Those cookie consents aren't just annoying, they may be violating your privacy
Our research shows many consent managers may be tracking you without consent, subverting transparency, and may even be ignoring your privacy preferences.
Over the past several months, Disconnect conducted technical and policy reviews of some of the most popular Consent Management Providers (CMPs) and discovered pretty disturbing behavior, including the following:
- All of the CMPs we reviewed met our definition of tracking.
- Most, if not all, CMPs actively subvert user privacy by manipulating dialogs to obtain user “consent” to data collection by themselves and other known trackers, sometimes even hundreds of known trackers.
- The CMPs we reviewed appear to be collecting or in a position to collect user/device data, including IP address, as soon as the consent dialogue loads, prior to even asking for consent.
- At least one CMP appeared to opt users into data collection for various purposes, even when the user took the time to indicate they do not accept.
The consent management industry was born out of new regulations, most notably the GDPR, that sought to make it illegal for websites to enable user tracking without transparency and consent. For individual websites, figuring out how to comply with these regulations, both on a technical and policy level, can be burdensome. Websites offload this burden onto CMPs, and as a result these companies and the consent popups they serve are a ubiquitous and often irritating part of our internet experience.
On the one hand, many CMPs cast themselves as privacy companies who serve an essential function of not only helping websites comply with laws, but enabling consent to "opt-in" data collection that allows websites to serve the targeted advertising that is their source of revenue. On the other hand, most of the CMPs we reviewed blatantly market their ability to increase "consent" rates and to enable and enhance the tracking capabilities of not only the websites you visit but also of large data brokers that rely on CMPs to gain consent to track you across the web.
Research
We conducted technical and policy research over the course of three months. Our findings are presented here in summary form and for three specific examples.
Summary findings
Privacy regulations have created increasing demand for CMPs and inundated the internet with consent popups that provide dubious value to users’ privacy. Disconnect’s Tracker Protection list includes hundreds of domains controlled by CMPs. Our recent detailed reviews focused on the following six CMPs that had domains we classified as trackers: Sourcepoint, OneTrust, TrustArc, UserCentrics (Cookiebot), Osano, and Didomi. These reviews, which included our own technical analysis, revealed several privacy issues and included analysis of each CMP’s marketing materials, policy documents, and consent dialogue flows.
- Most CMPs themselves are tracking or in a position to track user data when their dialogue loads on 3P webpages, prior to even asking users for consent.
- CMPs often include their own tracking pixels and tracker cookies in the “Essential”/“Strictly Necessary” category, so users are either not able to decline the CMPs’ own ability to track users, or the process of opting out is very difficult.
- For US users, default CMP trackers are often not disclosed. For EU users, you have to click around quite a bit in the consent dialogue to even discover the CMP is collecting your information and in some cases we found no disclosure.
- Even some of the most privacy-preserving CMPs we reviewed are openly touting their ability to track users and help publishers, websites, and other trackers collect more information about end users for the purposes of targeted advertisements, marketing, and analytics.
- Existing CMPs tout their ability to deliver “consented data” to other data brokers, but the reality is that the “consent” is often not freely given and the transparency illusory.
Specific findings
This report presents detailed reviews of three example CMPs: Didomi, OneTrust and Sourcepoint. Like the other CMPs we reviewed, by default these example CMPs collect identifying user/device data and promote themselves as helping publishers/website owners to utilize end user data to improve targeted advertising, marketing, and analytics. User choice and transparency are harmed, not helped, by consent dialogues obviously designed to gain user “consent” to allow tracking.
- Technical architecture enables data collection about every user that visits a site that integrates their CMP—no user interaction required and, in some cases, no popup or visual indicator alerts users that their data is being collected by the CMP on page load.
- Privacy policy and technical analysis reveal the ability to track at least IP address and HTTP headers (which include browser/device fingerprint data), which can be further enriched by combining them with other data sources such as IP geolocation databases, IP registries that determine whether a user is connecting via work/mobile/home, and other databases that link IP addresses to device/user and to internet activity.
- These CMPs explicitly promote their consent management services to enhance tracking for purposes of advertising, marketing, and analytics.
Technical, policy, and consent dialogue review
Didomi analysis
Technical review: https://privacy-center.org (owned by Didomi)
With no consent given, Didomi collects user/device data from clients with California, USA IP addresses and French IP addresses. Data collected without consent includes at least the following: device IP address, user agent, user ID, other identifiers and values with high entropy. Additionally, and more concerning, with no consent given (in the case of a French IP address) and no interaction whatsoever (in the case of a US IP address), Didomi appears to enable or assume consent for several data collection purposes including advertising and analytics.
Example 1. Website observed: https://www.orange.fr.
With a US IP address, network requests are sent to api.privacy-center.org/v1/events on a single page load with no user interaction, and these allow Didomi to collect the device IP address, user agent, user ID, other identifiers and values with high entropy.
With a French IP address, Didomi serves JavaScript on page load, and when the user clicks “continue without accepting” on the consent dialogue (see below), Didomi collects the device IP address, user agent, user ID, other identifiers and values with high entropy.
Notable differences between Didomi data practices for users with California, USA IP, and Marcoussis, France IP:
- The request payload for the US version doesn’t have an “action” data field, presumably because no action was taken by the user prior to Didomi collecting data immediately on page load.
- The data field states the US “type” was “consent.asked” whereas the French “type” was “consent.given” despite the fact that the user tapped “continue without accepting” (“Continuer sans accepter”).
- For French users who click “continue without accepting” (“Continuer sans accepter”), Didomi “enabled” the following: “selectbasicads”, “measureadperformance”, “measurecontentperformance”, “marketresearch”, “improveproducts”, “uselimiteddatatoselect_content”.
Example 2. Website observed: https://www.avf-biomedical.com/
Didomi collects client data from clients with California, USA IP addresses and French IP addresses. Data collected without consent, again, includes at least the following: device IP address, user agent, user ID, other identifiers and values with high entropy.
- As compared to example 1, on avf-biomedical.com, if a user clicks “Continuer sans accepter” (on the screenshot just above) the user does not appear to be opted into specific data collection purposes as shown in comparison below. This may indicate that Didomi's data collection functions differently depending on the site integration. In any event, prior to any user interaction or consent, Didomi appears to collect at least the following data about French and US based users on both orange.fr and avf-biomedical.com: Device IP address, user agent, user ID, other identifiers and values with high entropy.
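The two Didomi observations above (events sent before any interaction, and a “consent.given” event after the user declined) can be checked mechanically against a capture of a page load. The following Python is an added example, not Disconnect's tooling or Didomi's code; the capture record fields (`t_ms`, `url`, `body`), the JSON layout beyond the “type”, “action” and “enabled” fields named in this report, and the sample values are assumptions constructed for illustration.

```python
import json
from urllib.parse import urlsplit

# CMP-controlled domains named in this report.
CMP_DOMAINS = ("privacy-center.org", "onetrust.com", "privacy-mgmt.com")

def is_cmp_host(url, domains=CMP_DOMAINS):
    """True if the URL's host is a listed domain or a subdomain of one."""
    host = (urlsplit(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in domains)

def walk(node):
    """Yield every dict nested anywhere inside a decoded JSON value."""
    if isinstance(node, dict):
        yield node
        for child in node.values():
            yield from walk(child)
    elif isinstance(node, list):
        for child in node:
            yield from walk(child)

def audit(requests, interaction_ms=None, user_choice=None):
    """Return (finding, url, detail) tuples for one page-load capture.

    requests: dicts with "t_ms" (ms since navigation), "url", "body".
    interaction_ms: time of the first user input, or None if there was none.
    user_choice: "decline", "accept", or None when nothing was clicked.
    """
    findings = []
    for req in requests:
        if not is_cmp_host(req["url"]):
            continue
        before_input = interaction_ms is None or req["t_ms"] < interaction_ms
        if before_input:
            findings.append(("sent-before-interaction", req["url"], None))
        try:
            body = json.loads(req.get("body") or "null")
        except ValueError:
            continue  # not JSON (pixel, form post): only timing is checked
        types, enabled = set(), set()
        for obj in walk(body):
            if isinstance(obj.get("type"), str):
                types.add(obj["type"])
            if isinstance(obj.get("enabled"), list):
                enabled.update(p for p in obj["enabled"] if isinstance(p, str))
        # A recorded grant of consent that the user never gave.
        if "consent.given" in types and user_choice != "accept":
            findings.append(
                ("consent-given-without-accept", req["url"], sorted(enabled)))
    return findings

# Constructed captures: the user ID, the "action" value and the nesting
# under "purposes" are assumed, not taken from real traffic.
EVENTS = "https://api.privacy-center.org/v1/events"
US_LOAD = [
    {"t_ms": 300, "url": "https://www.orange.fr/portail", "body": ""},
    {"t_ms": 900, "url": EVENTS,
     "body": '{"type": "consent.asked", "user": {"id": "u-123"}}'},
    # Look-alike host that must not match the suffix check.
    {"t_ms": 950, "url": "https://privacy-center.org.example.net/x", "body": ""},
]
FR_DECLINE = [
    {"t_ms": 4100, "url": EVENTS, "body": json.dumps({
        "type": "consent.given", "action": "click",
        "purposes": {"enabled": ["selectbasicads", "measureadperformance"]}})},
]

if __name__ == "__main__":
    for finding in audit(US_LOAD):
        print(finding)
    for finding in audit(FR_DECLINE, interaction_ms=4000, user_choice="decline"):
        print(finding)
```

Run against a real capture, the same two findings correspond to the US and French behaviours described for orange.fr; a site such as avf-biomedical.com, where declining did not enable purposes, would produce only the timing finding.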
Marketing review: Didomi.io
Didomi’s own marketing material focuses on tracking to enhance advertising and analytics:
- “Leverage user choices for rich datasets and optimize marketing” https://www.didomi.io/usecase/marketing
- “Refine your advertising strategy on the go Didomi offers the most advanced consent analytics on the market, allowing you to proactively measure, monitor and improve consent rates directly in our platform.” https://www.didomi.io/usecase/programmatic
- “SPECIALISTS IN ADVERTISING AND MARKETING INTEGRATIONS Ramp up your marketing performance Didomi has direct relationships with all major Adtech and Martech vendors ensuring that our clients can leverage expert know-how and proven processes to build and validate our solutions and integrations with their teams.” https://www.didomi.io/usecase/integrations
- “Boost marketing performance with hyper-personalized experiences.” https://www.didomi.io/preference-management-platform
- “Our cross-device feature respects consent across different devices and environments, so users only need to provide their consent once.” https://www.didomi.io/consent-management-platform
Policy review: Didomi.io/privacy
Didomi’s privacy policy documents collection of end user data on websites not owned by Didomi:
- Privacy policy says it’s for “users of the website Didomi.io”, but then lists “End users of Didomi’s customers” under data subjects.
- “Data subjects” include “End users of Didomi’s customers”.
- “Categories of personal data collected” include the following: “Identity data; Professional contact information; Business information; Login data; Social network data (Linkedin account URL); Language used for communications; Communication preferences; Customer interaction history; Customer ID; Other information voluntarily shared with Didomi; Consent choices; Timestamp.”
Consent dialogue review (observed on orange.fr/portail (redirect from orange.fr) August 21, 2024 with French IP)
- Cookie banner design on page load makes finding “Continuer sans accepter” (Continue without accepting) difficult as it’s outside of the main consent dialogue popup, at the top, with white text on a grey background. That option almost looks unrelated if you are not specifically looking for it. “Tout accepter” (Accept all) is in the main consent box and is a black box on a white background, making it very easy to see. Clicking “Continuer sans accepter” closes the dialogue.
- Popup states that Orange and their 278 partners may use cookies or equivalent, but there is no specific mention of Didomi data collection.
[Figure: Consent popup on page load]
- Didomi is not listed under “Tous les partenaires” (All Partners) list when accessed either by clicking “278 partenaires” on the first screen or “Voir nos partenaires” (See our partners) on the “Personnaliser vos choix” (Customize your choices) screen.
OneTrust analysis
Technical review: onetrust.com
We observed 3P requests from this domain with request URLs that at a minimum collect page visitors’ IP address, HTTP headers (e.g., user agent), web page URL(s), and various high-entropy values that are potential identifiers.
Example 1. Website observed: https://www.medtronicdiabetes.com/
- There are 73 network requests with various IDs sent to *.onetrust.com on a single page load with no user interaction.
- The request payload highlighted above for example 1 contains the website domain and various identifiers.
Example 2. Website observed: https://www.flonase.com/
- There are network requests from *.onetrust.com with various IDs sent along with the website domain. Some of this data, like the webpage URL, is base64 encoded in a “requestinformation” property. This data is sent to *.onetrust.com on page load with no user interaction.
Marketing review: onetrust.com
OneTrust’s own marketing material focuses on tracking to enhance advertising and analytics:
- “OneTrust seamlessly complements marketing automation platforms by enhancing their ability to manage user consents and preferences across various channels like web, mobile, and Connected TV (CTV). This integration enables marketers to leverage consent-based segmentation and target their audiences more precisely, which is essential for both compliance with global privacy laws and the effectiveness of marketing campaigns.” https://www.onetrust.com/blog/enhancing-marketing-automation-with-consent-data/
- “The benefits of combining a marketing automation platform with a consent and preferences solution include the following . . . Improved audience segmentation: Consent and preference data allows for more accurate audience segmentation in marketing automation, ensuring that campaigns reach the most receptive audiences.” Id.
- “Consent-based segmentation: Utilizing consent status to refine marketing automation strategies and campaign targeting – using preferences to deliver the right, custom experience for the user at every touchpoint, on every channel.” Id.
- “As the focus of mature privacy programs begins to shift from compliance to unlocking value, understanding how using personal data responsibly at all stages of the data lifecycle becomes a business imperative. In this blog series, we have explored the various stages that personal data goes through in the data lifecycle and how it is managed throughout to unlock business upside beyond sole compliance . . . Regardless of privacy program maturity, organizations increasingly rely on sharing personal data with third parties to drive revenue.” https://www.onetrust.com/blog/responsible-use-in-the-data-lifecycle-process-share-and-use/
- “Enable your team with greater data context. Get embedded intelligence across risk, regulations, personal consent, and data usage — both internally and for third parties” https://www.onetrust.com/
- “Uncover trends and program gaps with actionable recommendations, powered by cross-functional data centralization to enable dissectible trust analytics and industry benchmarking.” https://www.onetrust.com/platform/
- “Progressively profile users and enhance data profiles to deliver personalized content and build customer loyalty.” https://www.onetrust.com/products/consent-and-preference-management/
- “Continuously refine profiles, predict behavior for personalized experiences, and maintain comprehensive customer views across systems.” https://www.onetrust.com/solutions/preserve-and-enrich-your-first-party-data/
- Integrations with advertising companies, for example:
  - Acxiom: “We believe data is the key to creating meaningful interactions at scale between consumers and the brands they love.” https://www.onetrust.com/integrations/acxiom/
  - Campaign Monitor: “Together, OneTrust + Campaign Monitor will enable organizations to collect consent before deploying marketing campaigns.” https://www.onetrust.com/integrations/campaign-monitor/
  - Acoustic: https://www.onetrust.com/integrations/acoustic/
  - Braze: https://www.onetrust.com/integrations/braze/
  - Experian: https://www.onetrust.com/integrations/experian/
  - Intercom: https://www.onetrust.com/integrations/intercom/
  - Marketo: https://www.onetrust.com/integrations/marketo/
  - mParticle: https://www.onetrust.com/integrations/mparticle/
Policy review: onetrust.com/privacy-notice
OneTrust’s privacy notice/policy reveals tracking of end user data and references a data processing agreement, but no public data processing agreement was found:
- Did not find a public data processing agreement, which would cover data collection and retention of 3P integrations.
- “Please note that this Notice does not cover the handling of Personal Information when OneTrust or our Affiliates are processing Personal Information on behalf of our customers e.g., Personal Information submitted by individuals for processing through the platforms hosted by OneTrust or our Affiliates for the purposes of providing a service to our customers is not covered by this Notice. Our customers will typically act as Controllers for any Personal Information related to them or Personal Information that third parties upload to our applications in connection with the use of our services. OneTrust will typically act as a Processor in accordance with applicable Service and/or data processing agreements (“Agreement/s”). Further information, including specific obligations of the Controller and Processor, can be found in the Agreements.”
- “Usage information – we keep track of user activity in relation to the types of Services our customers and their users use, the configuration of their computers, and performance metrics related to their use of the Services.”
- “Log information – we log information about our customers and their users when they use one of our Services, including their IP addresses.”
- “Information collected by cookies and other tracking technologies – we use various technologies to collect information, including saving cookies to users’ computers.”
- “We may choose to buy or sell assets and may share and/or transfer customer information, including Personal Information, in connection with the evaluation of and entry into such transactions and based on our legitimate interests. Also, if we or our assets are acquired, or if we go out of business, enter bankruptcy, or go through some other change of control, Personal Information may be one of the assets transferred to or acquired by the third party.”
- “If your Personal Information has been collected as (i) you interacted or used our Website, (ii) you registered and/or attended our Events, and/or (iii) part of the Services, your Personal information, as stored in our CRM service provider, may be enriched or updated to ensure it is accurate and up to date, and we achieve the purpose for which it was originally collected.”
- “We store your Personal Information for different time periods depending on the category of Personal Information and the nature of relationship that you have with us.”
Consent dialogue review (observed on McDonalds.com, August 1, 2024 with Netherlands IP)
- Cookie banner design makes “The cookie settings” button hard to see (white text on light yellow background, no outline around button), and makes the “Accepting cookies” button easy to see (contrasting black and white button and a check mark).
- Dialogues within “The Cookie Preference Center” state that necessary cookies are always active and “cannot be disabled in our systems”.
  - This is important because OneTrust is listed as dropping numerous “strictly necessary” cookies according to the McDonald’s cookie page. A user cannot opt out of “strictly necessary” cookies, which include OneTrust.
- “The Cookie Preference Center” leads with a “Your privacy” section designed to get users to allow all.
  - The language downplays the privacy harm and exaggerates the usability impact of not allowing collection.
- To exit the consent dialogue, there is no “Reject all” option, only an “All allow” option or “Save settings”, which has the effect of accepting default settings including “Strictly necessary cookies”.
Sourcepoint analysis
Technical review: privacy-mgmt.com
We observed 3P requests from this domain with request URLs that at a minimum collect page visitors’ IP address, HTTP headers (e.g., user agent), web page URL(s), and various high-entropy values that are potential identifiers.
Example 1. Website observed: https://www.skyaccessibility.sky.
- There are network requests to *.privacy-mgmt.com with various IDs sent along with the website domain. This data is sent to Sourcepoint on page load with no user interaction.
[Figures: Response payload; Request query parameters]
Example 2. Website observed: https://disabledunited.com.
- There are network requests to *.privacy-mgmt.com with various IDs sent along with the website domain. This data is sent to Sourcepoint on page load with no user interaction.
Marketing review
Sourcepoint’s own marketing material focuses on enabling analytics and advertising:
- “Universal consent and preference management with unparalleled compliance insights and analytics.” https://sourcepoint.com/
- “Deploy fully customizable preference centers across all devices and channels to power personalized experiences for your customers.” https://sourcepoint.com/marketing-preferences/
- “Connect your marketing ecosystem via robust integrations with leading martech platforms for seamless orchestration that make marketing, product, and legal teams happy.” https://sourcepoint.com/marketing-preferences/
- “Instantly verify user identity.” https://sourcepoint.com/dsar/
- “Quality consumer privacy experiences . . . improve purchase intent . . . With Privacy Lens, we’re helping advertisers and publishers benefit from a shared commitment to consumer privacy.” https://sourcepoint.com/privacy-lens/
- “Privacy Lens allows brands to . . . optimize spend. Three of the top five US media agency holding companies have partnered with Sourcepoint to provide greater visibility into the quality of their media buys.” https://sourcepoint.com/press/privacy-lens-launch/
- “Link individual privacy preferences to user profiles.” https://sourcepoint.com/cmp/
- “Sourcepoint developed and iterated on a more flexible version of Consent or Pay that asks users to make choices on each specific data processing purpose in order to consent rather than subscribe. Select purposes, especially those crucial for monetization, can also be demarcated as required for consent.” https://sourcepoint.com/case-studies/how-heise-medien-delivered-flexible-consent-or-pay-cmp/
Policy review: https://sourcepoint.com/privacy-notice/
Sourcepoint’s privacy notice documents collection of end user data:
- “Service Dialogue Consent Management Platform Categories of personal data processed For the purpose of providing the consent management solution: IP address, Unique User ID, the cookie consent string and cookie settings of the individual end user concerning the relevant Customer Sites, information on the device, browser and operating system of the individual end user, and if provided by the Customer to Sourcepoint, an AuthID. Sourcepoint transfers the Unique User ID and cookie consent string to the cookie providers selected by Sourcepoint Customers.”
- “Dialogue Consent Management Platform Categories of personal data processed For the purpose of providing reports on the use of the consent management solution by the Customer on Customer Sites: Unique User ID, information on the Customer Site, region, device, browser, operating system, relevant time period for the reports (e.g. week, month or quarter) and aggregated statistical information on the use of the consent management solution (total number of page views, unique users, and views who received a message, statistics on the individual end users’ consent decisions which may include * “Accept All”, “Legitimate interests only”, “Reject all”, “No choices made”, “Previous accept all”, and “Other choices”).”
- “Service Anti Adblock Categories of personal data processed IP address, Unique ID, the adblock status of the individual end user, and information on the device and browser of the individual end user.”
Consent dialogue review (observed on skyaccessibility.com, August 9, 2024 with Netherlands IP)
- Opening consent banner shows message saying 24 “trusted partners” need permission to track “personal data, and information on your browsing behaviour”. There are two subheadings of uses/purposes they need to get consent for which need to be expanded to see more information:
- Two blue buttons both allow tracking from Sourcepoint.
- No option to reject on initial dialogue, only “View options”.
- Must hit drop downs to see details on types of personal data collected and personalized advertising.
- For a user to discover Sourcepoint is tracking them, they must click “View options” then scroll down to “Special Purposes” then click the “Essential Technology” drop down.
  - The dropdown states: “We have a need to use your data for this processing purpose that is required for us to deliver services to you” i.e., Sourcepoint tracking is presented to users as required for delivery of services.
- No specific option to reject Sourcepoint, only to Reject All.
- No disclosure of Sourcepoint tracking or purpose of tracking in SkyAccessibility cookie notice: https://www.sky.com/help/articles/privacy-hub-cookies.
- After a user has given consent it’s hard to find/get the cookie consent options to come back in order to change choices.