Based on a list of known marketing and analytics cookies, Sweepatic now detects tracking cookies that are set without any user consent. Setting certain tracking cookies without user consent can be a violation of the EU GDPR regulation. Local privacy authorities are handing out fines for violations.
Why do cookie consent popups exist?
Everyone knows the cookie consent popups that haunt us on many websites. They are the result of privacy laws that came out of the GDPR privacy regulation. For now they remain a necessary evil until a better solution is implemented.
The cookie consent idea is simple. For privacy reasons, all cookies that take part in following the user's activity for marketing, tracking or analytics purposes can only be used when the user gives explicit consent.
What can a cookie consent violation cost in fines?
Apart from the privacy issues, cookie consent violations are resulting in fines for big and small organizations across Europe and beyond. Several sources report fines being given for websites that violate the cookie consent law.
- December 2020 - France fines Google $120M and Amazon $42M for dropping tracking cookies without consent.
- July 2021 - French publisher Le Figaro has been fined €50,000 by the country’s data protection authority after its website was discovered to be installing third-party advertising cookies without the users’ consent.
Properly implementing cookie consent is hard
Based on our scans, however, we concluded that correctly implementing a properly working cookie consent mechanism is hard. While a website might be working correctly today, it might be in violation tomorrow due to changes or updates. We noticed that the following issues are very common:
- Consent popups are just for show: The tracking cookies are set anyway before the user confirms anything.
- Not all tracking cookies are part of the consent mechanisms: The website has a working consent popup that only enables tracking cookies after the user has consented. However some tracking cookies are always set without any consent, like for example Google Analytics.
- No consent mechanism is present: The user doesn't have any option to consent to cookies, while tracking cookies are used.
How Sweepatic helps organizations to comply with cookie consent laws
Sweepatic automatically discovers all internet-connected known and unknown assets of organizations based on confirming an initial set of primary domains. For all exposed web applications, Sweepatic will automatically record the cookies that were set before any consent is given.
Based on an extensive list of known marketing and analytics cookies, Sweepatic detects tracking cookies that are set without any user consent. The users of the Sweepatic Attack Surface Management platform will be alerted when cookie consent violations are present so they can take action.
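The check described above can be sketched as follows. This is an added example, not Sweepatic's code: the tracker list is a small illustrative subset of publicly documented cookie names, and the cookie jar is a constructed snapshot of what a headless browser would hold after loading a page without touching the consent banner (many tracking cookies are set by JavaScript, so `Set-Cookie` headers alone would miss them).

```python
from fnmatch import fnmatchcase

# Assumption: illustrative subset of well-known tracking cookie names,
# written as shell-style patterns. Not Sweepatic's list.
KNOWN_TRACKERS = [
    ("_ga", "Google Analytics"), ("_ga_*", "Google Analytics"),
    ("_gid", "Google Analytics"), ("_gat*", "Google Analytics"),
    ("_gcl_au", "Google Ads"), ("IDE", "Google DoubleClick"),
    ("_fbp", "Meta Pixel"), ("_hjSessionUser_*", "Hotjar"),
]

def classify(name):
    """Return the vendor for a known tracking cookie name, else None."""
    for pattern, vendor in KNOWN_TRACKERS:
        if fnmatchcase(name, pattern):  # cookie names are case-sensitive
            return vendor
    return None

def is_third_party(cookie_domain, page_host):
    """True when the cookie's domain does not cover the scanned host."""
    domain = cookie_domain.lstrip(".").lower()
    host = page_host.lower()
    return not (host == domain or host.endswith("." + domain))

def preconsent_findings(page_host, jar):
    """List tracking cookies present before the user consented to anything."""
    findings = []
    for cookie in jar:
        vendor = classify(cookie["name"])
        if vendor:
            findings.append({
                "name": cookie["name"],
                "vendor": vendor,
                "third_party": is_third_party(cookie["domain"], page_host),
            })
    return findings

# Constructed sample: jar contents right after page load, banner untouched.
SAMPLE_JAR = [
    {"name": "PHPSESSID", "domain": "www.example.com"},
    {"name": "cookie_consent", "domain": "www.example.com"},
    {"name": "_ga", "domain": ".example.com"},
    {"name": "_ga_ABCD1234", "domain": ".example.com"},
    {"name": "_fbp", "domain": ".example.com"},
    {"name": "IDE", "domain": ".doubleclick.net"},
]

if __name__ == "__main__":
    for f in preconsent_findings("www.example.com", SAMPLE_JAR):
        scope = "third-party" if f["third_party"] else "first-party"
        print(f"pre-consent tracking cookie: {f['name']} ({f['vendor']}, {scope})")
```

Running the same check again after rejecting the banner covers the "popup is just for show" case, since any finding that persists was never gated on consent.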