Pixel Envy

Written by Nick Heer.

Examining the Terraced Privacy Policies of the Hundreds of Companies With Which a Website May Share Your Data

Gary Warner:

But that isn’t today’s topic. Today, we look at how GDPR is being interpreted to require websites to share information about their cookie policies. This morning as I was reading the news, The Guardian popped up a little box on my iPad asking me if I’d like to consent to their Cookie Policy.

[…]

There are 577 Vendors to whom this policy applies.

And guess what, each of them helpfully has a Privacy Policy of their own! If you would like to see what each of THEM is going to do with your data, you need to read an additional 577 Privacy Policies.

Imagine doing that for every single widely-used website.

Bottom line? GDPR is not protecting you from ANYTHING. It has created an impossible legal hurdle which guarantees that you will NEVER HAVE PRIVACY AGAIN. (While simultaneous [sic] GRANTING privacy to those drug dealers, malware distributors, and human traffickers that we are trying to identify.)

I’m not sure where Warner gets the idea that GDPR grants enhanced privacy to criminals, but I sympathize with his claim that it isn’t adequately protecting users — though I do not fully agree. For a start, this conversation is only possible because people are aware of the issue, and few would be aware of it without the debate over GDPR and its subsequent enactment.

More relevant, however, is that many of these consent notices violate the law, according to reporting by Natasha Lomas of TechCrunch:

For the study, the researchers scraped the top 10,000 U.K. websites, as ranked by Alexa, to gather data on the most prevalent [consent management platforms, or CMPs] in the market — which are made by five companies: QuantCast, OneTrust, TrustArc, Cookiebot and Crownpeak — and analyzed how the design and configurations of these tools affected internet users’ choices. (They obtained a data set of 680 CMP instances via their method — a sample they calculate is representative of at least 57% of the total population of the top 10,000 sites that run a CMP, given prior research found only around a fifth do so.)

Implicit consent — aka (illegally) inferring consent via non-affirmative user actions (such as the user visiting or scrolling on the website or a failure to respond to a consent pop-up or closing it without a response) — was found to be common (32.5%) among the studied sites.

[…]

They also found that the vast majority of CMPs make rejecting all tracking “substantially more difficult than accepting it” — with a majority (50.1%) of studied sites not having a “reject all” button, while only a tiny minority (12.6%) of sites had a ‘reject all’ button accessible with the same or a smaller number of clicks as an “accept all” button.

As Lomas points out, enforcement of GDPR remains lax and compliance continues to be poor. Despite these weaknesses, GDPR and its Californian cousin are having a limited positive effect. Better regulatory frameworks are needed to govern how personal data is stored and used, and to limit how much of it monolithic companies can hoard.

Who knows? Maybe we’ll get to a point where people can once again visit websites with the confidence that they are not being mined, stalked, preyed upon, or taken advantage of.