In May 2012 it became law across Europe that websites needed to include a cookies policy and provide users of that website with a choice on how the data is used.
We wrote about it in May of that year and in it we said “To you and me what this means is that we are supposed to now ask people if it is OK for us to use cookies on our sites rather than relying on them to decline them. Simply put we now need to ask for permission.”
Fast forward eight years and we are now used to the daily intrusion of a cookies pop up, so much so that most people simply hit ‘accept’ and move on, as the interstitial is an interruption of the search journey. And given that most of us now search using our mobile devices, something less frequent in 2012, we know that unless you do something you simply can’t get past the cookies policy.
As I said, most people simply click ’accept’ and move on to whatever they want to read, but do they actually know what they are agreeing to?
Some of the best websites make it crystal clear, like the ASA/CAP website which shows all cookie functionality at the side. They break theirs down into four areas and give users a clear choice of what they agree to, like this;
Our use of cookies
We use necessary cookies to make our site work. We’d also like to set optional analytics cookies to help us improve it. We won’t set optional cookies unless you enable them below. Using this tool will set a cookie on your device to remember your preferences.
Necessary cookies
Necessary cookies enable core functionality such as security, page navigation and access to logged-in areas. You may disable these cookies by changing your browser settings, but this will affect how the website functions.
Analytics cookies
We would like to set Google Analytics cookies to help us improve our website by collecting and reporting information on how you use it. The cookies collect information in a way that does not directly identify anyone. For more information on how these cookies work, please see our cookies page.
Preferences
Preference cookies enable a website to remember information that changes the way the website behaves or looks, like your preferred language or the region that you are in.
Other websites, like The Sun say this;
We Need Your Consent
We and our partners may store and access personal data like cookies (the techy kind) or IP address on your device and process such data to personalise your Sun experience and show ads we think (hope!) you’ll like.
Store and/or access information on a device
Cookies, device identifiers, or other information can be stored or accessed on your device for the purposes presented to you.
Personalised ads and content, ad and content measurement, audience insights and product development
Ads and content can be personalised based on a profile. More data can be added to better personalise ads and content. Ad and content performance can be measured. Insights about audiences who saw the ads and content can be derived. Data can be used to build or improve user experience, systems and software.
If you’re ok with this and want to get on with reading The Sun, click ‘Fine By Me!’. Or you can read the boring stuff – like how you can change your settings or withdraw your consent at any time – by clicking ‘Cookie Settings’. This section also explains how our partners may claim what’s called a ‘legitimate interest’ for processing, instead of consent. This is standard stuff, but if you don’t like it you can object by changing your settings. And if you made it this far, congratulations! Our lawyers will be delighted.
So far so good. A policy with a sense of humour and the ability for you to opt out of being tracked and targeted for advertising purposes.
But what of the websites that don’t allow you to do this? What can we do?
Just this weekend, the following popped up on my screen as I followed a link from social media, to a news story on itv.com.
The same warning appears on a desktop like this;
On the face of it, a humorous attempt (like The Sun) at lightening something required by law.
But the difference here is that you can’t opt out. And that’s unacceptable.
If you click on “Whoa! Hang on a minute…How do I change my cookie settings?” It takes you to another page, the one containing the terms and conditions and I’m sure there will be instructions on how to do it somewhere within that page.
Except I can’t see it, because of….the Cookies pop up. On both mobile and desktop, I’m faced with the same problem.
And I can’t get past this at any point unless I click on “Yes, agreed!” And that’s not a choice.
ITV would be as well to review this as despite a slow start, Governments and regulators are now starting to take this very seriously, as the issue is now folded into GDPR laws and they are starting to bite.
Looking across the Channel to France we find that CNIL (Commission Nationale de l’Informatique et des Libertés), the French equivalent to our ICO (Information Commissioners Office) fined AMAZON EUROPE CORE 35 million euros in December 2020, for having placed advertising cookies on users’ computers, from the page amazon.fr, without obtaining prior consent and without providing adequate information.
On the same day, they also fined the companies GOOGLE LLC and GOOGLE IRELAND LIMITED a total of 100 million euros for having placed advertising cookies on the computers of users of the search engine google.fr, without obtaining prior consent and without providing adequate information.
To these businesses, it’s probably just the price of doing business, but to the rest of the world, it should act as a warning shot across the bows.
And it’s not just France who are pursuing businesses.
On 17th December 2019, The Belgian DPA imposed a fine of €15000 on a website specialized in legal news for their noncompliant cookie management and privacy policy. And a month earlier the Spanish courts issued a 30,000 Euros fine to Vueling, a Spanish site specialising in flights and travel.
Today, the Vueling website is dominated by a huge cookies option box (see below) but the ruling is particularly interesting. It said;
When accessing online the cookie policy of the URL page: https://www.vueling.com/es , users are informed about what cookies are and what cookies they use. It also communicates that Vueling can use the information by itself or through third parties such as, beacons, Pixel tags and Local storage, evaluations and statistical calculations on anonymous data, indicating “such information will not be used for any other purpose”. They also report that they may use third-party analytics cookies.
However, on the management of cookies, the company merely indicates that: “you can configure the browser to accept or reject by default all cookies or to receive an on-screen notice of the reception of each cookie and decide at that time its implementation or not on your hard drive. You can also use “do not track” tracking cookie blocking tools. It is also noted that, “you can revoke at any time the consent given for the use of cookies by Vueling, configuring the browser for this purpose and that you can adjust the browser settings to prevent the installation of cookies websites or third parties in general.”
What the company does not provide is a management system or cookie configuration panel that allows the user to delete them in a granular way. To facilitate this selection the panel would have to enable a mechanism or button to reject all cookies, another to enable all cookies or to be able to do it in a granular way in order to manage the preferences of each user. On this subject, it is considered that the information offered on the tools provided in the browsers of the computers to configure cookies would be complementary to the previous one, but insufficient for the intended purpose of allowing you to configure preferences in granular or selective form.
And this is the nub of the problem with ITV.
To get past their cookies interstitial you have to first agree to allow them to add any cookies they want to your browser, irrespective of whether you are going to agree or reject them later.
Not only is this against the spirit of the law, it’s against the letter as well.
The ICO make it clear on their website that;
You must tell people if you set cookies, and clearly explain what the cookies do and why. You must also get the user’s consent. Consent must be actively and clearly given.
There is an exception for cookies that are essential to provide an online service at someone’s request (eg to remember what’s in their online basket, or to ensure security in online banking).
The same rules also apply if you use any other type of technology to store or gain access to information on someone’s device.
Clearly, the ITV website is in material breach of the GDPR regulations and one can only hope, given we’ve chosen to publicise the fact, that they will remedy this quickly before the ICO are forced to act upon this oversight.
