A Study of GDPR Consent Notices and Their Impact on Data Acquisition

Have you ever clicked on an interesting news link and before you even got a chance to start reading, the content was immediately covered by a giant consent banner with only one option - an Accept button? There was no option to just close it and get back to your reading, just that single button forcing you to accept their conditions. Is this legal? And why would any serious website do this to its readers? In this article, you will find out the answers to these questions and more.

Cookie Banners from a Scientific Point of View

A group of researchers from the University of Michigan and Ruhr-Universität Bochum in Germany had similar concerns as the ones mentioned above and decided to conduct a study entitled “(Un)informed Consent: Studying GDPR Consent Notices in the Field”. You can find the entire paper with the detailed results. 

The reasons behind these cookie banners are, of course, privacy laws meant to protect user data. This particular study focuses mainly on General Data Protection Regulation (GDPR), the European Data Privacy Law that came into effect in May 2018.

The study focused on 3 main points:

• Is a visitor’s decision-making influenced by the position of a cookie banner on a webpage?
• Does the number of choices or pre-filled checkboxes ("nudging") affect the visitor’s consent?
• Does the presence of a privacy policy link or the terms used in the text influence the visitor’s decision? 

And for these, 3 different experiments were conducted on more than 80,000 unique website visitors. The study took place on a popular German website between November 2018 and March 2019. 
 

Experiment 1: The position of the cookie banner

Does the placement of a cookie consent banner affect our decision to accept or reject them? According to this study, it very much does. User experience on a website is important, and of course, people’s attention is more likely to be drawn to certain parts of the screen. If a cookie banner is placed in the right spot it has a higher chance of being accepted. 

The study took into consideration both desktop and mobile displays, so here’s what you need to consider when creating or redesigning your website:

• a consent notice placed in the bottom-left of the screen will get the most interaction (both declines and acceptances) with acceptance rates between 18 and 26%;
• a banner positioned bottom-right will provide the highest acceptance rate, with about 34% on desktop and 3.4% on mobile;
• the lowest interaction is associated with a banner placed at the top of the screen, from one end to the other;
• website visitors are more likely to interact with a cookie banner on a desktop display than on a mobile one.

Both on desktop and mobile, the consent banner placed in the bottom-left corner received the most attention from visitors. So, to get more accurate results, the researchers decided that for Experiments 2 and 3 the banners should be placed in the bottom-left corner.

Experiment 2: The number of choices and the way they are presented to you

Which of the following are people most likely to consent to? Are more options better than a single one?
 

The researchers tested out multiple variations of the cookie banners (cited directly from the study):

• “No option (Figure 1 (b)): In line with many notices we observed, we added an ‘X’ in the top-right corner to dismiss the banner. There is no nudging variant because the notice does not offer any choice.
• Confirmation–Non-nudging (Figure 1 (c)): This notice has an “Accept” button which is not highlighted.
• Confirmation–Nudging: Same as the Confirmation–Nonnudging notice, but the “Accept” button is highlighted (like the “Accept” button in Figure 1 (a) (aa)).
• Binary–Non-nudging (Figure 1 (a) (bb)): The “Accept” and “Decline” buttons are formatted the same way, neither is emphasized.
• Binary–Nudging (Figure 1 (a) (aa)): Same as Binary–Nonnudging but only the “Accept” button is highlighted in a contrasting color.
• Categories–Non-nudging: Same as notice (d) in Figure 1, but with unchecked checkboxes. The “Necessary” category cannot be unchecked, as is common practice.
• Categories–Nudging (Figure 1(d)): Same as Categories–Non-nudging but with pre-checked checkboxes for all categories.
• Vendors–Non-nudging (Figure 1(e)): Similar to the categories variant, but the checkboxes correspond to the third-party services used by our partner website.
• Vendors–Nudging: Same as Vendors–Non-nudging but with pre-selected checkboxes.”
   

The outcome of this experiment was diverse in terms of consent choices. More visitors accepted cookies in both binary conditions, where they had the option to decline
cookies, rather than in the non-nudging confirmation condition, where they could only accept cookies or not interact with the notice. In comparison to Experiment 1, the total percentage of people who interacted with the banner increased (from 13% to 55%), most notably on mobile devices. The highest interaction rate (55 %) occurred for the binary consent notice placed on mobile devices.

The study states: “Experiment 2’s results show that nudges and pre-selection had a high impact on users’ consent decisions. It also underlines that the GDPR’s data protection by default requirement, if properly enforced, could ensure that consent notices collect explicit consent. We further find that most visitors make binary decisions even when more choices are offered by agreeing to all or no options. Only very few visitors selected specific categories or vendors, while even in the non-nudging binary condition a considerable number accepted the use of cookies.”

Experiment 3: The wording used and the presence of a privacy policy link 

About 92% of the banners used for this research included a link to the website’s privacy policy, but only about a third of them mentioned the reason the data is being collected. The study showed that more visitors decline the use of cookies if a privacy policy is linked and that language-wise the use of the term “cookies” has only a minor influence on the consent behavior of users. This final experiment proves that the position of the banner and the number of choices (Experiment 1 and 2) have a much more noticeable effect on the rate of acceptance than the wording used or the addition of a privacy policy link.

Conclusion

Now that you know which cookie consent notices perform better than others, you are able to decide on your own what the best choice would be for your website. But keep in mind that if you use TWIPLA to track your website, no cookie banner is needed. Just make sure that you go to your account settings and choose IP anonymization and consentless tracking options.

Keep in mind that other third-party tools or plugins used on your website might still require you to have a consent banner in place, but if TWIPLA is the only third-party app on your site, you can rest assured that no annoying cookie banner is needed.

Use consent banners if you need them, but be aware that you might end up with less than 5% of the actual data when you do everything legally.
You can read more about how the cookieless tracking process works.

______

Source: "(Un)informed Consent: Studying GDPR Consent Notices in the Field".The authors of the paper are Christine Utz, Florian Schaub, Martin Degeling, Sascha Fahl, and Thorsten Holz.