
The State of GDPR Consent
Overview and scoring of how websites have adapted to data privacy regulations
2019

Presented by Piwik PRO
GDPR vs the status quo
We are in the middle of a battle between two competing
philosophies of how personal data should be handled on the
internet.

On one side is a group of businesses that sell targeted advertising based on an opaque system of personal data collection, most often without the direct and informed consent of those being tracked. Internet users like the free products and services enabled by such data collection, but if asked directly about it, they usually respond that they’d prefer not to be tracked across the internet.

On the other side is the General Data Protection Regulation (GDPR) and like-minded data privacy advocates. They endorse a system where internet users decide on collection of their data only after seeing an explanation, in plain language, of how their data will be used. However, this ask-first-collect-later approach reduces the amount of data businesses have at their disposal, putting in doubt the profitability of some free products and services.

GDPR has been in force since May, but what has really changed? This
report tries to answer part of that question by examining how
organizations in the EU and North America are collecting and using
data consents for EU internet users.

The tech and advertising companies that have a stake in keeping the
status quo won’t change without more of a fight. But how are other
websites reacting so far? If consent mechanisms are in place, do they
work according to the GDPR philosophy? Or have organizations opted
for a hybrid approach?

Read on to find out!

GDPR consent
Consent is one of many bases for data processing. We’re
focusing on it exclusively because it’s simple to evaluate in
practice. Most website owners want to use personal data in the
form of persistent tracking cookies. Under the GDPR, they
should ask for consent.

What does the GDPR say about consent?

“Consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.” (Article 4(11))

Want more information about all aspects of the GDPR? This article is a good place to start.

The most important points about consent

Freely given - Real choice and control of data
Specific - Granularity in data requests
Informed - Prominent and easy to understand requests
Unambiguous - Clear, deliberate action to consent

NO legal and technical jargon
NO passive cookie banners (continue to accept)
NO bundling with non-negotiable terms of use
NO broad consent for all current and future purposes

Methodology and scoring
We checked 25 websites in each of 8 countries, selecting 5 large and visible organizations from each of 5 sectors (200 websites in total).

Sectors: banking, insurance, e-commerce, media, government and education

Countries: UK, France, Spain, Belgium, Germany, Poland, USA, Canada

We scored the websites based on two main criteria: consent mechanism quality, and clarity and availability of information. The higher the score, the closer to the GDPR ideal.

The score is not intended as a compliance evaluation.

Maximum score +10

+2 Clear choice about data collection
+2 No consent means no tracking cookies
+2 Clear, concise description of data policies
+1 Specific data purposes described individually
+1 Can accept or reject each data purpose
+1 Clear mention of data subject requests
+1 Easy to make data subject requests

Minimum score -5

-2 Third-party cookies placed without consent
-1 Preloading of possible tracking cookies
-1 Dark UX, e.g. preticked boxes or broken buttons
-1 Hidden or hard to find privacy policy

Scores for all 200 websites

[Chart: each vertical line is the score for one website, on a scale from -5 to 10, with the European Union and North America shown separately.]

Averages

Spain 2.32
France 2.20
United Kingdom 2.20
Belgium 1.72
Germany 2.52
Poland 0.88
United States -0.76
Canada -0.36

All countries 1.34
European Union 1.57
North America -0.56

Sector averages (for the EU only*)

Banking 2.10
Insurance 1.87
Media 2.47
E-commerce 1.73
Government & Education 1.70

Highlighted in the chart: Insurance in Germany 4.8; Government & Education in Belgium -1.2

*The relevance of the GDPR to some of these industries in North America is unclear. Does a US bank operating only in the US have to comply with the GDPR when an EU citizen visits the site? We don’t know yet how the regulation will be enforced. For this reason we decided not to include American and Canadian websites in the sector average results, as they would serve to, maybe wrongly, depress the scores of some industries more than others.

87% of websites clearly mentioned data subject requests

36% of websites offered a clear choice about data collection

74% of websites placed third-party cookies without consent

86% of websites preloaded possible tracking cookies

Only 5% of websites deleted tracking cookies after consent refusal

High scorers (scores 10 to 6): 5% of websites surveyed
The philosophy behind GDPR is easy to see in their approach

• Always offer a clear choice, though sometimes with prechecked boxes
• Clear and easy to find privacy policy
• No third party cookies without consent
• Clear way to exercise data subject rights

In the middle (scores 5 to 2): 48% of websites surveyed
A little from column A, a little from column B

• Only sometimes offer a clear choice
• Almost always mention data subject rights
• Often preload first- and third-party cookies
• Declining consent rarely eliminates all first- and third-party tracking cookies

Low scorers (scores 1 to -5): 47% of websites surveyed
Showed some effort, but hard to see the GDPR spirit

• Almost always mention data subject rights
• Almost never offer any kind of choice
• Almost always load third-party cookies
• Sometimes have unclear or hard to find privacy policies

Trends worth noting
Towards GDPR
Clear-headed description of choices

Many took the spirit of GDPR to heart and tried to describe in very clear
and direct terms how their websites worked, even if other parts of their
website didn’t show that same spirit. For example:

“We send information to third parties so that they can display ads to you across the web”

“If you disable cookies, you won’t be able to comment on articles or view flickr galleries”

Nicely designed consent popups

Where a choice was available, the popups or chat box style menus were usually clear and easy to use. There were also many varieties, indicating that there is a healthy market developing around displaying and gathering data consents.

Running in the other direction

“It’s not our responsibility”

Many websites featured links on how to disable third-party cookies via an external website or information about how to adjust browser settings. While intended to be helpful, the underlying message was questionable:

“It’s not our responsibility to control cookies and tracking on our own website.”

Exaggerated importance of cookies and tracking technologies

Some cookie and privacy policies imply that being tracked is an inevitable consequence of using the internet, with warnings like:

“If you disable cookies, our site will be unusable.”

Too much technical and legal jargon

Instead of stating in plain language what they want to do, i.e. “we
record your personal data for purposes x, y and z”, many websites
jumped right into the details. They contained long technical
explanations of cookies complete with the names of every cookie file
and the variables stored within. While the completeness is appreciated,
these organizations have forgotten that most people don’t understand
or care about such details.

Expert analysis
We asked 4 internet data privacy experts what they thought
were the biggest events of 2018 and what to expect in 2019.

Dr Johnny Ryan FRHistS
Chief Policy & Industry Relations Officer at Brave

Dr Johnny Ryan FRHistS is Chief Policy & Industry Relations Officer at Brave. His previous roles include Head of Ecosystem at PageFair, and Chief Innovation Officer of The Irish Times. He has a PhD from the University of Cambridge, and is a Fellow of the Royal Historical Society.

Follow @johnnyryan

Every time you visit a website and see a “behavioral” ad, intimate personal data about you, what you read online, and your device, is broadcast to tens or hundreds of companies.

This broadcast, known as a “bid request”, solicits bids for the opportunity to show you ads. This auction process is known as “real time bidding” (RTB).

But this broadcast is unlawful under the GDPR. Article 5 (1) f, says that
personal data be “protect[ed] against unauthorised or unlawful
processing and against accidental loss.” If one can’t protect the data, it
must not be used.

But billions of bid requests are broadcast each day. This is the most
massive data breach that internet users have ever suffered.

Few noticed what I think was an important privacy event in 2018: the
new RTB “3.0” specification was released in November. Despite serious
complaints before European regulators regarding bid requests, RTB 3.0
did nothing to fix the issue.

A reckoning is due. European data protection regulators are now investigating.

In 2019, AdTech companies will be forced to change how they operate. Though appeals may introduce some delay, RTB will ultimately switch to bid requests that carry no personal data.

Aurélie Pols
Privacy Engineer & founder of Competing on Privacy

Aurélie Pols pioneered digital analytics in Europe. Used to following the money to optimize data trails, she now follows data to minimize privacy risks, touching upon ethical data uses. She leads her own consultancy, serves as DPO for NY based CDP mParticle, was part of the EDPS’ EAG and serves on the board of the European Center on Privacy and Cybersecurity of Maastricht University.

Follow @AureliePols

Crucial events in 2018:

• SCL Elections (the firm behind Cambridge Analytica) pleads guilty –
Cambridge Analytica CEO Alexander Nix pleading guilty was
unthinkable 2 years ago when Nigel Farage was bullying Guardian
reporter Carole Cadwalladr.
• Italy’s Competition Authority fines Facebook 10 million € – Economist
Joseph Stiglitz talked at the FTC, about updating antitrust laws.
Concerns about tech monopolies are growing and official action may
not be far off as hinted at by EU Commissioner for Competition
Margrethe Vestager.

• Data privacy is bigger than data breaches and GDPR fines, it also
affects the future of how we work. The European Group on Ethics in
Science and New Technologies did a great job at describing a path
forward when it comes to AI taking over our jobs.

For 2019, I expect:

• ePrivacy to be decided upon but not enforced.
• More pan-European collaboration between supervisory authorities, coordinated by the EDPB with the secretariat managed by the EDPS.
• More global collaboration on data privacy with increased isolation by the US and an annulment of Privacy Shield.

We need to recognize that as our societies become increasingly digitized, we have to do more than optimize single market actors. It will take a (global) village to make sure the benefits of technology outweigh its downsides.

Read Aurélie’s full opinion on her LinkedIn profile.

David Clarke
Founder of GDPR Technology Group and Cyber Security advisor

David Clarke is the Founder of GDPR Technology Group, with over 17,100 members, and an internationally known GDPR and Cyber Security advisor. He is recognized as one of the top 10 influencers by Thomson Reuters’ “Top 30 most influential thought-leaders and thinkers on social media, in risk management, compliance and regtech in the UK” and is in the top 50 list of Global Experts by Kingston Technology.

Follow @1DavidClarke

2018 was the GDPR’s year of codification. 2019 will certainly be the year
of its enforcement.

Since the GDPR has come into force, several high profile incidents have
been brought to the attention of regulators.

Nielsen had a class action suit brought against it by a shareholder regarding GDPR readiness. Maternity advising firm Emma’s Diary was fined last July by the ICO for allegedly illegally disclosing its databases to political campaigns. The now infamous British Airways breach resulted in the loss of personal details of 380,000 customers. Despite timely reporting of the breach, the airline could be facing a negligence fine under the GDPR, which would come out to £500 million.

Also important to take into account is the rise in reporting of complaints by the public. By August of last year, the ICO had already seen a doubling in complaints since the GDPR came into force – a trend expected only to accelerate according to officials’ predictions.

Complaints to the ICO have produced, and continue to trigger, investigations leading to fines.

For company managers and IT workers alike, it is well worthwhile to carefully examine the new risks of non-compliance with data regulation.

Maciej Zawadziński
CEO of Piwik PRO and Clearcode

Maciej is an expert in analytics and advertising technology and founder of several successful companies. He has led Clearcode to its position as a leading software house building custom advertising and marketing technology and in 2013 co-founded Piwik PRO, a GDPR-compliant analytics platform. He advocates for better data privacy rights as a supporting expert at the Panoptykon Foundation.

Follow @zawadzinski

Most important events of 2018:

• Facebook and Google were taken to court with $8.8 billion in
lawsuits on day one of the GDPR. The lawsuits filed by Austrian
activist Max Schrems may yet prove that the American tech giants
aren’t exempt from serious punishment. What’s more, GDPR
enforcement actions started to trickle in towards the end of the year,
hinting that in 2019 we may see even more.
• The California Consumer Privacy Act (CCPA) was the first step
towards protecting user privacy in the US. It’s a sign that the GDPR
was more than just a bizarre EU fantasy. The CCPA isn’t nearly as
far-reaching as the GDPR, but it has symbolic importance, having
been created in the home state of Google and Facebook.

Predictions for 2019:

• Huge crimes, little sins. Headlines about ever bigger data breaches
are becoming commonplace, but many smaller privacy violations
likely go unnoticed. Small- and medium-sized companies are aware
that data protection authorities don’t have any tools to scan the
whole internet for violations and they’re taking advantage of the
situation. This won’t change in 2019 but users can support an ethical
evolution by asking questions, enforcing their rights and making
more conscious choices.
• It’s likely that ePrivacy will be delayed again due to a turbulent
outlook for 2019. The chaos in the EU because of a possible economic
downturn, Brexit and other sensitive political dilemmas will cause
us to wait another year for the lex specialis to the GDPR.

Report methodology notes
Members of the Piwik PRO team collected the data in December
of 2018 and January of 2019.

Website and country selection

For banking, insurance and e-commerce we chose the websites of the 5 largest brands by revenue in each country. Multinationals were allowed, but only in the country where their main headquarters is located. There were some exceptions to these rules, but in general we selected large companies with a significant local presence.

For media we selected by website traffic and circulation (if applicable). The two together were intended as a rough measure of the outlet’s influence. We ignored foreign ownership, since most media outlets are run by local staff even if the parent company is headquartered in another country.

For government we selected symbolically important websites, most often: the federal government, the two largest universities, the largest city and the national healthcare system.

The intention was to survey websites of influential organizations that were managed within the given country. This definitely does not match the most popular websites, which mostly belong to large American tech companies. Those sites have received a lot of attention for their privacy policies and we didn’t think it was useful to redo those analyses.

We chose the countries to be representative of different European regions. For each country, a person with native-speaker proficiency in a national language performed the survey.

Neither the choice of countries nor the choice of websites was meant to be wholly representative of the EU or of any given country or region. We intend this as an introductory study to get a general idea of how local actors have interpreted and reacted to the GDPR.

We’ve chosen not to mention individual websites because our intention is not to criticize the bad or praise the good. We want to evaluate and report trends that will help us and others understand what approach those under the jurisdiction of the GDPR have taken to the new regulation.

Scoring
Some of our scoring criteria deserve further explanation.

A “clear and concise description of data policies” is worth 2 points in our scoring rubric. We gave 1 point for clarity if it was clear from the pop-up or privacy policy text what the website was doing. The explanation could be long and full of jargon, but it received 1 point for being clear enough for us to understand. We gave 1 point for conciseness if everything was clear in less than a full page of text.

We judged a privacy policy to be “hidden or hard to find” if: it took us longer than 30 seconds to find; it was under a confusing name like “Legal mentions” or “Terms of use”; or it was at the bottom of an infinite-scroll page where the footer disappeared faster than we could click.

We considered data subject requests “easy to make” if there was a link to an online form or an email address. A physical mailing address or vague language such as “contact us” or “visit one of our stores” did not receive a point.
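The scoring rubric from the methodology section and the scoring notes above can be applied mechanically to what a reviewer records for one website. The Python below is an added example, not part of this report or of Piwik PRO's tooling; the site, cookie names and expiry dates are constructed, the conciseness point is only awarded when the clarity point is, and the first-party/third-party check assumes two-label registrable domains.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

@dataclass
class Cookie:
    name: str
    domain: str                  # Set-Cookie Domain attribute (or the host)
    expires: Optional[datetime]  # None means a session cookie

@dataclass
class Observation:               # what a reviewer records for one website
    site_host: str
    before_consent: List[Cookie]  # cookies set before any interaction
    after_refusal: List[Cookie]   # cookies still present after declining
    clear_choice: bool
    clear_description: bool      # 1 pt: we could tell what the site does
    concise_description: bool    # 1 pt more: in under a page of text
    purposes_individually: bool
    per_purpose_choice: bool
    mentions_dsr: bool           # data subject requests mentioned
    dsr_easy: bool               # online form or email address given
    dark_ux: bool
    policy_hard_to_find: bool

def registrable_domain(host: str) -> str:
    # Assumption: registrable domain = last two labels. Multi-label public
    # suffixes such as co.uk need the Public Suffix List; not handled here.
    return ".".join(host.lower().strip(".").split(".")[-2:])

def is_third_party(cookie: Cookie, site_host: str) -> bool:
    return registrable_domain(cookie.domain) != registrable_domain(site_host)

def is_persistent(cookie: Cookie, now: datetime, min_days: int = 1) -> bool:
    # a "possible tracking cookie": outlives the session by at least min_days
    return cookie.expires is not None and cookie.expires - now >= timedelta(days=min_days)

def score(obs: Observation, now: datetime) -> int:
    pts = 2 * int(obs.clear_choice)
    pts += 2 * int(not any(is_persistent(c, now) for c in obs.after_refusal))
    pts += int(obs.clear_description)
    pts += int(obs.clear_description and obs.concise_description)
    pts += int(obs.purposes_individually) + int(obs.per_purpose_choice)
    pts += int(obs.mentions_dsr) + int(obs.dsr_easy)
    pts -= 2 * int(any(is_third_party(c, obs.site_host) for c in obs.before_consent))
    pts -= int(any(is_persistent(c, now) for c in obs.before_consent))
    pts -= int(obs.dark_ux) + int(obs.policy_hard_to_find)
    return pts

# Constructed sample: a site that asks clearly but has already dropped an
# ad-network cookie and a two-year first-party cookie before any click.
NOW = datetime(2019, 1, 15, tzinfo=timezone.utc)
PRELOADED = [Cookie("_ga", ".example-bank.test", NOW + timedelta(days=730)),
             Cookie("IDE", ".adnetwork.test", NOW + timedelta(days=390))]
EXAMPLE = Observation("www.example-bank.test", PRELOADED, PRELOADED,
                      clear_choice=True, clear_description=True, concise_description=False,
                      purposes_individually=True, per_purpose_choice=False,
                      mentions_dsr=True, dsr_easy=True, dark_ux=False, policy_hard_to_find=False)

print("score:", score(EXAMPLE, NOW))  # 3
```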

About Piwik PRO
AdTech and MarTech experts founded Piwik PRO in 2013 due to the lack of an analytics stack that was both high performance and privacy-friendly. Our suite of products marries privacy by design, flexible hosting and full data ownership with enterprise-level features and support.

The Piwik PRO team consists of seasoned analytics experts and engineers who have
advised on and delivered a wide range of successful implementations. Acting as your
technology partner, we share our expertise, tailor our products and services to match
your particular goals, and support you from start to finish. We take enormous pride in
helping businesses and public sector organizations thrive!

Contact

NORTH AMERICA: 222 Broadway, New York, NY 10038, USA. +1 (888) 444 0049
DACH: Lina-Bommer-Weg 6, 51149 Cologne, Germany. +49 221 6430 7750
BENELUX: Stationsplein 45, unit A4.004, 3013 AK Rotterdam, The Netherlands. +31 858 881 458
UNITED KINGDOM: 15-17 Leeke Street, London WC1X 9HY, United Kingdom. +44 2033182881
FRANCE: 23, Avenue d’Italie, 75013 Paris, France. +33 9 75 18 11 77
SPAIN: IMDEA Software Institute, Campus de Montegancedo, E-28223 Pozuelo de Alarcón, Madrid, Spain. +31 858 881 458
EMEA: ul. Św. Antoniego 2/4, 50-073 Wrocław, Poland. +48 71 716 69 50

Web: https://piwik.pro
Email: sales@piwik.pro
