Cookie consent or cookie manipulation?
Michael Irene is a data and information governance practitioner based in London, United Kingdom. He is also a Fellow of the Higher Education Academy, UK, and can be reached via moshoke@yahoo.com; Twitter: @moshoke
August 15, 2022
The concept of consent is much more than what meets the individual’s eye when they reach a particular website. Cookies might be placed covertly on the individual’s device even before they have affirmatively accepted them. What’s more, most organisations make it extremely hard for individuals to access websites if they don’t accept cookies. That goes against data privacy principles.
NOYB, the non-profit privacy advocate led by Max Schrems (known for his takedown of Privacy Shield and his strong voice in the privacy space), recently made a complaint citing that most companies allow individuals to click to accept or manage their cookie settings without allowing them to reject all cookies. This has led to a massive debate about whether a company remains GDPR compliant simply by placing a banner on its website.
But let’s look at a scenario to put this into perspective. A customer goes on a particular website, and he’s automatically drawn by the neon signs on most cookie banners to accept all cookies. He carries out this action without knowing that by accepting all, he has exposed himself to over four thousand vendors. Upon realising this, he wants to withdraw consent but struggles to do so, and he can’t understand why, every time he has a private conversation with his family and friends, he sees the advert on his Instagram feed.
There is the notion that consent should be freely given, or at least that’s what the regulation advises, but there seems to be a lot of disregard for this, and the fact that one can’t access some websites without giving consent is bad business practice. Many companies don’t allow individuals to access their website when they don’t give consent. What NOYB is clamouring for, and I think rightly so, is that companies should give data subjects the option to reject all cookies.
Not all cookies can be rejected. There are cookies that serve legitimate business purposes. For example, Mr. A may save some items he intends to buy in an online basket (the cookie can use some text bots to recognise the customer and direct them to the items in the basket). There are also cookies that are functional, in that without them the website can’t behave optimally. That said, individuals still need to be given the right to accept or reject cookies.
Placing cookies on individuals’ devices, whether they agree or not, is the new trend in these modern times, and that’s worrying. Companies must begin to treat the data collected from people as very important and handle it in line with the principles of data protection. It is not enough to want to sell all the time. What’s important is building trust and ensuring that when individuals visit companies’ websites, enough information is shared. Consent should not be used as a weapon or as a yardstick for deciding whether one can access an organisation’s website. Most organisations need to change their consent management structure and thereby build a transparent and trustworthy brand.