Happy Birthday, GDPR

Four years ago today, the GDPR (General Data Protection Regulation) came into effect.

Depending on your perspective, it either marked the beginning of a new level of Cookie Consent Hell or the beginning of a new regime that forces organisations to consider how they can achieve their business objectives while minimising their use of data about us.

An aside: Where does cybersecurity come into this?

In the run-up to GDPR, I got involved in guiding businesses on what compliance looks like.

I didn’t grow up wanting to be a Data Protection Officer, but when talking to organisations about IT security, queries about data protection kept coming up.

If I had to explain how data protection and IT security relate:

– You can’t protect personal data without securing it.

– But securing it is only the start of your data protection obligations. After all, even if you are securing the data, you may not have any legal basis for having the data in the first place.

The Cookie Monster

While GDPR is about so much more than website cookies, cookies are one of the most visible ways that data protection regulations impact the online world.

We all still encounter those annoying cookie banners, encouraging us to allow the site to store numerous surveillance trackers (sorry, I mean cookies) on our devices so our online activity can be tracked and data about our activity can be sold to the highest bidder.

It’s called Cookie Consent Hell for a reason.

Cookie Deep Dive

If you want to see how cookies are still a thing, take a look at the cookies listed on the website of any prominent and GDPR-compliant business.

I’ve picked the website of Formula 1, because this site is very transparent about the cookies that it wants to store and this transparency is very revealing.

Required Cookies

First up, let’s look at their required cookies.

Required cookies are unavoidable: the site owner is saying that it is technically impossible for the site to operate without these cookies, so you have no choice in the matter.

This list should be restricted to cookies that are absolutely necessary to ensure the site actually works.

On F1.com today, there are cookies relating to more than 10 organisations included in their required cookies list, including Google.

Figure 1: Required Cookies List

Optional Cookies

Next, let’s look at the optional cookies. These ones only get stored if you click the most convenient ‘Accept All’ option on the cookie popup.

In total, there are more than 100 cookies stored by this particular site. (I have provided screenshots of the full list at the end of this article. Be prepared to scroll!)

If this is common practice across all of the websites that you visit, this means more than 100 different legal entities will get to see the sites you are visiting online.

If you want to understand why they would care, you should look into the complex world of Real Time Bidding, described as requiring the “collection, accumulation and dissemination of data about users and their activities for both operating the bidding process [and] profiling users to enrich bid requests”.
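To run the same count on a site you operate, the sketch below groups a cookie inventory by consent category and lists the third-party domains in each, so anything third-party sitting in the required list stands out. It is an added example, not taken from Formula1.com or any consent tool: the record fields, category labels, sample site and cookies are all constructed, and the domain reduction is a simplification of the Public Suffix List.

```python
from collections import defaultdict

# Simplification (assumption): a real audit should use the full Public Suffix List.
TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}

def registrable_domain(host):
    """Reduce a cookie domain such as '.ads.example.co.uk' to 'example.co.uk'."""
    labels = host.lower().strip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])

def third_parties_by_category(site_host, cookies):
    """Map each consent category to the sorted third-party domains setting cookies in it."""
    first_party = registrable_domain(site_host)
    found = defaultdict(set)
    for c in cookies:
        owner = registrable_domain(c["domain"])
        if owner != first_party:  # cookie belongs to someone other than the site
            found[c["category"]].add(owner)
    return {cat: sorted(domains) for cat, domains in found.items()}

def required_third_parties(site_host, cookies, required_label="required"):
    """Third-party domains in the category the visitor cannot decline."""
    return third_parties_by_category(site_host, cookies).get(required_label, [])

# Constructed sample inventory (hypothetical site, cookie names and categories).
SAMPLE_SITE = "www.shop.example"
SAMPLE_COOKIES = [
    {"name": "session", "domain": "www.shop.example", "category": "required"},
    {"name": "csrf", "domain": ".shop.example", "category": "required"},
    {"name": "_trk", "domain": ".metrics.example", "category": "required"},
    {"name": "uid", "domain": "sync.adnet.example", "category": "advertising"},
    {"name": "uid2", "domain": "px.adnet.example", "category": "advertising"},
    {"name": "bid", "domain": ".rtb.example.co.uk", "category": "advertising"},
    {"name": "lang", "domain": "www.shop.example", "category": "functional"},
]

if __name__ == "__main__":
    report = third_parties_by_category(SAMPLE_SITE, SAMPLE_COOKIES)
    for category, domains in sorted(report.items()):
        print(f"{category}: {len(domains)} third parties -> {domains}")
    print("Third parties in required list:",
          required_third_parties(SAMPLE_SITE, SAMPLE_COOKIES))
```

Each domain in the required output is one to justify as strictly necessary or move behind consent.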

So what?

Putting aside the data protection implications of such a long list of cookies, any site that stores cookies from over 100 third-party services feels like a site that has no issue with facilitating extensive online tracking of its visitors.

Either that, or it is simply an over-engineered site.

Some cynics may say that reflects the sport itself, but as a fan of Formula 1, you don’t want to drag me into that rabbit hole!


The list of optional cookies

For the record, this is the list of cookies listed under the Functional, Advertising, Purposes and Partners categories of the cookie consent banner on Formula1.com this week.
