According to a recent study by the Ruhr University Bochum and the University of Michigan, most cookie banners on European websites are not privacy-compliant. In addition, the results of the study show which cookie notices website visitors tend to reject and which they tend to accept.
This blog post is not legal advice. As part of our work as WordPresshost , we have dealt very intensively with the data protection regulations applicable in the EU. However, we are neither lawyers nor data protection experts. We assume no liability for the completeness, topicality and correctness of the content provided by us.
There is still a lack of clarity on cookies
Since 25 May 2018, the European data protection basic regulation (GDPR) has been effective in all member states of the European Union. This means that high fines can be imposed if the requirements are not met. The aim of the GDPR is to protect personal data equally in all EU member states and to strengthen the rights of Internet users by standardising data protection.
In his guest article "Cookie Banner - But the right way!", lawyer Mario Steinberg tells us what you need to bear in mind when implementing a cookie opt-in.
The so-called ePrivacy Regulation is intended to further specify and supplement GDPR in this respect. As there are still many questions and points of discussion regarding the content of the regulation to be clarified, website operators will probably not be confronted with it until 2020. However, this does not mean that you should not prepare for it now!
In addition, a ruling by the European Court of Justice (ECJ) on July 29, 2019 declared cookie opt-ins to be a duty to warn. However, this information does not seem to have reached all website operators yet. This is at least indicated by a study that I would like to present to you below.
"*" indicates required fields
Study examines interaction with cookie banners
Researchers from Ruhr-Universität Bochum and the University of Michigan analyzed 1,000 cookie notices to find out how cookie banners are currently implemented in the EU. As part of their study, they examined, among other things, the placement of the banners, the number of choices, and whether users were pressured into consent ("nudging").
In addition, over a period of 4 months, more than 80,000 unique visits to a German shop website were investigated to see how users interact with different variations of cookie notices.
The goal of the study is to figure out how to design a cookie banner that motivates users to interact with it in a meaningful way, rather than clicking away from the notice or leaving site .
One finding of the study is likely to raise the eyebrows of many website operators and marketers. Because: The consent rate for tracking was lowest with legally compliant cookie banners.
Specifically, the study examines the following research questions:
- Does the position of the cookie banner affect whether a visitor consents or not?
- Does the number of choices or pre-filled checkboxes ("nudging") influence user interaction?
The most important results summarized
The study found that 58 percent of cookie banners are placed at the bottom of the screen and 93 percent of banners do not block interaction with the website. In addition, the position has an influence on the interaction: Cookie banners in the lower, left part of the screen receive the most attention.
86% of cookie banners do not offer any choice at all, but only inform users that cookies are used. In addition, the majority of banners (57%) try to persuade users to consent ("nudging"). This is done, for example, by visually highlighting the OK button, which confirms all pre-filled cookies, as well as by greying out the further options.
What is the impact of choice on interaction? For more complex choices (e.g., different categories of cookies that must be actively selected), most website visitors do not accept the cookies. However, if the checkboxes are already filled in and the design highlights consent, many users will adopt the default (privacy-unfriendly) settings. High interaction occurs with binary choices (one button to accept and one button to reject all cookies).
In addition, the researchers found that the term "cookies" in the banner reduced acceptance. This suggests that users associate something negative or untrustworthy with the word "cookies". Thus, an alternative headline for the cookie banner could be "Use of personal data" or "Privacy settings".
Die Forschergruppe kommt zu dem Schluss, dass nur ein Bruchteil der Nutzer (<0,1%) allen Cookies zustimmt, wenn der Banner alle Forderungen der Datenschutzbehörden regelkonform umsetzt (einzelne Cookie-Kategorien, nicht vorausgefüllt, kein nudging).
However, according to a Facebook post by lawyer Dr. Thomas Schwenke, it has not yet been decided in court whether the checkboxes of the individual cookie categories may be pre-filled or not. Until this question has been clarified in court, most webmasters will probably opt for the pre-filled option.
In summary, the study shows that the placement, the type of opt-in procedure as well as the design of the banner significantly influence the interaction of the website visitors. The differences in user interaction with the banner were between 5 and 55 percent.
What do you say to the results of the study? Do you already have a watertight cookie notice in place or are you waiting for the ePrivacy Regulation ? I'm looking forward to your comment!
Source: The study results will soon be published in a paper entitled "(Un)informed Consent: Studying GDPR Consent Notices in the Field", which is available to us in the preliminary version. The authors of the paper are Christine Utz, Martin Degeling, Sascha Fahl, Florian Schaub, and Thorsten Holz. The graphics used are from a Twitter thread by Martin Degeling.
Contributed image: Nadine Shaabana | Unsplash