Data protection and puzzles: what do they have to do with each other? More than expected

Solving a classic puzzle can also have implications for data protection. Read on to find out why!

Recently, I came to some important and far-reaching conclusions regarding data protection on the Internet. For me, these findings were the most remarkable thing I have personally been able to come up with recently. As far as I know, some of these findings are not at all or only very little known.

What were these findings and how did they come about?

Findings

I started with my extensive investigation of Consent Tools. I put all these tools, which I consider widely used, to a practical test. The final document is over 90 DIN A4 pages long. In addition, I looked at websites that use so-called cookie popups. Here I had some difficulty making a legal assessment. Nevertheless, so many findings were made that could be easily justified as defects that I gave the result the name Cookiegeddon.

I sent the study to the non-profit data protection organisation noyb. noyb is an abbreviation for None Of Your Business, which means "It's none of your business". Shortly afterwards, I was asked if a video conference could be arranged. The team at noyb, including lawyers, needed support in evaluating technical circumstances that are standard on websites.

The lawyer asked me what information is stored in the user's end device. The answer to this question is fundamental, because the ePrivacy Directive, in Article 5, paragraph 3, formulates it as a criterion for a duty of consent. From this short discussion and further investigations, aha moments emerged. After that, it suddenly became easy for me to perform a technical and legal assessment of important circumstances on websites.

Insight: Cookies are not text files

Cookies are not text files: This statement seems brief, but says a lot about the data protection market in Germany. A few who are considered competent make a recommendation or statement. All others seem to trust these experts almost blindly and write down what is given.

So it was with cookies, too. Almost every data protection declaration still contains a false statement about cookies: cookies are equated with text files. That this has never been true and is even more wrong today is proven by my article on cookies. Cookies are not text files. Cookies are datasets.

Although I provided proof there that cookies are not text files, I had to get involved in a discussion with someone who still clings to this belief. The person, whom I know reasonably well from a lengthy phone call and several emails, only believes this, I assume, because it is convenient. Too many incorrect data protection declarations would have to be corrected if this mistake were admitted. I think it's okay to admit the mistake. After all, I had also copied it incorrectly. To make sure this doesn't happen to me again, I've been doing my own intensive research for some time now and exposing false information with evidence. The evidence approach also comes from the fact that I no longer want to struggle through tedious discussions and act as a petitioner when someone commits data protection violations.

Insight: Information stored in the user's end device

The ePrivacy Directive refers in Article 5, paragraph 3 to the fact that consent is required for access to information stored on the user's end device. This applies, provided no legitimate interest exists, which should only be cited in this scenario if it concerns the management of registered users or similar fundamental core functions.

My intention was to find out which information is stored in the user's device. I found that this is not the IP address, at least not in the sense of the ePrivacy Directive. By the way, I also found that cookies are not text files and why the ePrivacy Directive is also called the cookie directive.

Insight: The cookie catastrophe

The cookie catastrophe will cause the collapse of popular consent tools, at least I hope so. In any case, the well-known providers of consent tools regularly pretend that websites can be made GDPR-compliant with their miracle tools. This may be the case in very rare cases. These cases are primarily characterized by the fact that very few, easily manageable tools are used. One example of such an easily manageable tool is Matomo, preferably in a local installation.

As soon as a website, however, uses tools from Google, Facebook, Vimeo, Adobe or other companies of this category, these tools cannot work reliably. The reasons for this are partly even provable and can be read in my article on Cookie Popups.

In addition to this theoretical proof, I have also provided evidence of the failure in practice of all consent tools I am familiar with, which I have dubbed Cookiegeddon. In my Cookie Blocker practical test, among other things, websites of large companies and those of providers of such consent tools were examined. All failed miserably; that is my conclusion, which can be proven (if only because not everyone would be happy when I say something like that).

Whoever wants to know how difficult or impossible it is to create a legally compliant consent query should look at my checklist for consent queries on websites.

If you want a practical example of the failure of the more well-known service providers and lawyers who are considered trustworthy, you should read my article on Google Tag Manager. There I prove, with the help of a video, that the Google Tag Manager is not a cookie-free domain. Rather, it is a tool – one could have come to this conclusion without me. Furthermore, it is not cookie-free – this is already more difficult to understand, but should be known to alleged web page data protection experts. Why lawyers are considered experts here was and still is a great riddle for me.

Insight: Consent requirement for the numerous tools from Google & Co.

Objectively, it can be shown that many Google tools, including Google Maps and Google reCAPTCHA, but also embedded Vimeo videos, require consent. This is not my personal opinion, but rather technically and legally derivable. I have had my derivation confirmed by an IT lawyer. Google Analytics in its standard form also falls under the obligation to obtain consent. You no longer need to justify yourself through references to the opinions of data protection authorities. Simply prove it after studying my contributions.

Insight: Consent requirement for Google Fonts and other auxiliary files

The consent obligation for Google Fonts can be derived clearly from, among other things, the data minimization principle of Art. 5 GDPR. Whoever brings up the speed argument should use their own file server or rent a GDPR-compliant CDN. The same applies to any other type of auxiliary file that does not reside on a third-party server with which a valid contract for commissioned processing has been concluded. By auxiliary files I mean the following external files:

  • Fonts
  • Images
  • Style files (CSS)
  • Videos
  • JavaScript libraries

Even YouTube videos without cookies require consent due to the principle of data minimization. Nobody can credibly justify numerous data transfers to several addresses (domains) taking place without the embedded video even being played. Exactly this can be proven, however, when YouTube videos are embedded via a script.


Summary

My findings from the last few weeks are:

  • Cookies are not text files. This disproves a very widespread misconception
  • Consent tools do not work in practice. This refutes what hundreds of thousands of website operators believe to be true
  • Consent tools do not work in theory
  • Within the meaning of the ePrivacy Directive, cookies are primarily stored on the user's end device, but not the IP address
  • Every tool is potentially afflicted with cookies. All it takes is a single website worldwide to bring such a cookie into play
  • Most popular tools for websites require mandatory consent
  • The transfer of data to insecure third countries does not usually have to be used as an argument when deciding whether a tool requires consent
  • Consent requests can hardly be made legally secure

I find that remarkable. If you see it differently, please write to me! I am open to arguments.

The path to knowledge

What does all this have to do with puzzles? Nothing at all, actually. The question that came up was: How did I arrive at these insights and the associated evidence, and why now rather than earlier? After all, I've been intensively dealing with digital data protection for several years.

It takes a long time to understand all legal requirements. Among other things, I had to familiarize myself with some usage conditions of tools like Google reCAPTCHA in order to proceed further.

Apparently, you have to deal with a complex topic for longer before new thoughts and insights emerge.

Challenge with a third party who wants to know exactly

What was certainly helpful was the discussion with a lawyer from noyb, who pestered me to understand more about the technicalities of websites. This was important for him in order to prepare a complaint against a data protection offender. We had the same basic mindset: believing something and being able to prove something are two different things. That's why I took up his question about the video link and answered it as best I could. That was enough to put an end to the question.

As a data protection officer or a person interested in data protection, you are probably familiar with this situation: you are personally quite sure that something is wrong and violates data protection rules, but you cannot make it plausible to your counterpart (customer, interlocutor, data protection objector, …).

It's been a long time since it was similar. Now a status has been reached where there is no longer any need for discussion. The facts are overwhelming. It remains to be seen what the new ePrivacy directive will bring, which partly shows a positive development, but also some setbacks. At least, it will take some time until the new version of the directive is agreed upon and comes into force.

But even after that, some facts still apply:

  • Transparent, easily understandable and comprehensive information must be provided on all processing operations.
  • Access to information on the user's end device (usually via cookies) is only permitted within narrow limits.
  • Cookies are not text files and never will be.
  • For tools from popular providers to be subject to cookies and therefore potentially subject to consent for this reason alone, it is sufficient for there to be a single website in the tool's domain worldwide that generates cookies. This cannot be said often enough, because the implications of this statement are shaking up the entire cookie market.

Puzzles sharpen perception and combination skills

Now to the puzzles and the connection to data protection.

The longer you work on a specific puzzle, the more likely you are to be able to directly recognize the finest differences in colour. What seemed unthinkable at the start becomes a matter of course after a few hours. This was also the case for me when I tried to derive the consent requirement for Google Analytics and other tools in a watertight manner, which I ultimately succeeded in doing. It took me a few weeks and over 100 A4 pages of text to present the results of my research.

I'm not sure whether puzzling sharpened my senses, whether it was by chance or hard work. In any case, I'm sure puzzles help a lot in sharpening the mind and perceptual skills. In any case, I can highly recommend such a side activity.

If you're also interested in things other than data protection and want to start puzzling, here are a few tips for solving puzzles:

  • In reality, puzzling is about breaking down a complex problem into manageable sub-problems. Doing a puzzle means deliberately breaking it down and then putting it back together.
  • In very good lighting conditions, intuition often trumps mechanical trial and error (analogous to playing golf).
  • First find the edge pieces.
  • Edge pieces can be found more quickly if the puzzle pieces are turned over.
  • Sort the puzzle pieces by color or area.
  • After looking at a few pieces, you can see which colors and patterns are common enough, but not too common, to put them in a pile (or next to each other; piles are a bad idea for puzzle pieces).
  • Probably only absolute professionals are able to carry out a complex sorting process almost error-free. That's why I recommend only focusing on one or two criteria at a time to avoid getting confused. For example, first find the edge pieces, then sort the colors and not both in one go. This is certainly the wrong strategy for a puzzle world championship. For the average mortal, it is more fun and produces fewer mistakes that would destroy the productivity initially gained.
  • Plastic containers are suitable for sorting, as are puzzle lids (do not use the lid with the cover picture of the current puzzle, unless you like challenges).
  • Puzzle pieces are best recognized on white sheets of paper. A3 format or larger.
  • If a puzzle piece fits remarkably well, even though it doesn't fit in the end, there is a high probability that it will find its final place near the assumed location.
  • Depending on the quality of the puzzle, it can even happen that edge pieces only seem to fit in one position.
  • Unfinished puzzles can be transported on sheets of paper from an artist's supply store. To do this, place the puzzle on such a sheet, or use cardboard or an artist's canvas. Puzzle mats are often too expensive.
  • A daylight lamp is the best choice after daylight. If you only have a floor lamp, place it on the table so that the distance between the lamp and the puzzle surface is as large as possible.
  • Start by solving 500-piece puzzles, then 1000-piece puzzles. Or start directly in pairs with a 1000-piece puzzle.
  • In addition to the color of a part, the design of the bulges and protrusions is often a good distinguishing criterion. Sometimes you can only find a part because it has a particularly distinctive shape.
  • In the end game, when there are only a few pieces left, it helps to sort the pieces according to their basic shape. There are six basic shapes for puzzle pieces.

Do you also do puzzles? I would be delighted to hear from you about this, as well as about your experiences with data protection or article suggestions. An article will be published shortly that looks at when it can make sense to use consent tools. However, you should refrain from using the well-known cookie tools. I will soon be providing a free one that is more effective and honest than the advertising promises you are probably all familiar with.

Incidentally, I would recommend that the better-known puzzle stores take a very critical look at their websites with regard to data protection regulations. It could be that someone will soon contact them and, in the best case, want information on data processing procedures. A tool will soon be available for this purpose, with which such requests can be created almost automatically for many websites.


About the author on dr-dsgvo.de
My name is Klaus Meffert. I have a doctorate in computer science and have been working professionally and practically with information technology for over 30 years. I also work as an expert in IT & data protection. I achieve my results by looking at technology and law. This seems absolutely essential to me when it comes to digital data protection. My company, IT Logic GmbH, also offers consulting and development of optimized and secure AI solutions.
