application on Twitter filed on September 6, 2022, by CMP OneTrust aimed at detecting automated cookie rejection. If identified, the software would reject the automated request to block cookies and present the user with another request for consent, even inserting a captcha. 

“By automatically rejecting such consent, the user may not be making an informed decision and the website operator may not be able to ensure the website is in full compliance with applicable privacy laws and regulations,” reads the warning in OneTrust’s patent.

“The patent is pretty hilarious. The idea it is premised on seems to be that a refusal of consent has to have the same high standards as a granting of consent—that is to be specific, informed, freely given, and unambiguous,” Michael Veale, a professor of digital rights and privacy at UCL Laws, stated. “But that's simply incorrect. Refusing consent is different from giving it, and is not subject to those standards. Furthermore, data protection law specifically recognizes that an individual 'may exercise his or her right to object by automated means using technical specifications.'”

In 2020, a team of researchers including Nouwens and Veale published a paper entitled “Dark Patterns after the GDPR: Scraping Consent Pop-ups and Demonstrating their Influence” to highlight the shady practices employed by CMPs. In a survey of 680 of the UK's top sites, 24 percent of them employed OneTrust and only 1.8 percent of those sites were minimally compliant with GDPR.

The results illustrated the extent to which illegal practices prevail, with vendors of CMPs turning a blind eye. Earlier this year in August, privacy group noyb filed 226 GDPR complaints against websites using OneTrust because they failed to comply with GDPR guidelines.