Blogs | Privacy and data protection | Online tracking industry / AdTech | Platform regulation | Profiling practices

Say “no” to cookies – yet see your privacy crumble?

By EDRi · December 18, 2019

Cookie banners of large French websites turn a clear “no” into “fake consent”. EDRi member noyb has filed three General Data Protection Regulation (GDPR) complaints with the French Data Protection Regulator (CNIL).

Relying on the open source extension “Cookie Glasses” developed by researchers of the French institute Inria, noyb identified countless violations of European and French cookie privacy laws. noyb found out that the French eCommerce page CDiscount, the movie guide Allociné and the fashion magazine Vanity Fair all turn a rejection of cookies by users into a “fake consent”. On 10 December 2019, noyb filed three formal complaints with the French Data Protection Authority (CNIL).

Despite users going through the trouble of “rejecting” countless cookies on CDiscount, and Vanity Fair, these websites have sent digital signals to tracking companies claiming that users have agreed to being tracked online. CDiscount has sent “fake consent” signals to 431 tracking companies per user, Allocine to 565 and Vanity Fair to 375, as the analysis of the data flows show.

Among the recipients of this “fake consent” are Facebook and the online advertising companies AppNexus and PubMatic. These companies have consequently placed tracking cookies after users have clearly objected to all tracking.

The main association for online tracking businesses, the Interactive Advertising Bureau (IAB), created a framework that plays a key role in this. All websites used the “IAB Transparency and Consent Framework”, an industry standard behind most cookie banners to communicate what noyb believe is “fake consent”. Only Facebook does currently not use the IAB Framework – but still placed cookies without consent.

Every user should be entitled to receive a clear information regarding the setting of cookies on their device, and each data controller must ensure the respect the user’s choice: refusal or acceptation of such setting.

Article 80 of the General Data Protection Regulation (GDPR) foresees that data subjects can be represented by a non-profit association. noybfiled complaints against the “fake consent” on behalf of the data subjects with the French Data Protection Regulator (CNIL).


Say “NO” to cookies – yet see your privacy crumble? (10.12.2019)

Complaint, CDiscount (10.12.2019)

Complaint, Allociné.fr (only in French, 10.12.2019)

Complaint, Vanity Fair (only in French, 10.12.2019)

Do Cookie Banners Respect my Choice? Measuring Legal Compliance of Banners from IAB Europe’s Transparency and Consent Framework

AIB: TCF – Transparency & Consent Framework

(Contribution by EDRi member noyb, Austria)