European privacy laws requiring opt-in informed consent for the use of tracking cookies on websites gave rise to the now-ubiquitous cookie consent banner. Subsequently, less stringent laws in the U.S. and elsewhere have led to websites that set cookies from the get-go but display cookie banners that offer opt-outs. The Web is now littered with inscrutable cookie banners that do not seem to provide any functionality, do not deliver on claimed opt-outs,6 use dark patterns to nudge users to consent to all cookies,1 or leave users puzzled. Users respond to these misguided compliance efforts by clicking whatever seems most expedient to get obtrusive cookie banners out of the way, providing consent that is anything but informed.
We have been studying cookie consent banners in my lab at Carnegie Mellon University to gain insights into how banner design impacts user comprehension and what cookies they accept. In one study, we created a retail website and recruited participants to test it out. We randomly assigned more than 1,000 U.S. participants to see one of 12 cookie banners on the website while they were shopping. After they completed the shopping task, we asked them questions about what they had consented to and why, as well as their comprehension of words used in the banner.1
Our results demonstrate that when users can just as easily select any of the available cookie options, they accept fewer cookies than when it is easiest to accept all cookies. Similar to previous studies in Europe,9 we found that when a banner sits unobtrusively at the bottom of the screen, many users do not interact with it, and thus end up with the website's defaults (in the U.S., the default is usually to accept all cookies). When we replaced the banner with a persistent "cookie preferences" button that floats in the bottom-right corner of the browser, no participants interacted with the cookie preferences button at all.1 Beyond academic studies, A/B testing of cookie consent banners on company websites demonstrates banner design has a large impact on opt-in rates.8
To help illustrate some of the problems with cookie banners, let's look at cookie banners for four professional organizations of which I am a member.a I trust these organizations and do not believe they are trying to do anything nefarious, yet some of their cookie banners leave me perplexed.
The IAPP website also has a "manage cookies" link in the website footer that allows users to revisit their cookie decisions at any time and a cookie notice that enumerates the website's cookies. It is probably rare that a user would look at this, but it may be of particular interest to IAPP members.
Similarly, a cookie banner at the top of the USENIX website also offers no choices (see Figure 3). It states, "If you use this site, cookies will be stored on your device … ." There is a link to the cookie statement and one button labeled "Got it," which gives the banner a conversational feel but does not mean anything to me except that I should click it to make the banner go away. As with the IEEE banner, I am unsure why it is there.
A link for more details in the ACM cookie banner leads to a definition of each cookie type and a list of cookies. The detailed information is probably a bit much for most users but there are likely some ACM members who will appreciate this detail. ACM uses the Cookiebot CMP to generate the cookie banner and detailed "cookie declaration." The inclusion of a link to the cookie declaration in the footer of the website allows users to check and change their cookie settings, although a label such as "cookie preferences" might communicate more clearly what is behind the link.
ACM appears to be taking a privacy-protective opt-in approach for all but necessary cookies. As I have browsed the ACM website with the optional cookies turned off, I have not encountered a situation where I thought I might benefit from enabling optional cookies (this has been my experience on most websites where I opt out of cookies). This makes me wonder whether anyone turns on the optional cookies, and if not, why they are there. If those cookies are not actually needed, then ACM could stick with the necessary cookies only and turn off the cookie banner. (Inexplicably, the ACM Digital Library has a different banner than the main ACM website with a useless "Got it!" button.) One problem ACM and other organizations may face is they have components such as videos embedded in their websites that come from third parties that may set cookies the first party has no control over.
In our research we also found commonly used cookie categories are not very clear to users. Taken from a 2012 Cookie Guide published by the International Chamber of Commerce United Kingdom, these common terms include strictly necessary cookies, performance cookies, functionality cookies, and targeting cookies or advertising cookies.4 While the idea of standard cookie categories is great, the category names chosen seem to provoke misconceptions. In our study, only 16% of participants correctly identified the definition of functional cookies in a multiple-choice question and 48% correctly identified the definition of performance cookies. The term "functional" is particularly confusing because it may suggest cookies needed for websites to function, which are actually called "strictly necessary cookies." In reality, functional cookies provide extra personalization functions. Cookiebot uses the terms "preferences" and "statistics" in place of "functional" and "performance," which I suspect may be clearer—but these terms should be tested with users!
Another terminology confusion comes from the meaning of the buttons on cookie consent banners. In Europe, companies are encouraged by the data protection authorities to include "reject all" buttons next to "accept" buttons.5 However, under European law companies are not required to reject strictly necessary cookies, and sites therefore reject all the other cookies but not the strictly necessary cookies when users click the reject-all button. Buttons should be labeled more accurately "accept only necessary" or with the Cookiebot button label "use necessary cookies only."
We also found commonly used cookie categories are not very clear to users.
Organizations should take steps to improve their cookie banners7 or eliminate them altogether where they are not needed. But cookie banners are a suboptimal solution to consent management since they require users to stop and make a decision that usually is not very informed at every website they visit. In their current form they add friction and annoyance without benefiting users.
Web browser plugins are available to block tracking cookies, allowing users to effectively opt-out without having to navigate through choices on cookie banners. These tools work with varying degrees of success, sometimes causing desired website functionality such as product reviews and embedded videos to stop working.
Automated solutions have been proposed that would allow users to set opt-out preferences in their web browser and have them conveyed automatically in the background at every website a user visits. One such solution, "Do Not Track," was implemented in some web browsers more than a decade ago and widely adopted by users, but most websites ignored these automated requests not to engage in tracking.2 More recently, a system called "Global Privacy Control" was introduced to allow users to automatically send requests to not to sell their personal information to all websites they visit. These requests are considered valid under the California Consumer Privacy Act (CCPA) and websites that ignore them may face enforcement actions in California.3 GPC, which is expected to be expanded to other jurisdictions, is a step in the right direction, finally offering users the ability to opt-out of tracking everywhere without requiring them to take steps to opt-out at every website.
In the short term, organizations should clean up their cookie banners so that users can access privacy choices easily and remove banners when there are not any meaningful choices to present. Longer term, we need automated solutions to allow users to make their decisions once and have them respected everywhere. We will also need good user interfaces that help users understand when features are unavailable due to automated decisions and allow them to override in specific cases. However, we will need to be careful to prevent a proliferation of decision override prompts that annoy and manipulate users without offering informed consent or protecting privacy.
1. Habib, H. et al. "Okay, whatever": An evaluation of cookie consent interfaces. In Proceedings of the CHI Conference on Human Factors in Computing Systems (CHI '22), (Apr. 29–May 5, 2022, New Orleans, LA); https://doi.org/10.1145/3491102.3501985
2. Hill, J. 'Do Not Track,' the privacy tool used by millions of people, doesn't do anything. Gizmodo (Oct. 2018); https://bit.ly/3PvLbmH
3. Holland, J. Global privacy control popularity grows as legal status up in the air. Bloomberg Law. (Dec. 21, 2021); https://bit.ly/3wxJFYO
4. International Chamber of Commerce UK. 2012. ICC UK Cookie Guide; https://bit.ly/3wm8yri
5. La Commission nationale de l'informatique et des libertés (CNIL). Délibération no 2020-092 du 17 septembre 2020 portant adoption d'une recommandation proposant des modalités pratiques de mise en conformité en cas de recours aux "cookies et autres traceurs."; https://bit.ly/3G1C3C3
6. Matte, C., Bielova, N., and Santos, C. Do cookie banners respect my choice?: Measuring legal compliance of banners from IAB Europe's transparency and consent framework. In Proceedings of the IEEE Symposium on Security and Privacy (SP). IEEE, 2020, 791–809.
7. noyb. Many more cookie banners to go: Second wave of complaints underway. (Mar. 4, 2022); https://bit.ly/38DbI0N
8. Schepelle, C. Despite GDPR: Up to 70% Analytics Opt-in rates—Why Extensive Testing is Worth Every Minute of Effort. 2020; https://bit.ly/3PEH5Jl
9. Utz, C. et al. (Un)informed consent: Studying GDPR consent notices in the field. In Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security (CCS '19). ACM, New York, NY, USA, (2019); 973–990; https://doi.org/10.1145/3319535.3354212
The Digital Library is published by the Association for Computing Machinery. Copyright © 2022 ACM, Inc.