Are Consent Banners Really Protecting Consumer Privacy?
Let’s start here: consent tools mean well. They emerged to meet the requirements of laws like GDPR in 2018 and CCPA in 2020. Now, with 19 state-specific and several sector-specific privacy laws passed, and a federal bill possibly on the horizon, the need for effective web privacy tools is growing. Each law has nuanced requirements (some mandate opting in to data collection, while others require the ability to opt out), but their shared goal is to provide consumers with more transparency and control over their data.
Cookie consent banners were designed to fulfill these requirements and comply with laws that require companies to obtain permission before sharing data with third parties. In just a few years, consent banner adoption has soared. Our recent research found that roughly 67 percent of U.S. companies now have a consent banner on their sites. This is a step in the right direction. But as these tools become checkboxes for compliance with accelerating privacy laws, are they really protecting as much as we think, or as much as regulators intended?
Our research of more than 5,000 U.S. websites suggests they’re not. The main issue is that websites constantly change. Technology and trackers on a site can be updated daily. Sometimes, website owners add new trackers; other times, changes happen without their control, like when a third-party plugin introduces new cookies or trackers. Consent banners don’t detect these changes in real time; they typically scan for new technology on a monthly or quarterly schedule, meaning it can be weeks before the banner reflects all the trackers on the site. Additionally, banners may be misconfigured from the start, preventing them from ever offering complete protection.
In fact, we found that more than 90 percent of consent banners aren’t functioning correctly, meaning they serve optional cookies, tags, and trackers even after we selected “Reject All” or before the user had any interaction with the consent banner. People (and the companies that implement these banners) might reasonably expect that rejecting all cookies would prevent unauthorized data sharing, but that’s not the case. Here’s why:
- Cookies load before the banner. Our research showed that, on average, 18 third-party cookies load on a web page before the user interacts with a consent banner. Consent tools are designed to block cookies before they load, not remove them once they're there. So if cookies load before the banner, they often remain even if the user selects “reject all.” It’s critical for those setting up consent banners to ensure the banner is configured to load before any cookies do.
- Banners are missing on certain pages. Many pages were missing consent banners. This matters because users can come to the site on any page, not just the home page.
- Information is outdated. As we mentioned, websites are constantly changing, and new technology is added all the time. Consent banners typically do not continuously scan for new technology; they often update quarterly or monthly. This means tags can collect data for weeks or months without being reflected in the banner.
Besides these issues, there are other privacy concerns with these tools that visitors and companies might not realize:
- Missing data collection methods: Often, consent tools focus on cookies and miss other types of data collection technology. Data is also collected through pixels, session replay tools, and browser fingerprinting.
- Manual and subjective classification: Consent banners often let visitors customize preferences, allowing or rejecting certain cookie classifications like “Analytics,” “Advertising,” or “Performance.” But cookies are sorted into these categories manually by the website owner. It’s a subjective process that can lead to misclassified cookies, or to unclassified cookies, which aren’t included in any category for acceptance or rejection.
- Missing “reject all” option: Some banners force visitors to accept all cookies to access the website.
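The failure modes in the two lists above (third-party cookies set before any banner interaction, optional cookies set after “Reject All,” and cookies that appear in no category) can be checked against a recorded page load. The sketch below is an added example, not LOKKER's tooling or code from the research; the site name, cookie names, classification map, and event timeline are all constructed for illustration.

```javascript
// Constructed data: site under test and a hypothetical recorded page load.
const SITE = "shop.example";
// Hypothetical classification maintained by the site owner (cookie -> category).
const CLASSIFICATION = new Map([
  ["session_id", "necessary"],
  ["_analytics_a", "analytics"],
  ["ad_sync", "advertising"],
]);
// Constructed timeline of cookie writes and banner events (t in milliseconds).
const EVENTS = [
  { t: 120, type: "cookie", name: "session_id", domain: "shop.example" },
  { t: 180, type: "cookie", name: "ad_sync", domain: ".ads.example.net" },
  { t: 210, type: "cookie", name: "_analytics_a", domain: "stats.example.org" },
  { t: 900, type: "banner_shown" },
  { t: 4000, type: "consent", choice: "reject_all" },
  { t: 4300, type: "cookie", name: "replay_uid", domain: "replay.example.io" },
  { t: 4400, type: "cookie", name: "ad_sync", domain: ".ads.example.net" },
];

// A cookie is third-party when its domain is neither the site nor a subdomain.
function isThirdParty(cookieDomain, site) {
  const d = cookieDomain.replace(/^\./, "").toLowerCase();
  return d !== site && !d.endsWith("." + site);
}

// Walk the timeline in order and collect the three kinds of findings.
function auditConsent(events, site, classification) {
  const findings = { preConsent: [], afterReject: [], unclassified: [] };
  let choice = null; // null until the visitor interacts with the banner
  for (const e of [...events].sort((a, b) => a.t - b.t)) {
    if (e.type === "consent") { choice = e.choice; continue; }
    if (e.type !== "cookie") continue;
    const category = classification.get(e.name);
    if (category === undefined && !findings.unclassified.includes(e.name)) {
      findings.unclassified.push(e.name);
    }
    // Third-party cookie written before any consent decision exists.
    if (choice === null && isThirdParty(e.domain, site)) {
      findings.preConsent.push(e.name);
    }
    // Anything not marked "necessary" is optional and must stop after rejection.
    if (choice === "reject_all" && category !== "necessary") {
      findings.afterReject.push(e.name);
    }
  }
  return findings;
}

console.log(auditConsent(EVENTS, SITE, CLASSIFICATION));
```

Unclassified cookies are treated as optional here, so a tracker added after the last banner scan shows up in both the `unclassified` and `afterReject` lists.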
For more insights into our research, download LOKKER’s Online Data Privacy Report.
So What’s the Big Deal?
At the end of the day, it is always about stopping unauthorized data collection. As companies seek practical solutions in response to more privacy laws, it's crucial to (1) understand the limitations of existing tools like cookie consent; (2) call for better technology to truly protect visitors from unauthorized data collection in the first place; and (3) conduct real-time monitoring.
While these shortcomings and the resulting data sharing are likely unintentional, they can still be misleading to web visitors and the web owners who implement them. These tools require significant manual oversight to keep up with the dynamic nature of the web. Given this complexity, it may be challenging to configure existing tools to achieve complete data protection. Tools that detect and block new trackers in real time offer the best chance for precise accuracy.
Ian Cohen is founder and CEO of LOKKER, provider of solutions that empower companies to take control of their privacy obligations. Before founding LOKKER in 2021, Cohen served as CEO for Credit.com and CPO for Experian, where he focused on consumer-permissioned data.