We Value Your Privacy

Cookies, Consent, and Compliance in a Post-GDPR World

If You Click (with Mouse) a Cookie

The General Data Protection Regulation (GDPR) was passed by the EU almost 10 years ago and was supposed to be “the toughest privacy and security law in the world.” Yet the collection, aggregation, and sale of user data has only increased since then. So have high-profile data breaches that expose all of that data. But what we did get was a dazzling variety of cookie consent banners on every website ever.

Seven examples of cookie consent banners stacked on top of each other

They are everywhere, they are annoying, and they are confusing. After taking an informal poll of friends and family who don’t do this stuff for a living, the general sentiment seemed to range from complete and utter indifference to full-on paranoia. In most cases, user behavior manifested in the same way across the board: simply close that box as soon as possible. (Special mention to my dad who immediately closes the whole tab if he’s not familiar with the site.) In all cases, nobody knew what cookies are or what they do.

Best Laid Plans

In essence, the GDPR wanted to make companies reconsider whether they should be tracking user data at all. But instead, everyone decided that they absolutely do want to keep gathering data, which has resulted in an epidemic of pop-up banners harkening back to the days of Flash. Over the past several years, it became muscle memory to close that banner as my first interaction on any site.

If you look deeper into these banners you’ll find the picture gets even more grim. Independent testing has found that around 65% of sites, when specifically sent a “Reject All Cookies” signal, simply ignored that request and dropped tracking cookies anyway.

And that’s if you’re lucky enough to find a clear “Reject All” option. Most of the time you get some variation of a dark pattern that intentionally makes it harder to reject cookies and easier to just say “FINE ACCEPT ALL.”

The Darkest Timeline

So what are these dark patterns and how do we fight them? For answers, I went right into the belly of the beast: the internet. Dark patterns swirled all around me as I dodged and weaved, trying to get to the heart of the matter. Then I stumbled on a prestigious-looking site called williamfry.com and an article about dark patterns and how they will soon be more regulated. Jackpot!

William Fry article about Dark Patterns

Now, before I read this awesome article let’s get that pesky cookie banner out of the way.

Cookie consent banner with "Accept All Cookies" and "Cookie Settings" buttons

Hmm. Well I don’t want to Accept All Cookies. I’m writing a post about how I don’t think they’re great, so it would be pretty hypocritical of me to accept them all. I guess I’ll click Cookie Settings.

Cookie Settings modal Step 1

Ok great, this looks promising. They seem to care about my privacy and they wanted me to read all about that. Now, where do I click to say “No thank you cookies!” I see two buttons at the bottom, one says “Confirm My Choices” and one says “Allow All.” Hm, Allow All sounds a lot like Accept All from the banner, so probably not that one. But Confirm My Choices is kind of confusing. Confirm what choices? Did I choose something already? Or are they using some kind of AI to guess what my choices are? Let me check out some of these tabs first.

Cookie Consent Step 2: Strictly Necessary Cookies

Ok, “Strictly Necessary Cookies.” That sounds serious. I’m sure we’ve all had days where cookies felt Strictly Necessary, am I right? Ok, but seriously. So this says these are “Always Active” and can’t be switched off. So I guess there’s not much of a choice here. Better try the next tab.

Cookie Consent Step 3: Functional Cookies

Ok! So these Functional Cookies seem simple enough. They remember the choices I’ve made to enhance my experience, and there’s a toggle that’s set to “Off.” So that’s good! But wait. If I don’t turn that on, how will they remember my choices when I click “Confirm My Choices?” I better turn that one on, just to be safe.

Cookie Consent Step 4: Performance Cookies

Alright, now we’re getting somewhere. Performance Cookies sound completely optional. Wait a minute, though. Here it says “they are essential” for performance and making sure the site works. Am I crazy, or does this sound more like some Strictly Necessary Cookies? I think they might have made a mistake here. I don’t want the site to not work so I better turn this one on too.

Cookie Consent Step 5: Targeting Cookies

All right, Targeting Cookies. Here we freaking go. These are the ones I will absolutely not be allowing. Just listen to this language: “Track your online activity,” “share information with other organizations,” “or ADVERTISERS?” Uh-uh, I don’t think so William Fry. I will not be turning these on. Not today. You know what, I’m actually curious to see which cookies they’re trying to foist on me. Let me click that Cookies Details link real quick.

Cookies Details Step 1

Ok, the Cookie List. We’ve got First Party Cookies, s7.addthis.com, addthis.com, and youtube.com. Hm, not exactly what I was expecting but that’s ok. Let’s see what these cookies look like.

Cookies Details: First Party

First up is… “TargetingtestCookie.” That doesn’t seem too bad I guess. Seems a little silly to leave a test cookie in there, but I doubt it would do much harm either. Next up we have “_gat_UA-nnnnnnnn-nn.” Another test maybe? Oh, no, this is an actual Google Analytics cookie. That makes sense, we all use GA, I’ll give them that one. The last one under First Party is named “__atrfs,” also not super helpful. But it does have a description that states:

“This domain is owned by Addthis. The main business activity is: AddThis provides web widgets that site owners embed into their pages or other content, to enable visitors to create and share links to the content across social networks. They also make use of the data collected to provide advertisers and marketers with profile information for targeted, behavioural advertising.”

This is confusing because the host of this cookie is listed as www.williamfry.com, but the description suggests that this cookie is hosted by a third party named AddThis. So either this cookie is in the wrong section or it has the wrong description. Either way my eyes are starting to glaze over and I don’t know how much I care anymore. What’s next?

Tracking Cookies: AddThis

Ok, three more cookies from AddThis, with identical descriptions and unintelligible names. This time we have “__atuvc,” “__atuvs,” and … “__atrfs.” Wait, wasn’t that the same name as the one in the last section? [Checks notes.] Yes it was. So I guess this one is in the correct section and the other one was just… a backup?

Tracking Cookies: AddThis part 2

Ok, yet another section of AddThis cookies. The last section was from s7.addthis.com but this one is from plain addthis.com. I have no idea what the difference is and I won’t be looking it up at this time. The names and descriptions are actually a lot more helpful in this section though. We’ve got “uvc” which is there to track “how often a user interacts with AddThis.” Maybe “uvc” stands for Unique Visitor Count? Then we have “xfc” and we’re back to the previous generic description that doesn’t tell us anything about what it does. So I’m going to imagine it stands for eXtremely Friendly Cookie and it just wants to hang out and be chill. And then the last one is named “loc” and it “stores the visitors [sic] geolocation to record location of sharer [sic].” That’s… not very chill, but at least it’s very clear what it’s doing. I’ll be opting out of this one, thanks.

Tracking Cookies: YouTube

Sigh. Now we have three cookies from YouTube. Presumably they want to use my data to send me targeted ads about other Dark Patterns I might be interested in? I’m too tired to deal with this anymore. I’m just going to confirm my choices and move on with reading this article. Remember that? The article I was trying to read?
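
The check behind the “Reject All” finding and the first-party/AddThis mismatch above can be run against any site's cookie jar. The JavaScript below is an added example, not code from the article or from William Fry; it assumes every cookie on the Cookie List needs targeting consent, and the sample jar, the `site_prefs` cookie and the function names are constructed for illustration.

```javascript
// Added example: audit the cookies left in a browser after a consent choice was saved.
// Names come from the Cookie List walked through above; treating every one of them
// as needing "targeting" consent is an assumption (the list was opened from that tab).
const TRACKERS = [
  { name: /^_gat_UA-/, vendor: "Google Analytics" },
  { name: /^__at(uvc|uvs|rfs)$/, vendor: "AddThis" },
  // Generic names only count when they sit on the vendor's own domain.
  { name: /^(uvc|xfc|loc)$/, domain: /(^|\.)addthis\.com$/, vendor: "AddThis" },
];

// Simplified host comparison; a production check would use the Public Suffix List.
function isFirstParty(pageHost, cookieDomain) {
  const d = cookieDomain.replace(/^\./, "").toLowerCase();
  const h = pageHost.toLowerCase();
  return h === d || h.endsWith("." + d);
}

function auditJar(pageHost, consent, jar) {
  return jar.map(({ name, domain }) => {
    const bare = domain.replace(/^\./, "").toLowerCase();
    const hit = TRACKERS.find((t) => t.name.test(name) && (!t.domain || t.domain.test(bare)));
    const firstParty = isFirstParty(pageHost, domain);
    return {
      name,
      domain,
      party: firstParty ? "first" : "third",
      vendor: hit ? hit.vendor : null,
      // Vendor cookie stored under the site's own host: the mismatch noted above.
      vendorOnOwnHost: Boolean(hit) && firstParty,
      // Present in the jar although targeting consent was never given.
      violation: Boolean(hit) && consent.targeting !== true,
    };
  });
}

// Constructed sample jar (not a capture from the real site).
const SAMPLE_JAR = [
  { name: "site_prefs", domain: "www.williamfry.com" }, // hypothetical name
  { name: "_gat_UA-nnnnnnnn-nn", domain: "www.williamfry.com" },
  { name: "__atrfs", domain: "www.williamfry.com" },
  { name: "__atuvc", domain: "s7.addthis.com" },
  { name: "loc", domain: ".addthis.com" },
  { name: "loc", domain: "www.williamfry.com" }, // hypothetical: same name, site's own
];

const report = auditJar("www.williamfry.com", { targeting: false }, SAMPLE_JAR);
console.table(report);
```

With targeting consent off, four of the six sample cookies are flagged, and two of those four sit under the site's own host, which is why a "first party" label alone says little about who the data is for.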

How the Cookies Humble…d Me

According to the article, a dark pattern is “a deceptive design tactic, used in an online environment that is engineered to subtly manipulate the end user’s decision.” Gosh, I’m trying to think if I’ve ever seen an example of that.

Later on, they point us to some examples of dark patterns that are listed in the guidelines published by the European Data Protection Board (EDPB). Well, I say they point us there but they don’t actually link to the examples. They use bold letters to seem link-like but I had to search for it myself to find these examples.

Me trying to click on something that looks like a link but isn't

Once I got there it still took me a long time to scour the 74-page PDF to find the examples they were referencing. But once I found them I think I realized why they might not want to draw too much attention to them.

“While consent must be expressed by a positive action on the part of the users, lack of consent should be considered the default state, until consent has been given. The expression of the users’ refusal should therefore not require any action on their part or should be possible through an action presenting the same degree of simplicity as the one allowing to express their consent.”

Now I’m no lawyer, but the author of this William Fry article quite literally is one — specifically in the field of Technology, Data & Comms. And to him and all the folks at William Fry I would say this: Look Inward. Reflect on the cookies you want to give me as well as the manner in which you want me to allow them. You’re far from alone in the use of dark patterns, but we need you to be better. The irony alone is enough to make me need a good lie down now.

One More Thing

As a reward for getting through that painful ordeal with me, I present you with this clip about dark patterns from the incredible John Early: Now More Than Ever. It’s so much more fun than clicking 1,000 tabs in a cookie consent banner. It’s actually kind of like a better and shorter version of this article. So you can actually just forget the article and just listen to this. And then go watch the whole special. This whole article was just an ad for his special I guess. Ok, seriously, I’m going to lie down now.
