Study: GDPR Increased Cookie Banners and Privacy Policies
A recent study of cookie consent banners and privacy policies before and after the GDPR effective date of May 25, 2018 offers interesting insights into cookie notices and privacy disclosures across the top 500 websites in each of the 28 European Union member states (a total of 6,759 websites). For businesses looking to benchmark their cookie banner and privacy policy disclosures against their competitors, it provides a high-level overview to get started.
Cookie Banners
The study found that 62.1 percent of the surveyed websites displayed a cookie consent notice in June 2018. The number was up 16 percent from January 2018, only six months before. The GDPR compliance process is the best explanation for the jump.
However, the majority of websites continue to rely on opt-out consent mechanisms rather than an opt-in process. Of the thousands of sites checked by the researchers, only a few dozen asked for explicit, opt-in consent before setting cookies. There are three possible explanations for this decision to avoid opt-in. First, the businesses aren’t relying on consent for the processing of the cookies and are only concerned about the ePrivacy Directive when displaying the cookie notice. Second, the businesses could be waiting for the ePrivacy Regulation (ePR) to be finalized before they make major changes to their cookie disclosures and hoping that the Data Protection Authorities (DPAs). Or, finally, the businesses may simply be making a calculated decision to implement the same practices as everyone else and only change their cookie notice once a DPA tells them to do so.
The researchers went through each one of the websites to determine what type of notification the users were getting from the organization. The top cookie banner in use was the confirmation only banner, followed by no option and then checkboxes.
Here is how each category of banners was defined by the researchers:
No Option: Simply informs users about the site’s use of cookies.
Confirmation Only: Features a button with affirmative text to express the user’s consent, but no option to decline the cookies.
Binary: Provides the option to explicitly agree or decline all of the website’s cookies.
Slider: Allows users to select the level of cookie usage they are comfortable with, offering granular control as to the range of cookies allowed.
Checkboxes: Allows users to accept or deny each category of cookies manually.
Other: Complex cookie consents such as the ability to turn on/off the setting of cookies for each third party manually.
Privacy Policy Updates
The researchers also tracked privacy policy changes around GDPR. The majority of websites with privacy policies updated them in 2018 near the GDPR implementation date. Around 50% of websites updated their privacy policy in May 2018 just before GDPR went into effect. More than 60% did not make any change to their privacy policy in either 2016 or 2017.
There was a nearly 5 percent increase in websites offering privacy policies, with that number rising to as much as 15.7% of websites in particular European countries. Overall, 84.5% of websites had privacy policies by May 25, 2018. Lithuania, Latvia and Estonia were the countries with the most missing privacy policies, with more than 24% of the top sites lacking the required disclosure.
The average text length of privacy policies rose from a mean of 2,145 words in March 2016 to 3,603 words at the end of May 2018. The researchers noted the tension between the additional disclosures required by GDPR and its requirement for concise and readable privacy notices. We have noted the increase in length before – our own research of 63 privacy policies found the increase to be from 3,208 words (around January 1, 2018) to 4,291 words. You can read our blog post on the GDPR word count increase here.
The research paper is currently available online at this link (PDF).
Improve Data Privacy for GDPR or CCPA with Clarip
The Clarip team and privacy management software are ready to meet your compliance automation challenges. Click here to contact us (return messages within 24 hours) or call 1-888-252-5653 to schedule a demo or speak to a member of the Clarip team.
If compliance with the California Consumer Privacy Act is your focus until 2020, ask us about our CCPA software. Handle automation of data subject access requests with our DSAR Portal, or provide the right to opt out of the sale of personal information with the consent software.
Need to improve your GDPR compliance solution? Clarip offers modular GDPR software that can fill in gaps in your privacy program. Choose from the data mapping software for an automated solution to understanding your data collection and sharing, conduct privacy risk assessments with DPIA software, or choose the cookie consent manager for ePrivacy.