惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

F
Fortinet All Blogs
云风的 BLOG
云风的 BLOG
M
MIT News - Artificial intelligence
WordPress大学
WordPress大学
T
Tailwind CSS Blog
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
S
Secure Thoughts
博客园 - 【当耐特】
Know Your Adversary
Know Your Adversary
NISL@THU
NISL@THU
博客园 - 司徒正美
Last Week in AI
Last Week in AI
C
Cybersecurity and Infrastructure Security Agency CISA
P
Privacy & Cybersecurity Law Blog
C
CXSECURITY Database RSS Feed - CXSecurity.com
B
Blog
The GitHub Blog
The GitHub Blog
小众软件
小众软件
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
Spread Privacy
Spread Privacy
Martin Fowler
Martin Fowler
博客园 - 叶小钗
Security Archives - TechRepublic
Security Archives - TechRepublic
T
Tenable Blog
S
Securelist
博客园 - 三生石上(FineUI控件)
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
Microsoft Security Blog
Microsoft Security Blog
Apple Machine Learning Research
Apple Machine Learning Research
罗磊的独立博客
T
Threat Research - Cisco Blogs
Application and Cybersecurity Blog
Application and Cybersecurity Blog
F
Full Disclosure
Cloudbric
Cloudbric
The Cloudflare Blog
Y
Y Combinator Blog
Hugging Face - Blog
Hugging Face - Blog
Microsoft Azure Blog
Microsoft Azure Blog
H
Hacker News: Front Page
腾讯CDC
L
Lohrmann on Cybersecurity
C
CERT Recently Published Vulnerability Notes
V2EX - 技术
V2EX - 技术
GbyAI
GbyAI
TaoSecurity Blog
TaoSecurity Blog
I
Intezer
The Last Watchdog
The Last Watchdog
G
GRAHAM CLULEY
Google Online Security Blog
Google Online Security Blog
T
The Blog of Author Tim Ferriss

Blog of Simple Analytics

The EU wants to kill cookie banners Google is tracking you (even when you use DuckDuckGo) German court rules Meta’s tracking tech violates GDPR Closing the data gap - Simple Analytics x Usercentrics The EU-US data deal may be dead in the water You are missing 20% of your website data with GA4 How a reverse trial will push Simple Analytics to the next level Google will start tracking all your devices (WTF?) Big Tech Fails EU’s Digital Services Act: Only Wikipedia Passes the Test Meta fined $102 million by the Irish Data Protection Commission Europeans spend 575 Million hours per year clicking cookie banners The most interesting GDPR fines GDPR and fines: all there is to know Google loses key antitrust case Web Analytics for Crypto Companies Web analytics for publishers Google pulls Uno Reverse card: Rolls back decision to kill third-party cookies Privacy Monthly July 2024 Privacy Perspectives June 2024 Privacy Monthly June APRA fumbles targeted advertising Privacy Monthly May Meta loses key privacy battle Google delays cookie phase-out once again Privacy Monthly April 2024 Web Analytics and Consent Cookies 101 Privacy Monthly March 2024 Google Tag Manager vs Google Analytics Google search alternative Data retention in Google Analytics Guide to Google Analytics and Cookie consent What are Google Analytics' identifiers? How to export data from Google Analytics Privacy Monthly February 2024 The Criteo case: a big deal for Big Tech Privacy Monthy January 2024 What the Digital Markets Act means for privacy Google Settles in $5B Incognito Mode Lawsuit Legal troubles for Adobe Analytics Web analytics for nonprofits HIPAA and mental health Why Meta subscriptions are under attack, and why it matters for privacy Privacy Monthly: December Simple Analytics AI Host analytics on Cloudflare Zaraz Add Google Analytics to Convertkit Google Analytics Pricing - Paid vs Free Road to 1 Million ARR - October update CCPA and Data Protection: all there is to know Analytics without a cookie banner Enterprise Analytics Privacy Monthly: November 2023 Delete Act: all you need to know Mobile App Tracking Under Fire The road to 1 Million ARR - September Update Privacy Monthly: October 2023 HIPAA violations First challenge to the EU-US data transfer framework Direct Marketing under GDPR Road to 1 million ARR - August Update CCPA vs CPRA: what is new? Privacy Monthly: September 2023 A/B Testing with Simple Analytics Dobbs v. Jackson ruling is a privacy mess Privacy Monthly: August 2023 What are your rights under the CCPA? When does the CCPA apply? How does the HIPAA compare to the CCPA and GDPR? Why Meta is in a world of trouble CJEU: cookie-based analytics collects sensitive data Road to 1 million ARR - July update All about the new Data Transfer Framework Road to 1 Million ARR - June update What is PHI under HIPAA? Sweden declares Google Analytics illegal Searching for GA4 Alternatives? Top 10 Reliable Options for Google Analyticss Ultimate HIPAA Compliance Checklist: Essential Steps for Healthcare Providers Privacy Monthly: June 2023 More troubles for Google Analytics The path to 1M ARR - May Update Data Processing Agreements Minimal Product Analytics Facebook data transfers declared illegal Is Google Analytics CCPA-compliant? Help us with your input Cookie banners: How to stay GDPR compliant? GDPR Compliance Checklist Privacy Monthly: May 2023 Simple Analytics: Privacy-first website analytics Improve your e-commerce performance with analytics European Facebook blackout is closer than we think Know your website’s Carbon Emissions - and how to reduce it The path to 1M ARR - April 2023 How to add video tracking using Google Tag Manager? How to track form submissions using Google Tag Manager? Why is my Simple Analytics data different from Google Analytics? Debug Simple Analytics script How to Import Google Analytics Data to Simple Analytics
German authority cracks down on cookie banners
Carlo Cilent · 2024-02-21 · via Blog of Simple Analytics

On February 9, the Bavaria data protection authority published a press release (German only) on the results of a large-scale, partly automated investigation on cookies. The authority suspects that at least 350 websites and 15 apps are violating EU law and placing cookies without consent.

While the investigation is only preliminary, there are some important aspects that are worth discussing.

  1. Why does this investigation matter?
  2. What was wrong with the cookie banners?
  3. Are deceptive cookie banners legal?
  4. Why do I still see a bunch of deceptive cookie banners?
  5. The bigger picture
  6. Final Thoughts

Why does this investigation matter?

The press release highlights two important points. First, the authority requires a “reject all” option at the first lever of the cookie banner- something the European Data Protection Board insists on as well. Second, the authority used automated tools for large-scale investigation and is looking to further explore their use in the future.

Let’s start from the cookie banners. What problems did the authority find, and how can you avoid them in your own website?

According to the authority, most cookie banners did not provide a "reject all" option in the first layer. This might seem like a minor point, but it istn't, and here's why.

Let me ask you something: when was the last time you found it difficult or confusing to accept cookies from a website? The answer is probably never. Rejecting cookies is usually annoying, confusing, and tedious. And yet, accepting them is easy as pie.

This is by design. EU law requires consent for cookies (with narrow carve-outs that don’t really apply to web analytics). Websites cannot track you without your consent, so they go out of their way to make the process of rejecting cookies as difficult and annoying as possible.

Typically, a “reject cookies” option is found at a deeper level of the cookie banner and is buried between other useless, confusing options. This turns the cookie banner into an annoying little puzzle: you either take the time to solve it, or accept all cookies and move on with your life. There are other tricks in the crappy cookie banner toolbox but hiding the “reject all” option in a second layer is the main one.

The trick works. Many users simply lack the digital literacy to work out the intentionally confusing language and layout of cookie banners. We are talking about millions of people who are systematically pushed around by non-compliant websites! Even better equipped users often give in to fatigue because playing the dumb cookie minigame for every single website is annoying and time-consuming.

No. If I click on the “accept all” button because I lack the time/patience/digital literacy to figure out how to “solve” a deceptive cookie pop-up, I did not consent freely and my consent is, therefore, completely meaningless under the GDPR.

This is also the position of the European Data Protection Board (that is, the EU institution that brings privacy authorities together). A recent EDPB document insists that cookie pop-ups must make it easy to reject consent, by presenting a “reject all” option in the first layer. And while this is not an entirely unanimous position, it is the position of the vast majority of privacy watchdogs across Europe, and the Bavarian authority expressly refers to it in its press release.

In practical terms, this means that European authorities really, really dislike deceptive cookie banners. Not just burying the “reject” button in the second layer- the whole bag of tricks, too.

The Bavarian authority didn’t really say anything new. We have had these rules on cookie consent for decades now- they are older than the GDPR itself.

Enforcement is the issue. Many privacy authorities around Europe do good work but budget and staffing limitations prevent them from doing more. They are not in a position to go after every single website using a non-compliant cookie banner.

This is why the use of automated tools is important. Automating a preliminary phase of the work could allow authorities to enforce the law more effectively, and to threaten companies with large-scale investigations like the one launched in Bavaria.

This is the first time a European privacy authority uses software to automate a part of the fact-finding work, but the strategy is not completely new in the privacy space: privacy NGO noyb successfully used similar tools for large-scale litigation against cookie non-compliance, despite modest staffing and technical means.

Bottom line: automated tools are no substitute for proper funding, but they can be of great help nonetheless. They are a very interesting tool and we hope to see authorities take a page from Bavaria and explore their use.

(And let’s be clear: no one is going to get fined just because the computer says so! The authority only automated the “dumbest” part of the work. Fines can only come after human investigation of each case, and websites will be able to defend themselves in a proper legal procedure)

The bigger picture

All of this discussion about pop-ups design might seem like nitpicking, but it isn’t. Deceptive design in cookie banners is the symptom of a broader problem.

Companies like to track users, but users do not like to be tracked. 96% of iPhone users opted out of third-party data collection as soon as Apple gave them the option to do so. And by 2022, 35% of Internet users worldwide were using an ad blocker, despite ad-blocking not being a built-in feature of default browsers.

Because users don’t like being tracked, the ad tech industry needs to appeal to a fiction of consent while using every trick in the bag to extort consent. This fiction plays a crucial role in how the ad tech industry legitimizes the use of invasive and harmful tracking tools in an increasingly privacy-concerned world.

We see this strategy at play in other scenarios, too. Google claims that Android users somehow all consented to being tracked through their advertising IDs, despite the fact that they were never asked in the first place. And Meta claims that you are “free” to consent to being profiled- never mind that the alternative is paying €250 per year.

But the GDPR makes this fiction difficult to uphold. This is why regulators have been giving Meta hell over its business model for a while now, and why litigation against the misuse of Google Analytics and similar tracking tools is becoming increasingly successful at a European level (for instance, the recent and potentially game-changing victory against ad tech giant Criteo).

Final Thoughts

One step at a time, the momentum is finally swinging against online surveillance. Eluding the rules is still possible but is getting riskier by the day.

If you want to ensure that your cookie banner is compliant, check out our blog on the topic. But make no mistake: compliance cookie banner design drives opt-in rates down by a significant margin. That is why so many websites are violating the clear rules we have!

So, there is a fundamental trade-off for cookie-based analytics. You can have good opt-in rates, or compliance.

We built Simple Analytics so that you don’t have to choose. We give you all the insights you need on your website’s performance without using cookies and collecting a single bit of personal data. Our software is lightweight and easy to learn, with an intuitive UI and a handy AI assistant.

If this sounds good to you, feel free to give us a try!