Cookies- do they take the biscuit?

Geoff Revill, steering group member and co-founder of Safe Space One Ltd discusses, “Cookies- do they take the biscuit? Explaining latest law developments and consequences.”

Core Principles for Trustworthy Digital Engagement 

When exploring apps or pages online you are connecting to a person or business, developing a relationship and entrusting them with your personal data. The GDPR was built to support these relationships alongside three key aspects; transparency, about the data being collected and how it’s being used; control, which is to remain in the hands of the user and accountability. Due to current obstacles such as availability of information on digital rights, how to exercise those rights and lacking in necessary funds companies can get away with betraying the trust of their users without penalty. In order for trustworthiness to increase in the digital landscape we need to start demanding user empowerment and credibility of those we are engaging with. 

Do Cookies Do This?

If we compare how Cookies operate to this model we can see that they do not align. Cookie data collection can be misleading, with terms and conditions hidden the average user will not go seeking them out prior to browsing. Consent models are put in place to cede control to the user but how often are they successful? By design and implementation Cookies are fundamentally untrustworthy and can prove to be problematic, especially as major datapoint trading points and facilitating the commercialisation of personal data. 

Your digital identity is curated off of real world identity and online behavioural characteristics which can be used for more than just their intended purpose of personalised advertising. It can also tie into the political environment, influencing a user’s democratic decisions, justifying tracking as a societal issue. Cookies in their original use is relatively harmless however, their availability to third parties can leave users vulnerable to harm and exploitation. 

Mental Health Sector Website Cookie and Consents Review

At the 2021 Digital Innovation in Mental Health conference the organisers asked Geoff to conduct a study to gather information on data profiling and behavioural insight activity from 70 websites. Mental Health Service Providers have a duty of care to their especially vulnerable users and must carry out this responsibility by also protecting them online. Using a web crawler, Markup’s Blacklight tool, he was able to determine eight key areas and tracking companies the websites engaged with: 

      • Number of ad trackers
      • Number of third party Cookies
      • Trackers used to evade blockers
      • Uses session recording 
      • Uses keystroke capture
      • Uses Facebook Pixel tracker
      • Uses Google Analytics
      • Uses ePrivacy compliant cookie banner

“On average 5 third party cookies are active on mental health websites”

The results of this highlighted that many lack in protecting their site’s visitors in one area or another. Even more worryingly some were, “more explicitly and deliberately exploiting and sharing and selling data on their users.” These offenders are failing in their duty of care. Third party cookies are the most explicit due to their lack of transparency, largely hidden within the code base of the website. These cookies guarantee that the data collected will be shared with external companies and individuals without full understanding of what they will do with that information, creating a relationship between two digital strangers. The study highlighted that one Mental Health Service Provider was sharing their user’s data with 37 third parties including Oracle Corporation, Alphabet Inc and WarnerMedia, LLC. Every additional tracker is a new revenue stream, using vulnerable user data to drive their profit. Some people who have taken measures to protect their data are still at risk however, due to the use of trackers designed to evade blockers. This means that people’s data is still being collected despite their belief that their privacy is being protected, actively deceiving users. 8% of these website used evasion trackers. Insights could also be blocked from the web crawler therefore, there could be more websites who use trackers or collection tools but are hidden from view. 

Session recordings can be used to highlight hotpots on your website and reconfigure it to your user’s activity. This tool is inherently invasive on people’s privacy as it could reveal details and confidential information about their own or their family member’s diagnosis, for example. 11.1% of study participants make use of session recordings. Not to say that they cannot be useful, within a limited timeframe at the beginning of a website development they can be used to correct the design and provide a better user experience before retiring the technology. 

Further tracking tools such as keystroke capture can prove to be nonconsensual in collecting sensitive information. When entering this data into a website a user should remain in control of whether they choose to share it or not, however with keystroke capture it is essentially taken prior to point of consent. 39.7% of the websites make use of unconsented Facebook pixel trackers and 49.2% use Google Analytics, allowing tech giants to contribute to and corroborate their much larger user data sets, stripping away the anonymity of the vulnerable mental health users. 

We have highlighted that consent is one of the key pillars in helping to build trust between a website and its users therefore, having an ePrivacy compliant cookie banner plays an important role. These help to disclose any information about trackers, cookies and analytics tools being used and present the user with an opportunity to opt out. It is a common misconception that opting out reduces the functionality of the website and users will trade information for a better experience. This is not the case as necessary cookies will remain active when opting out of additional cookies. Only 1/3 of the websites used these. Some other websites in the study fall into a grey area; using dark pattern techniques to mislead users into agreeing to terms and conditions they do not fully understand, or aren’t presented with an opportunity immediately to reject these cookies. 

Recent Cookie Rulings

To better protect people online ePrivacy and GDPR Enforcement have been working to define the parameters of legal cookie use and consent. In the last two years they have made two significant developments. As a somewhat ongoing matter the Internet Advertising Bureau Europe (IAB) created a framework in which every provider would be held to the same standard. In October 2020, it was ruled that the framework fails the data protection test by using dark patterns and the misleading consent model. This issue is widespread with an estimated 40-50% of internet service providers using this consent model presently. The “Transparency and Consent Framework” is also used within real-time bidding (RTB) which is utilised by third party trackers and cookies for advertising placement and can be extended to be influencing tool in politics and social issues, as mentioned previously. 

As of December 2021 the GDPR decided that Google Analytics were considered a breach of its clauses. Data transfers to the US were responsible for this, as users are not consenting to this particular use. Under FISA law that data is visible to US Security Groups, meaning these insights were being shared beyond the consented partnership. This data should also be anonymised and protected however, it was proven that the data being shared was personalised. Google Analytics should now be consented on every website that uses it. 

Ways to Keep Yourself and Your Users Safe

      • ‘Lose some digital weight’- share less 
      • Turn off Cookies 
      • Add blockers to your websites 
      • Use more secure search engines- such as Duckduckgo and StartPage
      • Refer to our helpful guides- you can find them HERE