Cookie pains

In 2020 cookie management should not be a hot topic. Unfortunately, looking around, you can still see important firms doing messy things. Let’s see an example, with some humour.

A few days ago, the Italian Privacy Authority launched a public consultation on updates to the cookie rules. Personally, I thought cookie law should not be a topic in 2020: breaking it is not easy, the only thing you have to do is ask the user for permission before creating cookies (then you should differentiate technical cookies from profiling cookies, bla bla bla).

What are cookies? They are small pieces of information stored by your browser in order to do a lot of things (remember your language, the options you have chosen and, obviously, track your behaviour while you are navigating the website). To see them, you can press F12 on most browsers, look at “Application” in the top menu, and you will find the cookie list:

If you get caught creating cookies without permission, you’ll get a fine under GDPR. Don’t get me wrong: if you are a small business and don’t have time to manage your website, something can get misplaced or deactivated and a cookie may be created when you do not want it to be. But if you are a big company that is not acceptable (and your fine could be amazingly big).

Let’s look at the website of a government-owned company (gov is big by definition). I can tell their story: once upon a time they had a static, non-responsive, home-made website, but at a certain point they asked a well-known agency to change their image (new name, new logo, new corporate colours, all the marketing things to look younger, smarter, cooler, etc.) and then they outsourced the website.

Since this is a real example I obviously had to blur everything that could identify the company, but looking at the website I assure you that, from a marketing point of view, they did a good job. Let’s see:


After a couple of seconds, the homepage is covered by a blue page asking your permission for cookies, telling you that if you continue on the website you accept all the legal terms and so on. Apparently, everything is ok: you cannot even see the website without giving consent to cookies:


Let’s press F12 and see if everything is really ok:


Uh oh… We have some _ga and _gid items: Google Analytics cookies are tracking us, and they are doing that before we gave consent to cookie creation. No good.
What happened here? The company did a DPIA, has a DPO, has a privacy policy, has a “registro dei trattamenti” (a record of processing activities, where every data processing operation is listed and given an owner): the paperwork is perfect, internal people are responsible for writing the contents, but no technical audit was ever performed on the outsourced website (to tell the truth, I have been using their website for about a year as an example of how things can go wrong; somebody should tell them, but I don’t want to have to accept their legal terms to do so).

The problem here is (likely) that the code that creates the cookies runs before the code that shows the cookie consent page; put the code in the right place and everything will be fine. You can do that by hand or, if you are using WordPress, the cookie banner plugin will have a specific field to put the Google Analytics code into. If you do it the right way, you won’t see the Google Analytics _ga and _gid cookies before you have given your consent (some websites reload the page to create the cookies as soon as you give consent, others create them when you enter an internal page).
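Here is what “put the code in the right place” looks like in practice, as an added JavaScript example that is neither the post’s code nor the agency’s. Everything in it is an assumption of mine: the consent cookie name `cookie_consent`, the `loadAnalytics()` and `showBanner()` hooks that a real page would wire to the Google Analytics snippet and to the blue banner, and the `fakeDocument` stand-in that lets the gate run outside a browser. It also includes, as a function, the check the post does by hand in the F12 tab: listing `_ga`/`_gid` cookies that exist although consent was never given.

```javascript
// Added example, not the post's or the agency's code. Assumed names: the
// consent cookie "cookie_consent", and the loadAnalytics()/showBanner() hooks.
const CONSENT_COOKIE = 'cookie_consent';     // assumed cookie name
const TRACKING_PREFIXES = ['_ga', '_gid'];   // the GA cookies named in the post

// Parse a document.cookie string ("a=1; b=2") into a plain object.
function parseCookies(cookieString) {
  const out = {};
  for (const part of cookieString.split(';')) {
    const idx = part.indexOf('=');
    if (idx === -1) continue;
    const name = part.slice(0, idx).trim();
    if (name) out[name] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return out;
}

// 'granted', 'denied', or null when the user has not answered yet.
function consentState(cookieString) {
  const v = parseCookies(cookieString)[CONSENT_COOKIE];
  return v === 'granted' || v === 'denied' ? v : null;
}

// Audit: tracking cookies that exist although consent was not granted.
// This is the check the post performs by hand in the "Application" tab.
function trackingCookiesWithoutConsent(cookieString) {
  if (consentState(cookieString) === 'granted') return [];
  return Object.keys(parseCookies(cookieString)).filter((name) =>
    TRACKING_PREFIXES.some((p) => name === p || name.startsWith(p + '_')));
}

// Run at page load. Analytics is loaded only when consent was already granted;
// otherwise the banner is shown and nothing that sets tracking cookies runs.
// `doc` is anything with a document.cookie-like string property.
function bootstrap(doc, { loadAnalytics, showBanner }) {
  const state = consentState(doc.cookie);
  if (state === 'granted') {
    loadAnalytics();
    return 'granted';
  }
  if (state === null) showBanner();
  return state === null ? 'pending' : 'denied';
}

// Called by the banner buttons. Storing a refusal is itself a (technical)
// cookie, which is exactly the post's closing joke.
function recordChoice(doc, choice, { loadAnalytics }) {
  doc.cookie = `${CONSENT_COOKIE}=${choice}; Path=/; Max-Age=${180 * 24 * 3600}; SameSite=Lax`;
  if (choice === 'granted') loadAnalytics();
}

// Stand-in for document.cookie so the gate can be exercised outside a browser:
// assignment adds or replaces one cookie; attributes after the first ';' are dropped.
function fakeDocument(initial = '') {
  const jar = parseCookies(initial);
  return {
    get cookie() {
      return Object.entries(jar).map(([k, v]) => `${k}=${v}`).join('; ');
    },
    set cookie(str) {
      const [pair] = str.split(';');
      const idx = pair.indexOf('=');
      jar[pair.slice(0, idx).trim()] = pair.slice(idx + 1).trim();
    },
  };
}

// Demo on a constructed cookie jar reproducing the post's finding (GA cookies
// present while the banner is still unanswered), then a correctly gated page.
function demo() {
  const leaky = '_ga=GA1.2.111.222; _gid=GA1.2.333.444; lang=it';  // constructed
  const finding = trackingCookiesWithoutConsent(leaky);            // ['_ga', '_gid']

  const calls = [];
  const hooks = {
    loadAnalytics: () => calls.push('analytics'),
    showBanner: () => calls.push('banner'),
  };
  const doc = fakeDocument('lang=it');
  const first = bootstrap(doc, hooks);    // 'pending': banner shown, no analytics
  recordChoice(doc, 'denied', hooks);
  const second = bootstrap(doc, hooks);   // 'denied': no banner, still no analytics
  return { finding, first, second, calls, cookies: doc.cookie };
}

if (typeof document === 'undefined') console.log(JSON.stringify(demo()));
```

The point of the structure is that `loadAnalytics()` is reachable only through `bootstrap()` with a stored `granted` value or through `recordChoice(doc, 'granted', …)`; the GA snippet never runs on a bare page load, so the F12 check comes back clean until the visitor has actually said yes.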

If you say no (and you should always have the opportunity to say no), no tracking cookies will be created (example of denied consent from my website):

What’s the lesson here? In Italy GDPR matters are perceived as a legal issue, usually handled by legal people. Some of them have acquired enough technical knowledge to manage things, others have not: in that case you need tech people to assess tech things (and data protection is a tech thing, at least often).

And ah, yes, my website creates a cookie to store the fact that you did not give consent to cookies… I should write that 😀 😀 😀