How Cookie Banners Backfired

The DealBook newsletter delves into a single topic or theme every weekend, providing reporting and analysis that offers a better understanding of an important issue in business. If you don’t already receive the daily newsletter, sign up here.

From Washington to Brussels, policy folks are focused on digital privacy. Just this week, three states and the District of Columbia filed a series of lawsuits against Google, accusing it of violating consumers’ privacy rights. Dozens of bills have been introduced in Congress to force companies to develop digital tools that help users manage their privacy. And companies spend billions of dollars to comply with — or skirt — the labyrinth of complex privacy laws that already exist.

It just so happens that this week is known as Data Privacy Week.

But there’s an inconvenient truth about all the effort that has gone into creating and enforcing digital privacy safeguards: When it comes to the most extensive internet privacy rule yet, the public doesn’t seem to care — or, more accurately, it doesn’t seem to have the knowledge or tools to effectively benefit.

Four years ago, the European Union’s General Data Protection Regulation went into effect. It requires any website that is accessible in Europe, which means most websites, to post a notice of its privacy policy and to give people an opportunity to accept or reject cookies, the files that allow their data to be collected. When it passed, many digital privacy activists thought that digital privacy was on its way to being solved.

That’s not how things turned out. The last time a pop-up window appeared on a website and asked whether you would allow cookies to gobble up your personal data, did you actually read the fine print or think for more than five seconds before you pressed “accept?” Me neither.

“No one reads cookie banners,” said Max Schrems, an Austrian privacy advocate who played a key role in pushing for the regulation. “They’ve become almost a useless exercise.”

Actually, it is worse. In practice, the proliferation of cookie banners has both numbed people to their purpose and given companies yet another way to manipulate users.

Companies have turned cookie banners into a tool that does the opposite of what regulators intended. You’ve heard of “search engine optimization?” There are now firms, called consent management platforms, that are promising “consent rate optimization”— meaning they create cookie banners that will move people to hit the “accept” button. One simple example: According to one study, removing the “opt out” button on the front page of the cookie banner increases consent by 22 or 23 percentage points. Some of these companies say they can achieve a consent rate of 90 percent.

One prevalent consumer response is what two communications professors, Nora Draper and Joseph Turow, described in a 2019 paper as “digital resignation.” That is a state of mind in which users know full well that their data is being appropriated and monetized — and know as well that they are being manipulated online — but don’t feel that they can do anything about it. They are resigned to allowing this to take place because they view it as the unfortunate cost of being a netizen.

“Most people don’t even know what cookies are,” said Florian Schaub, a privacy expert at the University of Michigan and a co-author of several studies about cookies and cookie banners. “In our research, we have found that hitting the ‘accept’ button is not actually indicative of consent,” he added.

Of course, there’s not much doubt that people want to care about data privacy. In California, a ballot initiative strengthening the state’s privacy laws passed in 2020 with 56 percent of the vote, despite the usual opposition from the big tech companies. The new law includes the creation of the California Privacy Protection Agency to enforce the state’s data privacy rules. It will be able to issue subpoenas and have the power to issue regulations. It is hard to know yet — the new law won’t go into effect until next year — but it’s possible that greater enforcement could finally force tech companies to make it easy for consumers to make informed choices.

In the meantime, privacy activists like Mr. Schrems believe that the real answer is to create easier ways for consumers to make decisions — simple, infrequent ones — about how they are tracked. Mr. Schrems, for instance, is working on ways to eliminate cookie banners entirely by crafting software that would send automatic signals from your browser. It could work like browser settings that block pop-up ads rather than asking a user to make that decision for every website, removing the need for multiple clicks on intentionally complex banners. It would also make it much more difficult for companies to game consent.

For now, though, we’re still stuck with cookie banners. And still on our own to decipher the terms on each website and make a decision we’ve thought about — at least, when we’re not in a hurry.

What do you think? Do most internet users care about controlling their data? What tools do they need to do so effectively? Let us know: [email protected].