2022/12/15 23:07:00

A Deceptive Privacy Consent Banner

Or, a case study in what not to do.

a cookie banner on goto website — Click Here they say

It started innocently enough. Accept the obvious blue button or choose "Change Settings" to see what you're accepting. Let's choose to change settings.

Up pops this overlay. By clicking the X in the upper right corner, you're basicaly clicking the "Agree and Proceed" button, once again, highlighted in a blue button. What happened to the settings I wanted to change? There's only 1 clickable link in all that text. Welp, click away I guess. Let's "learn more information".

What the heck is this? Once again, the prominent blue button encouraging you to click it. JUST CLICK IT YOU KNOW YOU WANT TO! It would be a shame if you didn't click that BIG BLUE BUTTON. CLICK IT! DO IT! DO EEEEEEEEEEEEEEEEEEEEET!

Ok, no. Instead let's try to decipher whatever this is telilng us. So, the NO and YES are both in greenish colors. Does the YES in white letters on a green background mean that's what is currently selected? Meaning, accept all these cookies, conveniently collapsed so you can't see to what you're agreeing? Let's click on things and see what happens.

Also, what are these REQUIRED COOKIES? These cookies so important I cannot opt out of them or the entire site falls apart.

So, like a monkey, I figured if I clicked on enough things, I'd accidentaly either write a Shakespeare sonnet or opt-out of cookies. The YES is still in greenish, now a green font on a white background. The NO is now a white font on a gray background. Gray is bad now?

Let's go back to those REQUIRED COOKIES. So required that the space-time fabric of this website will fall apart if a user is allowed to deselect them.

Uhh, that's a lot of domains. And each section has their own Terms of Service and Privacy Policy. How nice, I get to read 100+ pages of legalese to attempt to understand what they do with all my data as collected from the website.

Let's open all the collapsed sections. What is in these sections that they have to hide them by default?

Holy crap! An entire Internet of domains and cookies can and will be set in my browser. Uhh, huh. wtf.

Well, after all that, I still only have one choice: Submit Preferences, again in a big blue button. At least instead of storing all of the cookies available on the Internet, I just have a few thousand domains to choose from. Eat all the cookies!

From inside the browser, these are the required 21 cookies! Required. You can not and shall not opt out.

Luckly, the browser stores all cookies in a SQLite database. Let's open it up and see what are these super cirtical cookies I just *had* to accept.

Wait a minute! I agreed to one of the 5 million possible required domains or subdomains. Yet, the required cookies doesn't list trustarc.com. So they violate the policies on behalf of their customer? Lying liars and the lies they tell...through privacy consent polices.

Anyway, all this ran in a dedicated private window. This means that all the cookies were removed when I closed the tab.

If this is the start of their customer relations, I don't need it. And really, my emplorer doesn't need to use it. We even had a budget! Oh well, their loss.

You should also read:

Online Privacy and You

Opportunities with California Privacy Access Requests

Privacy Professor Podcast