“Cookie Monster”
Communications of the ACM, July 2022, Vol. 65 No. 7, Pages 30-32
Privacy
By Lorrie Faith Cranor
European privacy laws requiring opt-in informed consent for the use of tracking cookies on websites gave rise to the now-ubiquitous cookie consent banner. Subsequently, less stringent laws in the U.S. and elsewhere have led to websites that set cookies from the get-go but display cookie banners that offer opt-outs. The Web is now littered with inscrutable cookie banners that do not seem to provide any functionality, do not deliver on claimed opt-outs, use dark patterns to nudge users to consent to all cookies, or leave users puzzled. Users respond to these misguided compliance efforts by clicking whatever seems most expedient to get obtrusive cookie banners out of the way, providing consent that is anything but informed.
We have been studying cookie consent banners in my lab at Carnegie Mellon University to gain insights into how banner design impacts user comprehension and what cookies they accept. In one study, we created a retail website and recruited participants to test it out. We randomly assigned more than 1,000 U.S. participants to see one of 12 cookie banners on the website while they were shopping. After they completed the shopping task, we asked them questions about what they had consented to and why, as well as their comprehension of words used in the banner.
Our results demonstrate that when users can just as easily select any of the available cookie options, they accept fewer cookies than when it is easiest to accept all cookies. Similar to previous studies in Europe, we found that when a banner sits unobtrusively at the bottom of the screen, many users do not interact with it, and thus end up with the website’s defaults (in the U.S., the default is usually to accept all cookies). When we replaced the banner with a persistent “cookie preferences” button that floats in the bottom-right corner of the browser, no participants interacted with the cookie preferences button at all. Beyond academic studies, A/B testing of cookie consent banners on company websites demonstrates banner design has a large impact on opt-in rates.
To help illustrate some of the problems with cookie banners, let’s look at cookie banners for four professional organizations of which I am a member. I trust these organizations and do not believe they are trying to do anything nefarious, yet some of their cookie banners leave me perplexed.
About the Author:
Lorrie Faith Cranor is Director and Bosch Distinguished Professor in Security and Privacy Technologies, CyLab Security and Privacy Institute and FORE Systems Professor, Computer Science and Engineering & Public Policy, Carnegie Mellon University, Pittsburgh, PA, USA.