Tired of Cookies? Here's the reason why

The issue of having so many opt-in banners about cookie consent policies, using mainly the GDPR as the legal basis for the discussion

tl;dr: This post is a brief analysis of the issue of having so many “opt-in” banners about cookie consent policies, using mainly the GDPR as the legal basis for the discussion. Cookies are necessary for the technical operation of many web servers, but that doesn’t mean we don’t get tired of ticking so many checkboxes online.

Introduction

You have probably noticed that in the last few years most sites welcome new users with some kind of banner or pop-up window, with a friendly message asking you to accept some cookies in order to access and enjoy the content of their pages.

There is a reason for it, and if you are the owner of a webpage that collects some user data, even if you are not sending it to third-party companies that generate analytics or user behavior reports, you should probably start doing it too. I know, it’s frustrating, but it’s necessary. Let’s find out why.

Compliance and Accountability

To understand what those cookies mean, and why companies are so worried about asking users to consent to them, the first thing we need to know about is compliance. In legal terms, it describes the need to conform to the rules imposed on a given subject or area, and that includes laws, standards and regulations.

For webpages located, for instance, in the European Union (EU), in the European Economic Area (EEA) or in the United Kingdom (whose national version, the UK-GDPR, is almost identical to the EU-GDPR), the owners of those pages must inform the users whose data are being processed and obtain their authorization, whether for purposes of performance analysis, user experience (UX) metrics or even to target more relevant ads to the audience of their sites. This is what the General Data Protection Regulation, or GDPR, provides; it is one of the legal instruments governing privacy and personal data protection for people inside and outside those States.

💡 If you do not reside in the aforementioned countries, but carry out any operation involving the processing of personal data from people or companies located in the countries where the GDPR rules apply, this law is also mandatory. This is what Article 3(1) of the GDPR provides: “This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not”.

In fact, even if the website transfers this information to third parties (who will process this data), those responsible for collecting, organizing and, finally, processing this personal data must ensure they do so under one of the lawful bases provided.

And what are those lawful bases? The UK-GDPR provides for at least six of them:

  1. By consent;
  2. By contract;
  3. By legal obligation;
  4. For vital interests;
  5. For public interest or legal authority;
  6. For legitimate interests.

For the purposes of this article, we will solely focus on the first two of them: by consent; and by contract.

Image: Google 27 EU Locations Add Cookie Law Notice.

Lawful basis of GDPR

The lawful basis of contracts is usually associated with an agreement set by the parties, such as an employment contract or an obligation contracted by a company to store the personal data sent by the other party in order to process it, for example, to generate analytical reports used for decision-making.

Notice that when the law says personal data it does not mean just the full name, address, or telephone number of these data subjects. In fact, personal data means any information that can identify that person. So, even if we are working with two different databases, where one of them contains the full name of a natural person, and the other one has the address associated with it, intersecting these two data sources allows us to identify this person. Therefore, both of them contain personal data.

On the other hand, the legal basis of consent is generally the easiest one to obtain, because the data subject (to whom the data relates) can state that they agree with the collection and processing of their personal data, and authorize the website’s owner to do so in order to fulfill specific purposes, provided that this does not violate any law or misuse the information.

This means that those responsible for the website must be transparent, fair, and accurate at the time of collection. And if they want to transmit this data to third parties, which the GDPR refers to as data processors, those parties must also act in accordance with the law and with the purposes for which the contract between the parties was established.

💡 If you are a developer and want to adapt to these rules, you must obtain the explicit consent of the data subjects before processing their personal information using cookies or any other third-party resources. It is also important to keep a log of when and how you obtained this consent, stored in a secure manner. You must also allow users to change their preferences later, revoking access to the information and deleting it.

For those reasons, we often see alerts and requests to allow cookies in order to continue using a website. But what if we don’t accept cookies? And if we don’t agree to our personal data being collected, processed and used, even for purposes permitted by law, what do we do?

The answer is not simple.

Why cookies?

It happens that, in many cases, those responsible for the sites - we will call them, from now on, data controllers, as the GDPR does, but do not confuse them with data processors, the third parties, ok? - allow the user to choose which cookies are used. In general, most sites display a list where the user can select and allow just the ones they deem convenient. However, not all cookies can be denied.

💡 Although there are a few mentions of cookies in the GDPR and in the ePrivacy Directive, another regulation that governs these mechanisms, the two data governance regulations must be interpreted together. For the purposes of this article, we will focus on the GDPR only.

Some cookies are vital to the website’s functions, due to the nature of cookies: they store valuable information about the user’s activity in the internet browser.

The reason for cookies - or HTTP cookies, the most appropriate technical term - is to allow webpages to store the user’s preferences and information while browsing. Cookies can temporarily save, for the duration of a session, for instance, a user’s login credentials for a social network, which spares us from repeating the same step every time we click on a link or press F5 to refresh a page. Likewise, cookies may contain payment information for online shopping, responses to an electronic form, and other data.

💡 Why do we call them cookies? The term is derived from “magic cookies”, a concept in Unix computing for transmitting information between the sender and the receiver.

For the purposes of this article, we will not cover the technical description of how cookies work. It is important, however, that you understand that cookies are used to store the user’s session information, and work as “identification data” or a “badge” on the server. Also, remember that cookies can contain personal and specific data about the user, and that’s why data controllers must implement good security practices to protect access and storage on their servers.

💡 There is a recent discussion about new alternatives to cookies, such as Federated Cohort Learning (FLoC), endorsed by Google, which aims to cluster people with relevant interests into large groups. FLoC has not been implemented for the general audience yet, but many people have already expressed concerns, mainly for privacy reasons, about this technology, which will impact advertising and digital marketing. But this controversy is a subject for another post.

More cookies, fewer banners?

Now that we know what cookies are, and why they are necessary for websites, we can conclude that it is not easy for data controllers to completely remove the banners and pop-up windows that have been chasing us on almost all websites lately, calling for our attention in order to offer us some.

“Sharing is Caring”, by Light Roast Comics.

Certainly, because data controllers must comply with specific laws and regulations, they cannot refrain from obtaining at least one of the lawful bases for processing users’ personal data, but this does not mean that there are no other ways of doing it safely, in accordance with the GDPR and in compliance with the transparency and efficiency principles.

However, avoiding banners and treating consent as implied is not a valid option, according to the UK’s Information Commissioner’s Office: “your users must take a clear and positive action to consent to non-essential cookies”. The same goes for pre-ticked checkboxes on non-essential cookies: “pre-ticked boxes or any equivalents, such as sliders defaulted to ‘on’, cannot be used for non-essential cookies”. To obtain the user’s consent for cookies considered non-essential to the server’s operation, a “positive action” by the user is required: they must consent to the collection and processing of data by clicking on an “Allow” button, or by checking a “Consent” checkbox.

Example of cookie notice on a website. In this case, the React Cookie Notice component.
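
One way a developer might implement the rules discussed above (opt-in by positive action, no pre-ticked defaults, a log of when and how consent was given, and later withdrawal), as an added example that is not part of the original post. The cookie categories, the function names and the hash-chained log are assumptions chosen for illustration.

```javascript
// Added example, not code from the original post. All names are hypothetical.
const { createHash } = require("node:crypto");

const ESSENTIAL = ["session"];              // assumed: needed for the site to work
const NON_ESSENTIAL = ["analytics", "ads"]; // assumed: require opt-in consent

const sha256 = (s) => createHash("sha256").update(s).digest("hex");

class ConsentLog {
  constructor() { this.entries = []; }

  // Each entry's hash covers the previous hash, so altering a stored
  // record afterwards makes verify() fail.
  append(record) {
    const prev = this.entries.length ? this.entries.at(-1).hash : "";
    const body = JSON.stringify(record);
    this.entries.push({ body, prev, hash: sha256(prev + body) });
  }

  verify() {
    let prev = "";
    return this.entries.every((e) => {
      const ok = e.prev === prev && sha256(prev + e.body) === e.hash;
      prev = e.hash;
      return ok;
    });
  }
}

// choices: e.g. { analytics: true, ads: false }. userAction must be true only
// when the visitor clicked "Allow" or ticked the box themselves; a pre-ticked
// default or a silent page view grants nothing and is not recorded as consent.
function recordConsent(log, subjectId, choices, userAction, method, when) {
  if (!userAction) return [];
  const granted = NON_ESSENTIAL.filter((c) => choices[c] === true);
  log.append({ type: "consent", subjectId, granted, method, when });
  return granted;
}

// Withdrawal is logged too, so the latest entry always reflects current state.
function withdrawConsent(log, subjectId, when) {
  log.append({ type: "withdrawal", subjectId, granted: [], method: "preferences-page", when });
}

// Cookies the server may set: essentials plus the latest recorded grant.
function allowedCookies(log, subjectId) {
  const last = log.entries.map((e) => JSON.parse(e.body))
    .filter((r) => r.subjectId === subjectId).at(-1);
  return [...ESSENTIAL, ...(last ? last.granted : [])];
}
```

In a real deployment the latest hash would also be kept outside the log, since anyone able to rewrite the whole chain can recompute it, and `subjectId` would be a pseudonymous identifier rather than a name or e-mail address.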

If there are no other ways, after all, to obtain cookies, there are three possible options: (a) we can simply continue and accept it, which may displease the users most concerned about privacy and data protection; (b) suggest that authorities review and regulate new rules on cookies and procedures for obtaining consent; or (c) seek less intrusive ways of obtaining consent, along with good practices, so as not to negatively impact the user’s experience.

Changes may come

In fact, criticism of cookie consent policies has had an effect, and the European authorities have updated their guidelines on the interpretation of the legal rules on this topic. However, the problem of thousands of pages displaying banners, pop-ups and their “cookie walls” still persists, and has raised questions even internationally.

The privacy and data protection policy is a right as well as an obligation, as it ensures greater transparency to data subjects, while imposing the need for accountability and compliance for both data controllers and data processors. Also, the new rules have caused the phenomenon of “opt-in fatigue”, which we hope will be resolved soon.

Do you have any suggestions on how to solve the problem of so many opt-ins on the webpages we access? Don’t you think of it as a problem? Do you think there is something to be done about it? Comment below with your opinion or your suggestion on this subject. 📢

Disclaimer: This article contains some legal information for educational purposes only, and does not contain legal advice on any subject matter. If you need professional advice regarding your specific circumstances, please consult your attorney.