Researchers at the Swiss ETH Zurich found that 94.7% of 29,398 examined websites show at least one violation of the current European GDPR rules (find the study here). At first glance an incredible number, considering that a lot of websites nowadays use a consent manager or have reworked their cookie and tracking setup to comply with Europe's GDPR.
Observed GDPR violations
The study identifies eight kinds of violation concerning cookie usage under the GDPR, which can be grouped into four categories.
Incorrect cookie purpose
Consent managers assign a purpose to each cookie. This helps website visitors understand what a cookie does and why it is placed. The main issues were that the declared purpose was incorrect: either the purpose was simply wrong, or different websites declared different purposes for the same cookie, meaning there is no consensus on what that cookie is for. A third variant was a cookie carrying multiple labels. A cookie with label A could then be accepted but also denied at the same time, because it was also classified under label B.
Unclassified and undeclared cookies
The second category tackles the issue of "forgotten" cookies. A cookie the consent manager never considered is unclassified or undeclared. Unclassified cookies can neither be accepted nor rejected, which means consent for those cookies is not freely given.
Incorrect expiration time
The expiration time states the lifetime of a cookie. Technically it is set by the Max-Age or Expires attribute of the Set-Cookie header; a cookie with neither attribute is a session cookie and lives only until the browser is closed. A cookie is deleted automatically once its expiration time has passed, unless it was deleted some other way before. Most cookies out there have an expiration time between 30 and 90 days, although there are always exceptions.
Cookies despite denied consent
The last category covers websites that place cookies although the visitor has not yet interacted with the consent manager at all, or that place a cookie regardless of whether consent was accepted or denied.
How serious are the violations?
Having understood the broad categories, let's consider how severe these breaches of the current GDPR rules actually are.
Let's assume that the majority of websites are operated by small and medium-sized enterprises. They do not have their own IT department, and specialist knowledge about the GDPR rules as they relate to cookies and consent managers is limited.
Most companies will trust their chosen consent management platform. Not because there is no alternative, but because it is the only viable option without hiring external IT service providers or data protection specialists.
It should also not be forgotten that many consent management platforms specifically advertise that a correct setup is possible with one click and that the platform automatically detects and categorizes cookies.
From my perspective, one can only really assign blame if there is no consent manager at all, or if the consent manager is so misconfigured that the consent decision has no influence on which cookies are set. That would most likely fall under the fourth category.
Regarding the other three categories I personally find it quite hard to blame a merchant or website owner, but let's go through them one by one.
How to determine the cookie purpose
If you place a cookie, you place it because you want it to do something. For example, if you place a Google Analytics cookie, you do it because you want to collect analytical information about your website visitors and their (shopping) behaviour on your site. The purpose is therefore clearly analytics, and classifying that cookie is no problem so far. But what about other cookies? Google Ads, Microsoft Ads? Advertising, so far so good. But there are far more cookies out there, some placed by the website CMS, the payment provider or plugins, as well as third-party provider integrations. Not an easy task for non-technical people, especially if you have never dealt with those cookies before.
Classify and declare cookies
While most website owners might have some cookies in mind, those used by their payment processing or advertising platforms, it is easy to miss cookies you are not even aware of. Every CMS sets essential cookies to keep the site functional. Using a social plugin? There you go with Facebook, Instagram and Twitter cookies. Using a Google Maps integration? Here is your Google cookie, and the list goes on.
Of course, lack of knowledge does not protect against a penalty, but let's be honest. A large number of website operators are probably not aware of the volume of cookies that emanate from their own website, and through the use of third-party applications cookies can easily be placed without the website owner even knowing about it. For non-technical people this is an almost impossible thing to keep track of.
About the cookie expiration time
The expiration date of a cookie is needed to comply with Article 13(2)(a) of the GDPR, which requires that the data subject be informed about the period for which personal data will be stored. As most cookies have a fixed expiration time that can be looked up, one might think this is not an issue. What is often missed is that certain cookies deviate from their documented lifetime, and that the classification as a session cookie is itself problematic. First it needs to be determined whether a cookie lives beyond the browser session at all and, if so, for how long. Note also that a session cookie is defined by the absence of an Expires or Max-Age attribute, yet browsers configured to restore the previous session may keep such cookies across restarts, so "deleted when the browser closes" is not guaranteed in practice. I can only imagine that most of these GDPR violations come down to an incorrect separation between session cookies and longer-lived cookies.
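The checks described in the three passages above (purpose and declaration, undeclared cookies, lifetime and session/persistent classification), plus the fourth category of cookies set despite denied consent, can be automated against the Set-Cookie headers a page actually sends. The following Python script is an added example, not code from the ETH study or from any consent management platform. The declaration table, the consent state and the captured Set-Cookie lines are constructed for illustration, and the cookie names serve only as labels; a real audit feeds in headers captured by a proxy or the browser's network panel after the visitor has clicked "deny".

```python
"""Audit Set-Cookie headers observed after a consent decision against the
consent manager's cookie declaration.

Added example, not code from the ETH study or from any consent management
platform. The declaration table and the Set-Cookie lines are constructed.
"""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from http.cookies import SimpleCookie

# Constructed declaration, as a consent manager might export it:
# cookie name -> (purpose category, declared lifetime in days; 0 = session cookie)
DECLARED = {
    "PHPSESSID": ("essential", 0),
    "cookieconsent_status": ("essential", 365),
    "_ga": ("analytics", 730),
    "_gid": ("analytics", 1),
    "_fbp": ("advertising", 90),
    "_gcl_au": ("advertising", 90),
}

# Constructed Set-Cookie headers captured on a page load where the visitor
# had denied every non-essential purpose.
OBSERVED = [
    "PHPSESSID=abc123; Path=/; HttpOnly",
    "cookieconsent_status=deny; Path=/",                            # declared 365 days, set as session cookie
    "_ga=GA1.2.1; Max-Age=63072000; Path=/",                       # 730 days
    "_gid=GA1.2.2; Max-Age=86400; Path=/",                         # 1 day
    "_fbp=fb.1.x; Expires=Tue, 01 Apr 2025 00:00:00 GMT; Path=/",  # 90 days from NOW
    "_gcl_au=1.1.x; Max-Age=31536000; Path=/",                     # 365 days, declared 90
    "cart_token=xyz; Max-Age=2592000; Path=/",                     # not declared at all
    "_hjid=; Max-Age=0; Path=/",                                   # deletion, not a placement
]

# Consent state the visitor chose in the banner (constructed).
CONSENT = {"essential": True, "analytics": False, "advertising": False}

# Fixed "now" so the Expires arithmetic is reproducible.
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)


def lifetime_days(morsel, now):
    """Lifetime in days; 0.0 for a session cookie; None when the header
    deletes the cookie (Max-Age <= 0 or Expires in the past).
    Max-Age takes precedence over Expires, as in RFC 6265."""
    if morsel["max-age"]:
        seconds = int(morsel["max-age"])
        return None if seconds <= 0 else seconds / 86400
    if morsel["expires"]:
        delta = (parsedate_to_datetime(morsel["expires"]) - now).total_seconds()
        return None if delta <= 0 else delta / 86400
    return 0.0


def parse_set_cookie(header, now):
    """Return [(name, lifetime_days)] for the cookies a header actually places;
    deletions (Max-Age=0, past Expires) are skipped."""
    jar = SimpleCookie()
    jar.load(header)
    placed = []
    for name, morsel in jar.items():
        days = lifetime_days(morsel, now)
        if days is not None:
            placed.append((name, days))
    return placed


def audit(observed, declared, consent, now, tolerance=0.1):
    """Return (name, issue, detail) tuples covering the four violation classes:
    undeclared cookie, cookie set despite denied consent, session/persistent
    mismatch, and a lifetime off by more than `tolerance` from the declaration."""
    findings = []
    for header in observed:
        for name, actual in parse_set_cookie(header, now):
            if name not in declared:
                findings.append((name, "undeclared", f"lifetime {actual:g} days"))
                continue
            purpose, declared_days = declared[name]
            if not consent.get(purpose, False):
                findings.append((name, "set despite denied consent", purpose))
            if (declared_days == 0) != (actual == 0):
                findings.append((name, "session/persistent mismatch",
                                 f"declared {declared_days} days, observed {actual:g}"))
            elif abs(actual - declared_days) > tolerance * declared_days:
                findings.append((name, "expiration mismatch",
                                 f"declared {declared_days} days, observed {actual:g}"))
    return findings


if __name__ == "__main__":
    for name, issue, detail in audit(OBSERVED, DECLARED, CONSENT, NOW):
        print(f"{name:22} {issue:30} {detail}")
```

Run the same audit a second time on headers captured before any interaction with the banner: the study's fourth category also covers cookies placed before the visitor has acted, and that capture is the one most consent managers get wrong. Deletion headers are deliberately ignored, because a correct "deny" flow typically emits exactly such Max-Age=0 headers and they must not be counted as placements.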
The misery of the current GDPR state
That Swiss researchers found a GDPR violation on ~95% of 29,398 websites is, to me personally, a sign that something is wrong with the current GDPR rules. The basic concept of protecting personal data and establishing transparency about data collection and use is not only desirable but was urgently needed.
The current phrasing, however, still leaves plenty of ambiguity, and in practical execution there is virtually no limit to the mistakes one can make, often without even being aware of them.
Even more shocking, the paid tools that promise website owners a solution to the GDPR cookie problem do not help much at all. They solve the rudimentary problem of having no consent management platform, but are not able to cover the challenges website owners actually face.
In the current state, website operators have no option but to engage more intensively with the issue and to focus more on data privacy. On the other hand, it remains the courts' business to determine, in case of doubt, whether the law has been violated.
Many retailers will hardly have to deal with the issue any further, but the current uncertainty alone is a problem.
If, for example, a law firm specializing in cease-and-desist letters were to target specific companies, there could be a series of warnings and cease-and-desist letters that could hit small and medium-sized retailers particularly hard.
A future scenario is certainly a revision of the current situation and hopefully a departure from the sickening consent banners, as well as better web standards for cookie usage.