Why most Cookie Banners are Doomed to Fail
Cookie Consent Solutions
The UX implications
Giving or denying your consent to tracking you on every website you visit is already a burden, as it often creates an additional step before being able to access the content of the website. While this is bothersome already, most cookie banner make it fairly difficult to only accept the “essential” cookies that do not require consent. Instead they try to nudge the users towards giving consent, hiding the deny option in complex settings or tiny text buttons, saying “Only essential cookies”.
The point where all this feels even more like a setback rather than an advancement for privacy is when even after jumping through hoops to only accept the essential cookies, you still notice a bunch of obvious tracking cookies being set in your browser by that website.
There are two main reasons for tracking cookies to be set without consent:
- Bad intent: The website operator breaks the law to better get insights into their user base
- Technical challenges while implementing the cookie consent solution.
The reason for those technical challenges lies in the way most cookie consent solutions work. For them to function correctly the website developer needs to move all code that sets cookies into a special function of the cookie consent solution. After the website visitor accepts the cookies, that function is then called and all the cookies are set. In a world where everyone builds their own website from scratch that might be an acceptable solution. In reality, however, most websites use content management systems like Wordpress with a ton of plugins and embedded content. In order to properly implement a consent solution on sites like that, the user would need to modify the plugins and the CMS to move all cookie setting code to the special function of the cookie banner. What happens in reality is, that the website owner installs a random Google-Analytics Plugin from the Wordpress store which injects the Google-Analytics snippet somewhere in the pages HTML code, well out of reach of any classical cookie consent plugin. As soon as the page is now loaded, the Google-Analytics snippet is executed and the tracking cookie is set, violating the GDPRs rule for processing personal data. This shows that:
Cookie consent solutions that require the website operator to move code somewhere, are doomed to fail!
How to fix cookies being set without consent?
In order to block cookies that need consent we need to focus on the different ways a cookie can be set:
- Via the set-cookie header on a request
- Within IFrames
Blocking cookies set by requests
Here we have to differentiate whether the request is send by the domain, that our cookie consent solution is deployed on (first-party) and requests to third party services (third-party).
In case of a third-party request we are not able to block the cookie on the server of the third-party. In that case we must prevent the request itself to block the cookie. Third-party requests can be executed in various ways (e.g. by <img> tags, scripts or through XMLHttpRequest). Due to optimizations of the web browsers some of the blocking has to be done server-side by modifying the HTML response body that is send to the website visitor.
Blocking cookies set in IFrames
If the IFrame shows third-party content it is usually not possible for us to access its content due to the Same-Origin-Policy (SOP), implemented in almost all browsers. We therefore need to block the IFrame entirely if tracking cookies are set within.
Given the various ways that cookies can be set, it is necessary to meticulously create a configuration for the cookie consent solution of which cookies, third-party requests and IFrames to block. Additionally, it is necessary to update that configuration every time new cookie-setting content is added. As it is unrealistic that such a task is properly completed by non tech savy website owners or even developers, it is necessary to automate the process. By analyzing the website from a visitors perspective it is possible to autonomously create a list of all the cookies and where and how they are set.
Given the list of cookies on the website, it is still necessary to classify them whether they require previous consent or not. As most websites use similar libraries and services, we were able to create a large database of information about specific cookies. With the help of clever filter rules we are then able to automatically classify the cookies and their requirement for consent. Additionally, we are often able to map them to a specific service, allowing us to give detailed insights in their usage by third-parties. This is necessary as we need to inform website visitors about the third-parties that process their personal data.
Putting it all together
If we now combine the results of the scan with the information from the database and use it to configure our cookie consent plugin, we get a self-configuring cookie consent solution that automatically blocks cookies wherever they are set, allowing website owners to focus on their content.