The cookie banners have been part of the Web landscape since the beginning of 2010, following the transposition into French law of two European directives that came into force in 2009. Despite the passage of years and innumerable precisions, brought by the CNIL (Commission Nationale Informatique et Libertés) of France, the settings restricting the trigger tracers, linked to the banner cookie, continue to vary greatly from one website to another.

The entry into force of the RGPD (General Regulation on Data Protection) in May 2018 has put the banner strips back on the forefront, without putting an end to the diversity of existing settings. Which are the most frequent modes of setting up at the beginning of the year 2019? What are the motivations of their adopters? So many questions to which this article proposes to sketch an answer.

The Unthinkable: the absence of a cookie banner

It has become rare, even on sites where the use of tracers and data collection tools is limited, not to note the presence of banner information cookies. Exceptions to the rule of systematically adding this element to its website are difficult to explain. Indeed, there is an innumerable number of cookie banner creation tools, some of which are directly referenced by the CNIL on its site.

To host on its own servers, or made available directly by their publishers, open-source or owners, free or paid, the offer is simply bloated. It’s impossible not to find a solution that meets his needs. With the generalization of tag management tools, the deployment of banners has become the business of a few minutes at most. It is therefore not justifiable, in 2019, to remain without a cookie banner.

The Norm: the lack of consideration of visitors’ choices

While the absence of a cookie banner is now an exception, that of a truly functional refusal mechanism integrated into the banner is the norm on sites managed by organizations with a low level of digital maturity.

Such a state of affairs is most often explained by a lack of knowledge of the legislation that leads website managers to consider that the deployment of the banner is sufficient in itself. It may even happen that no mechanism of the refusal of the tracking is proposed to the user within the banner. Another possible explanation for this state of affairs is the consequent cost of parameterization and/or the lack of competent personnel able to make the necessary modifications.

In the end, the only way for visitors to evade data collection is by blocking cookies on their browser, thereby rendering the visited website unusable. Although contrary to the regulations, because it makes it impossible to access the services offered on the sites where it is implemented, this mode of configuration remains largely proposed on the cookie information pages.

In-between: the default collection of data taking into account user choices

Structures whose level of dependence on digital is more marked and consequently the more developed knowledge and know-how, opt in most cases for default triggering of the tracers. This collection of data from the first page visited, without explicit collection of the user’s consent, is accompanied by the possibility of refusing that new data be collected, when loading a new page of the site, directly via the banner.

The choice of the user is respected, but only after a certain amount of information concerning him has been recorded. The choice of such a mode of parameterization is explained by the need to measure the ROI of the paid acquisition campaigns and more generally by the dependence of these organizations on the collected information in order to implement a strategy of piloting their activity based on data.

Blocking triggering of tracers by default would be tantamount to depriving these organizations of a vital source of information and would result in a sight-based digital ecosystem in which competition is exacerbated and investment is steadily increasing. In this context, full compliance with the regulation, which acts like a scarecrow, is constantly being deferred because of its potential negative impact on the operation of the Web device concerned.

Rational Compliance: the collection of data according to various forms of consent

The most mature organizations generally choose to take a fourth route, which is more expensive in terms of parameterization, but significantly more respectful of users’ privacy. Specifically, it is to block any data collection, as long as the user has not interacted with the first page visited via a click, or visited at least two pages, without expressing an explicit refusal on the execution of plotters.

This approach is in accordance with the instructions given by the CNIL on how to obtain explicit consent from the user. At the cost of an advanced configuration of their collection tools and a loss of certain information, because of the explicit but implicit refusals in the absence of consent expressed by some visitors, these organizations manage to comply with the legislation.

However, there are many players in this category to evolve in a gray area, where the consent in case of scrolling screen, alongside the use of user consent mutualization systems, or the choice of colors and implementation form of banners pushing the visitor to consent.

In Conclusion

“Dura lex, sed lex”, all do not seem to endorse the adage, far from it, so much can be great the complexity and impact on the activity of the websites of a setting of its banner cookie compliant with regulations. The temptation is great to privilege the collection and the exploitation of the data, on the respect of the right. There is no reason to believe that this fundamental trend, observable over the last decade, will evolve in the years to come.