Most people would agree with this statement: “Pop-ups are annoying.”
A rather amusing article in The Verge laments the recent unfortunate revival of website pop-ups, which the author describes as dogging them through the hellscape of their internet experience with messages pushing them to like, subscribe, click, listen, sign in and accept all.
But some pop-ups aren’t just detrimental to the user experience of a website – they’re worse than pointless from a privacy perspective.
Under fire
Although it’s not legally required, many websites in the US have started using cookie banners in a misguided attempt to protect themselves from lawyers who smell blood in the water.
The plaintiff’s bar is well known for getting creative with their application of the law to support often tenuous class-action claims, including the 1998 Video Privacy Protection Act (VPPA) and state anti-wiretapping statutes. Both are increasingly used as the basis for privacy-focused lawsuits.
The VPPA, for example, is a law that was passed back when Blockbuster was still a hot commodity. It prohibits “video tape service providers” from sharing personally identifiable information about the videos someone has watched without their permission.
Several years ago, a wave of lawsuits attempted to extend the definition of “video tape service provider” to any business that has a website capable of playing video, such as Hulu. More recently, lawyers have been trying to broaden the definition even further to include social platforms.
According to an analysis by Bloomberg Law, at least 47 proposed class-action lawsuits were filed between October and February 2022 claiming that Meta is in violation of the VPPA because its tracking pixel shares personal video consumption data with Facebook without consent.
These suits have met with mixed success. Some have been thrown out, some were voluntarily pulled, and others have been allowed to proceed. But companies are still nervous.
And so some are using cookie banners and tracking consent pop-ups on their websites as an ill-conceived shield from frivolous lawsuits.
AdExchanger Daily
Get our editors’ roundup delivered to your inbox every weekday.
Daily Roundup
The “cons” in consent
But there are a lot of problems with that “strategy.”
One: It’s reactive to lawyers as opposed to laws, at least in the US. There’s no legal basis for cookie banners outside of Europe. Most cookie banners are designed to address EU data protection obligations (and not all that effectively, if we’re being honest).
Unlike GDPR, which is an opt-in law, US laws mostly take an opt-out approach (other than for certain types of sensitive information).
Two: Cookie banners don’t help companies comply with US state privacy laws, none of which require consent pop-ups.
“These banners are regularly repackaged and marketed by consent management platforms as US privacy-complaint,” Daniel Goldberg, a partner at Frankfurt Kurnit Klein & Selz, told me. “Companies that deploy cookie banners may believe that they have satisfied ‘Do Not Sell’ and other opt-out obligations under US law when they actually have not.”
Three: People hate pop-ups, and the more they’re forced to see them, the less they register. Decision fatigue is real.
Four: Cookie banners are open to misinterpretation.
At an IAB Tech Lab Rearc privacy event in New York City in February, Jessica Lee, a partner and chair of the privacy, security and data innovation practice at Loeb & Loeb, told a story about her mother, who once commented that only websites that display cookie banners actually use cookies. Which is, of course, not the case. All websites use cookies.
Five: Companies need to be careful about the language they use in a cookie banner and the choices they offer. If a website gives someone the opportunity to opt out of all cookie tracking, for example, then that site is on the hook to honor the opt-out, even though it wasn’t legally required to ask.
“If someone clicks your opt-out and leaves your site with the impression that they’ve successfully been opted out of cookies and they haven’t been,” Lee said, “I think there’s even some risk of deception there.”
Well then. 🤯
Speaking of consent, I’d like to say thanks for opting in to receive this newsletter. Let me know what you think of it! Drop me a line at allison@adexchanger.com.
