“Do you accept our cookies?” : how companies try to deceive you


“If it’s free, you are the product.” According to Laurent Chemla, computer scientist and author of the book Confessions of a thief: Internet, confiscated freedom, it would be more accurate to say “you are the product, it’s not free”. Web platforms that offer their services free of charge very often require something in return, in particular by capitalizing on our attention and our data. To do this, they do not hesitate to resort to misleading designs: dark patterns, interfaces carefully designed to trick or manipulate users by exploiting aspects of human psychology in order to get them to do things they wouldn’t do under other conditions. Their objective is to maximize the platforms’ profits by pushing you, for example, to share your personal data with companies that will process it to your disadvantage, with a view to pushing you to consume and sometimes infringing on your privacy.

Some dark patterns aim to harvest your data using manipulative design within cookie consent systems. Since the implementation of the General Data Protection Regulation (GDPR), Internet users must be informed that various actors (advertising agencies, service providers, social networks, etc.) monitor their behavior and consumption habits using trackers: the famous cookies. Some are invisible and exempt from consent, as they contribute to the proper functioning of services, for example those intended for authentication. Others require your free and informed consent.

To obtain it, you are shown banners that cover part of the page, or even block it completely, preventing users from doing anything until they have configured the various options of their consent. These banners frequently contain dark patterns that use various strategies to make it more likely that you consent. Among them are “forced action”, where users are required to accept cookies to access all the site’s functionalities; “interface interference”, where users are encouraged to click on the “accept all” button because its design is more attractive than that of “refuse all”; and the “obstruction strategy”, where users have to make more than two clicks to refuse all cookies present on the site.

Misleading design 1 – Protection of personal data 0

The result? “3% of users are actually willing to approve cookies, but more than 90% are pressured into saying yes by the misleading design”, illustrates Max Schrems, founder of the NGO None of Your Business (NOYB). A scientific study by a team of Danish researchers in human-machine interaction makes it possible to better understand the problems posed by the design of cookie consent banners. In September 2019, these researchers used a scraping method (a technique that consists of using scripts to extract a very large amount of data from websites in order to build databases) on 10,000 sites in the United Kingdom. It appeared that only 11.8% complied with the three legal requirements for consent to be valid under the GDPR, namely: explicit and informed consent, acceptance of cookies as simple and accessible as refusal, and the presence of granular choices allowing consent at all levels. If we take the first rule, we observe that 50.1% of the sites tested did not have a “refuse all” option for cookies. And among those that had it, only 12.6% had made it accessible with at least the same number of clicks as the “accept all” option. 74.3% of “decline all” options were accessible after two clicks, 0.9% after at least 3 clicks.
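The criteria above (a “refuse all” option, refusal in no more clicks than acceptance, no more than two clicks to refuse, equal visual weight) can be checked mechanically once a consent flow is written down as screens and buttons. The following is an added example, not code from the study or from this article; the flow format, the sample banner and the function names are assumptions constructed for illustration.

```python
from collections import deque

# Constructed consent flow: each screen maps to its controls.
# A control is (label, target, visually_prominent). The targets
# "ACCEPT_ALL" / "REJECT_ALL" end the flow; any other target names a screen.
SAMPLE_FLOW = {
    "banner": [("Accept all", "ACCEPT_ALL", True),
               ("Manage options", "settings", False)],
    "settings": [("Accept all", "ACCEPT_ALL", True),
                 ("Advertising partners", "vendors", False)],
    "vendors": [("Reject all", "REJECT_ALL", False)],
}

def min_clicks(flow, outcome, start="banner"):
    """Breadth-first search: fewest clicks from the first screen to an outcome."""
    queue, seen = deque([(start, 0)]), {start}
    while queue:
        screen, clicks = queue.popleft()
        for _label, target, _prominent in flow.get(screen, []):
            if target == outcome:
                return clicks + 1
            if target in flow and target not in seen:
                seen.add(target)
                queue.append((target, clicks + 1))
    return None  # outcome cannot be reached from the first screen

def audit(flow, start="banner"):
    """Return a list of findings; an empty list means no pattern was detected."""
    accept = min_clicks(flow, "ACCEPT_ALL", start)
    reject = min_clicks(flow, "REJECT_ALL", start)
    findings = []
    if reject is None:
        findings.append("no 'refuse all' option reachable")
    else:
        if accept is not None and reject > accept:
            findings.append(f"refusal takes {reject} clicks, acceptance {accept}")
        if reject > 2:
            findings.append("obstruction: more than two clicks to refuse all")
    first = flow.get(start, [])
    accept_prominent = any(t == "ACCEPT_ALL" and p for _, t, p in first)
    reject_prominent = any(t == "REJECT_ALL" and p for _, t, p in first)
    if accept_prominent and not reject_prominent:
        findings.append("interface interference: only 'accept all' is prominent")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_FLOW):
        print(finding)
```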

These authors also conducted an experimental study with 40 participants to determine whether the design used could affect consent to data sharing. The results show that the banner style (dialog boxes or pop-up windows) does not affect the level of consent. On the other hand, the choices offered in terms of consent significantly influence the choices of Internet users.

Removing the “reject all” option from the first page increases cookie consent by 22-23%, regardless of banner style. This study also shows that offering more granular consent options on the first page reduces user consent by 8-20% depending on the number of options offered. This work shows that the design of the banners can influence whether consent to data sharing is obtained… which is therefore no longer so free, nor so informed. These are unfair practices and Internet users are not naïve: interviews carried out as part of this study confirm that they are aware that the design of the banners manipulates their consent to data sharing. The design and choice of obstruction dark patterns therefore influence consent to cookies to the detriment of the will and interests of users.

A diet against cookie overdose

The GDPR is a real step forward for European Internet users, but it is visibly poorly implemented by digital platforms. For Olivier Blazy, researcher in cryptography at the Ecole Polytechnique, “digital companies have poorly anticipated the entry into force of the GDPR. It has been 5 years now, and some companies still seem to be discovering it. Data protection authorities are doing what they can to encourage companies to adapt, but these authorities clearly lack the means to do so”.

With the arrival of the Digital Services Act (DSA), one would hope that the problems related to consent for the sharing of personal data would come to a solution in the years to come, but it will not be so simple. “The DSA will potentially apply a layer of sanctions and give the main principles of good conduct for companies. We have to see if manufacturers will want to make an effort”, continues Olivier Blazy.

While waiting for the situation to improve, the researcher therefore offers a few solutions to better protect themselves: “Activate the ‘do not track’ option on your browser, which at least allows you to protect yourself from tracking cookies (from companies that play the game, but it’s one of the beginnings), or install add-ons limiting known cookies, or tracking blockers such as Privacy Badger, very easy to use and invisible on a daily basis”.

* Séverine Erhel is a lecturer in cognitive psychology at Rennes II University
