Illustration by Tridib Das
Pop-up notifications are like internet gnats. Software updates, loud banner ads, unwanted thumbnail videos set to autoplay—they crowd your field of vision, you swat them away, and they eventually, inevitably, return. A pervasive nuisance, pop-ups have engendered a Pavlovian response in most web users, who reflexively click out of them without reading the accompanying text.
The trouble, which you surely saw coming, occurs when a notification isn’t just nagging or selling something, but informing users of their online privacy rights. That’s the job of cookie consent prompts, which blanket the web in the form of small footer bands or toolbars. These unassuming graphics typically come with a line or two of text, explaining that the website in question collects cookies—small pieces of data about a user’s browsing behavior—and why. The “why” varies. Most websites gather basic traffic analytics; plenty of others sell that data to third-party companies. Regardless, if you’re online, you see these notifications constantly. And you likely grant them consent, because that’s what those who surf the web are now primed to do.
Sage Cheng takes issue with the way cookie bars get designed. As a UX lead at the digital rights advocacy group Access Now, Cheng studies how design decisions enable people to make informed choices about their personal data—or not. “Any design choice—an opt-in box or a toggle to turn on and off a feature—will potentially impact millions of people’s data,” she says, pointing out that when designers make those choices, they do so based on information passed through a grapevine of stakeholders. Policymakers dictate needs to lawyers and companies, who then turn to developers, who work with designers to determine how these tools appear to users. If that sounds like any other design process, consider the business model driving it: “Companies are driven by a data-oriented business model, and they monetize personal data,” Cheng says. “They also tend to over-collect data with insufficient systems to protect it.”
That business model creates an incentive—acknowledged or not—to grease the wheels for users, making it easier to accept a cookie policy than to read the fine print. The simplest way to do that, judging by dozens of websites, is to highlight the “I accept” button and visually suggest the obvious path forward. Known as a dark pattern, this kind of nudge isn’t new: In 2010, UX designer Harry Brignull coined the phrase “dark pattern design” to describe interfaces designed that deliberately trick users. If you’ve ever had to hunt for an opt-out button for added fees, or promotional emails, you’ve likely encountered a dark pattern.
Cookie consent notifications began to decorate the web in large numbers in 2018, after the European Union passed the General Data Protection Regulation (GDPR) to create more transparency around how companies collect user data, enacting new rules for companies with readership or business in the EU. Companies collect data in several ways, from location tracking to shared IP addresses to linked social media profiles. Cookie notifications are simply the most visible instance of being made aware that it’s happening. While cookies and cookie consent prompts existed prior to 2018, the GDPR nudged this particular UI component into the spotlight, making it even more visible.
In essence, a cookie consent bar communicates a company’s privacy policy. “Legislators and designers are being asked to tackle the question of how to make it easier for users to understand what they’re consenting to,” says Soraya Okuda, a design lead at the Electronic Frontier Foundation. For many designers, this might read like a housekeeping issue: How do you follow the rules without creating a graphic roadblock to your website? “We’re seeing a lot of standardization around the design, and that comes with problems,” Okuda says. Over time, homogenized designs start to incur implicit meaning, making them easier to dismiss; Okuda compares them to user agreements that appear as a wall of text. People are simply unlikely to read all the way through, and then decline access to a coveted service.
And yet, there are exceptions. Some industries, like online banking, know that users need to access their services at any cost. Other industries can’t afford that luxury. “For the media, it’s very important to hold it and gain trust with users,” Cheng says, pointing to The Guardian’s cookie consent prompt, which fills the bottom third of a browser window, says “Your privacy” in bold letters, and guides users to a policy where they can manage consent. WIRED UK offers a similarly thorough cookie consent prompt.
“Philosophically, we believed the law was a good one,” says Nancy Levinson of the GDPR. Levinson is the executive editor of Places Journal, a scholarly urban design publication that uses a fullscreen cookies consent prompt. Head to placesjournal.org, and a white screen with a bright orange box greets you. “We use cookies to personalize your experience and analyze traffic,” it reads, before asking readers to accept or decline. (It’s worth noting that while the “accept” box is suggestively highlighted, the “decline” box is equal in size and alignment, and that’s often not the case.)
Kyle Larkin of Extra Small Design created the custom design for Places ahead of the GDPR going into effect. “Transparency was really at the forefront of making it clear how we use cookies,” Larkin says. Many websites collect cookies whether you consent or not, making the notification more of a courtesy. Places takes a more careful approach, and won’t turn on cookie collection until a user consents. “That’s why we have the full screen treatment in use,” Larkin says. “But there weren’t a ton of solutions out there, so we had to do legwork not just on the design side, but also on the technical side of what happens when you go to the site.”
As a consequence of giving users that choice, Levinson says that around one-fourth of all readers opt out of cookies, making it impossible for Places to track them in its Google Analytics traffic reports. Levinson adds that it’s a small price to pay for what they view as an ethical consent policy. “It’s part of the ecosystemic nature of the internet,” she says. “If we apply for funding from a foundation and they want to know our readership, we can say that because of a larger public interest in privacy, we can’t track all readers. That’s part of the larger cultural understanding that has got to be factored into a grantmaker deciding whether to support you.”
The rest of the internet might need some time to catch up. Earlier this year, Cornell University released a study on the GDPR, in which it found that only 11 percent of websites in the UK comply with the minimum requirements of the law. That’s not to say only 11 percent display cookie consent bars; it means not enough of them allow for what the GDPR calls “freely given, unambiguous” consent. It’s not for lack of resources: Groups like Simply Secure and MIT’s Let’s Talk Privacy all offer guidance on ethically translating policy into UI design.
“This is a space that’s still being explored,” says Okuda. Should cookie consent bars come with encoded actions or symbols? If everyone agrees to universal components, then what happens when a website deviates? That’s the discourse, Okuda says, among human-computer interactions specialists. For now, though, those questions remain speculative. “We’re not yet at the right place of public understanding around this issue.”