Illustration by Tridib Das
Pop-up notifications are like internet gnats. Software updates, loud banner ads, unwanted thumbnail videos set to autoplay—they crowd your field of vision, you swat them away, and they eventually, inevitably, return. A pervasive nuisance, pop-ups have engendered a Pavlovian response in most web users, who reflexively click out of them without reading the accompanying text.
The trouble, which you surely saw coming, occurs when a notification isn’t just nagging or selling something, but informing users of their online privacy rights. That’s the job of cookie consent prompts, which blanket the web in the form of small footer bands or toolbars. These unassuming graphics typically come with a line or two of text, explaining that the website in question collects cookies—small pieces of data about a user’s browsing behavior—and why. The “why” varies. Most websites gather basic traffic analytics; plenty of others sell that data to third-party companies. Regardless, if you’re online, you see these notifications constantly. And you likely grant them consent, because that’s what those who surf the web are now primed to do.
Sage Cheng takes issue with the way cookie bars get designed. As a UX lead at the digital rights advocacy group Access Now, Cheng studies how design decisions enable people to make informed choices about their personal data—or not. “Any design choice—an opt-in box or a toggle to turn on and off a feature—will potentially impact millions of people’s data,” she says, pointing out that when designers make those choices, they do so based on information passed through a grapevine of stakeholders. Policymakers dictate needs to lawyers and companies, who then turn to developers, who work with designers to determine how these tools appear to users. If that sounds like any other design process, consider the business model driving it: “Companies are driven by a data-oriented business model, and they monetize personal data,” Cheng says. “They also tend to over-collect data with insufficient systems to protect it.”
Cookie consent notifications began to decorate the web in large numbers in 2018, after the European Union passed the General Data Protection Regulation (GDPR) to create more transparency around how companies collect user data, enacting new rules for companies with readership or business in the EU. Companies collect data in several ways, from location tracking to shared IP addresses to linked social media profiles. Cookie notifications are simply the most visible instance of being made aware that it’s happening. While cookies and cookie consent prompts existed prior to 2018, the GDPR nudged this particular UI component into the spotlight, making it even more visible.
And yet, there are exceptions. Some industries, like online banking, know that users need to access their services at any cost. Other industries can’t afford that luxury. “For the media, it’s very important to hold it and gain trust with users,” Cheng says, pointing to The Guardian’s cookie consent prompt, which fills the bottom third of a browser window, says “Your privacy” in bold letters, and guides users to a policy where they can manage consent. WIRED UK offers a similarly thorough cookie consent prompt.
As a consequence of giving users that choice, Levinson says that around one-fourth of all readers opt out of cookies, making it impossible for Places to track them in its Google Analytics traffic reports. Levinson adds that it’s a small price to pay for what they view as an ethical consent policy. “It’s part of the ecosystemic nature of the internet,” she says. “If we apply for funding from a foundation and they want to know our readership, we can say that because of a larger public interest in privacy, we can’t track all readers. That’s part of the larger cultural understanding that has got to be factored into a grantmaker deciding whether to support you.”
The rest of the internet might need some time to catch up. Earlier this year, Cornell University released a study on the GDPR, in which it found that only 11 percent of websites in the UK comply with the minimum requirements of the law. That’s not to say only 11 percent display cookie consent bars; it means not enough of them allow for what the GDPR calls “freely given, unambiguous” consent. It’s not for lack of resources: Groups like Simply Secure and MIT’s Let’s Talk Privacy all offer guidance on ethically translating policy into UI design.
“This is a space that’s still being explored,” says Okuda. Should cookie consent bars come with encoded actions or symbols? If everyone agrees to universal components, then what happens when a website deviates? That’s the discourse, Okuda says, among human-computer interaction specialists. For now, though, those questions remain speculative. “We’re not yet at the right place of public understanding around this issue.”