June Update - Do you consent?

The rushed, rough and rogue UX of services getting you to opt-in.

This post is one of our regular monthly blogs accompanying an update to the data displayed on WhoTracks.Me. In these posts we introduce what data has been added as well as point out interesting trends and case-studies we found in the last month. Previous month's posts can be found here: May 2018, April 2018.

This month the site has been updated with tracker data from 370 million page loads during May 2018. We've expanded the number of trackers shown further to over 1,000, and we now show information for the top 1,750 websites. We also have published regional versions of the data for the US, France and Germany, allowing regional disparities to be investigated. This regional data is not yet visible on the site - regional stats are planned for an upcoming design update.

As we mentioned last month, the GDPR has now come into force, which is expected to have an effect on how the data collected via online tracking is handled. So far, the main observation is that sites have deployed complex consent dialogs, trying to get users to consent to being tracked on their sites. We can already observe the rise of third parties offering the services behind these consent dialogs.

Despite the changes in regulation, we see no evidence of a reduction in the number of third parties loaded on websites this month (also when doing a week-by-week analysis). The average number of third-parties loaded on popular websites remained at 8.5, which is the same as in April.

One observable result of the GDPR is a rise in the user of Consent Management Platforms (CMPs) by websites. These services manage the cookie consent notices shown. Now that GDPR is in place, European users should be informed of all services collecting data on the site, and be able to opt-out of certain practices and data collection. This means that these CMPs have become much more prominent, providing deeper controls, and propagating user consent to the third-party services.

The WhoTracks.Me data has tracked the rise of several CMPs appearing this month, as well as existing providers increasing their presence. With our data we can detect where they are present and then compare their approaches to asking for user consent, and we present a short survey of these here:

TrustArc

TrustArc (formally TRUSTe) have been providing cookie consent dialogs since the original ePrivacy regulation introduce the concept. Our data shows that their reach has doubled in recent months as they have obviously gained customers using their services for GDPR compliance.

Their familiar consent popup now has improved opt-out capabilities. These are however hidden behind a More Information link. This popup has not changed from the pre-GDPR options, so users may not realise that improved opt-out options are hidden behind this button. The styling of the button as a link also does not suggest that consent can be configured.

TrustArc Consent popup

TrustArc: Consent popup.

The More Information button leads to a screen where consent can be specified for different cookie types. On the tested site (MyFitnessPal.com) this view had all types enabled by default.

TrustArc Consent settings

TrustArc: Choosing consent settings.

After submitting, we hit a processing dialog. In our testing this processing takes minutes to complete, and blocks access to the underlying page until it completes. This poor user-experience is may reduce the amount of users who will actually take the time to express consent settings. After waiting minutes once, they may subsequently simply agree to all, or just abandon sites who present this dialog.

TrustArc Consent submission

TrustArc: Processing......

Another manifestation of the TrustArc CMP, found on Weather Underground provides a more detailed popup, including details of the third-parties in each category. This version, however, also suffers from a long processing time once consent has been expressed.

TrustArc detailed consent settings

TrustArc: Detailed view

In response to the GDPR, the IAB proposed a framework for propagating user consent through ad-networks. The GDPR Transparency and Consent Framework aims to create a standardised expression of consent which can be passed around ad networks.

In this framework, CMPs are registered and a first party cookie specifies which CMP obtained the consent on this site, and which purposes and vendors are permitted. The CMP code and vendor list are served from a single domain, consensu.org, which means we can measure that it is already in use on 0.5% of sites.

An example of this framework can be seen on SourceForge. In this case, Quantserve acts as the CMP to set the IAB consent cookie. Note this framework allows first-party and third-party consents to be specified separately for a standardised set of purposes.

Sourceforge Consent popup
Sourceforge Consent settings

Quantserve consent dialog, using the IAB framework

Unlike the TrustArc consent, opting out in this dialog is instant. Furthermore, in testing, all options were disabled by default, and a blanket opt out is also made easy.

Cookiebot

A new service which appeared in our data this month is Cookiebot, which is already present on 0.3% of websites. They provide a very simple clean dialog to allow quick specification of consent.

One site using this service is Gitlab. We note here that all options are selected by default, and consent is assumed even if the user does not click 'OK'.

Cookiebot dialog basic view

Cookiebot dialog on gitlab.com.

The 'Show details' button provides more detailed information about which providers and cookies fall under each category.

Cookiebot dialog detailed view

Cookiebot detailed view.

In this case the opt-out is also instant.

OneTrust

Lastly, OneTrust. This service does not appear among the top trackers this month, however we can still see its presence on some sites.

One feature of this CMP seems to be its configurability. We find multiple different levels of options available on different sites. Firstly, the cookie banner, shown on the bottom of the page, may provide configurability via a 'More Information' button. For example on CNN:

OneTrust banner on cnn.com

OneTrust banner on CNN

However, we also found examples where one can only accept, for example on express.de:

OneTrust banner on express.de

OneTrust banner on express.de

Secondly, the information dialog may or may not allow the user to opt-out. We can compare the dialogs on cnn.com and mailchimp.com. On MailChimp, all non-essential cookie categories offer an opt-out, while on CNN the interface only provides information about the category, with no options for the user except accept.

OneTrust Privacy Preference Center on cnn.com
OneTrust Privacy Preference Center on MailChimp.com

OneTrust Preference Center on cnn.com and mailchimp.com

Again, opt-out (when available) is instant.

Conclusion

Since GDPR came into force we have seen a marked increase in cookie consent, many of which block access to the page until consent is obtained. These CMPs aim to standardise the process, making it easier for users to quickly express their preferences. However, as we have seen in this article, the current main CMPs differ in their approach to the problem.

As many publishers main aim from deploying a CMP will be to achieve maximum opt-in, while remaining compliant with the law, there is a strong incentive for platforms to deceive users into consenting. Examples such as TrustArc show some dark patterns which nudge users to accepting all. Platforms which provide clear opt-outs, and leave options unticked by default may suffer for providing a better user experience.

The importance of consent for publishers who rely on advertising revenue, and their willingness to test users' goodwill in order to obtain consent can be seen from this dialog, seen when visiting GHacks having opted out of data collection.

Dialog asking for user to reconsider consent settings

Dialog on seen ghacks.net.

Despite criticism of its method of communicating user consent, the openness of the IAB Framework is welcome, as it opens up the possibility for standardised browser interfaces for consent. This would take control of the consent UX out of the hands of site owners, who will be incentivised to 'cheat', and make it neutral and consistent.