Let’s get creative with cookie banners! I’m sure it’s fine?

I am seeing more and more of the new type of cookie banner, which basically informs you of non-essential cookies, i.e. it is not required for the essential ones, which is great. However, there is some creative engineering active which is not compliant with GDPR. I am accepting non-essential cookies, for whatever the reason on my side, but this is because on the cookie side, opt-out is not set as a default. Let’s take a single example.

I was visiting the Guardian newspaper this morning and it got me thinking again about cookies. Privacy by design as a default is about ensuring that the user needs to do nothing to protect his/her privacy; data protection by default in the GDPR is based on this concept. However, what I found on the Guardian website was most definitely not opt-in, it was opt-out, and the Guardian newspaper is British, still part of the EU?

What I observed was a very interesting technique to discourage the visitor from opting out. When I first arrived on the Guardian newspaper website, the following notice popped up on the cookie banner, which looks good.

We and our partners use your information – collected through cookies and similar technologies – to improve your experience on our site, analyse how you use it and show you personalised advertising.

But then it continues with the following. The default “I’m OK with that” is not what I would expect unless by default all cookies are in opt-out mode. But at this stage I really have no idea. My expectation as a privacy guy is that opt-out is the default setting.

However, when clicking on Options, the following message is displayed, and it still is not clear if cookies are loaded onto the visitor’s device as a default or not; the Off booleans are not selected, nothing is.

I went to the cookie notice and found that in fact the default was that cookies are downloaded as a default, and it is necessary to go through to another site to configure.

And this is what got me thinking. Non-essential cookies as a default should be switched off, i.e. opt-out. And it should not be more difficult to opt out than to opt in.