Last Saturday, I handed in a paper on cookie banners. Yes, that's right — I wrote 2,500 words on the little pop-ups that tell you how a website plans to (ab)use your personal data and who they sell it to. But as long as they ask for your consent, that is fine, right?
Well, that depends on how you define consent. When I dove into research on cookie banners — oh, and there is plenty on this seemingly boring topic — I found that there is a whole industry built upon and lots of psychology behind making you click 'accept all'. This was to be expected; after all, we could suspect why this button is usually so green and clickable. But putting my hand down the cookie jar was worse than I could have imagined.
But let's first go back to 2011— the year in which 'Rolling in the Deep' charted and the ePrivacy Directive was amended to gift us beautiful new pop-up windows. This not-so-small piece of legislation required websites to ask for consent before collecting personal data that is used for marketing and tracking purposes. And because websites had to find a way to ask, they invented the annoying banners.
Over time, companies discovered behavioral influence and nudging and figured out that people are more likely to give their data if the respective button is green and all the other options are almost invisible or overly time-consuming. The best part, companies had — and still have — all the freedom to design their banners accordingly and even add small puns about baked goods.
Why should you care?
Well, that depends. But to give you an idea: the global data broker market, the market that buys and resells personal data — which cookies are a part of— was valued at 250 billion USD in 2020. Somebody makes money off of this, and it is certainly not you. Are you sure that you are not the one paying?
A little example: You use a website and provide your data for free. The website sells your data to a data broker, which, in turn, sells it to another company. This last company can then use it to catch you in a weak moment with a precisely targeted ad, and boom — you have a new, fancy washing machine you did not know you needed. In this chain, three parties earned money, and you are none of them.
In fact, you paid twice: Once with real money and once with your data.
Let us fast forward to the part where it gets even worse. One important requirement of the European General Data Protection Regulation for consent is that it is freely given and that…
…users have to be able to access a service [webpage] regardless of their choice.
Otherwise, it also would not really constitute consent, right? Well, but not with cookie walls.
I urge you to go on Bild.de, derStandard.at or gutefrage.net and have a look at the banners. If you do not have a translator browser extension or generally prefer to avoid the German language (understandably so), I will break it down for you:
They present you with two options. Paying for a monthly subscription or accepting tracking and cookies. This forces you to accept the cookies — or pay (but who really does that?) — if you want to use the website. Instead of asking for consent, this seems to be more of an eat-or-die approach or, in other words, choke on our cookies or leave our website.
But let's have a look at what the authorities say. The Austrian Data Protection authority evaluated the cookie policy of the Austrian newspaper derStandard. Since the newspaper generously offers to spare your data for a small fee of 8 Euro per month, the Austrian court decided that this does not violate the GDPR because it is not disproportionately expensive. No, really, that was their statement.
So, companies can sell you your own right to privacy, as long as they do not make it disproportionately expensive.
I am aware of the fact that Bild.de and derStandard.at are newspapers. They are more likely to have their articles behind a pay-wall anyway, as subscriptions are their main source of profit. However, this argument does not hold when websites go even further and deploy double pay-walls. The newspaper Welt.de, for example, offers to spare your data for a small fee just like its competitors. Should you, however, be as unlucky as trying to access premium content, you are greeted by yet another pay-wall. This means that you could agree to the processing of your personal data, thinking it will lead you to the desired article, and still end up having to pay.
What strikes me is the arbitrary price that is put on consumers' privacy, which is completely disconnected from the website's content. The informed in 'informed consent' has always been an issue with cookies. But now, people are asked to decide between paying money or being tracked — with the consequences of the latter being obscure to most users.
Beyond preying on users' lack of knowledge on personal data management, this practice gives birth to a new facet of surveillance capitalism — a term coined by Shoshana Zuboff. Her concept explains how personal data is commodified and sold back to the user, for example, in the form of precisely targeted ads. Cookie pay-walls even take it a step further by giving websites the opportunity to monetize the initial choice in itself. As a result, a user's preference can be commodified regardless of whether they want to share their data or not.
