Confusion around GDPR has led many website owners to make the decision to wait and see how other websites tackle it before committing to their own solution. User consent is an area of particular concern for many websites, with a myriad of approaches and solutions being used around the web. Hoping to find some form of consensus on how to approach consent, we looked at how some of the world’s busiest websites are approaching it. Visiting the top 5 websites in fifteen difference categories, we looked at how each presented cookie/privacy information to a user inside the European Economic Area.

How many sites notify about cookies / privacy?

The first test was simply whether any form of privacy or cookie information was presented to the user. It was noted whether each site requested active consent (such as clicking of an “agree” button, or setting preferences), provided some sort of notice beyond a discrete privacy link (such as a pop-up message or interstitial), or did neither of these things. Over 37% of the tested sites did neither.

Of the 75 sites tested:

28 presented no notice regarding cookies, privacy or personalised ads

26 showed a notice (such as a pop-up alert)

21 requested some form of user interaction to provide consent

What active consent mechanism was used?

Test two was to look at what method was used to collect consent when some form of active consent was sought. Over half of the sites tested opted for granular controls that allowed the user to either select what Cookies were used, or what purposes cookies could be used for.

Of the 21 sites that presented some form of opt-in:

7 were Opt-in only : A notice was presented with a means to provide consent (such as an “I agree” button). No on-site means offered to refuse consent or otherwise adjust cookie usage.

: A notice was presented with a means to provide consent (such as an “I agree” button). No on-site means offered to refuse consent or otherwise adjust cookie usage. 1 was Opt-in / Opt-out : A notice was presented with a means to provide consent (such as an “Agree” button) and a means to decline it (such as a “Disagree” button).

: A notice was presented with a means to provide consent (such as an “Agree” button) and a means to decline it (such as a “Disagree” button). 11 offered granular controls over cookie usage : A means was provided to consent to decline the use of either particular cookies or particular uses of cookies.

: A means was provided to consent to decline the use of either particular cookies or particular uses of cookies. 2 took a different approach (see below)

Foxnews.com showed no privacy or cookie notice, but prevented personalised ads serving to EEA users by simply blocking all ads to users in that region. Content still served normally, but without ads showing.

Indiatimes.com Simply blocked all users in the EEA from accessing the site, instead showing a notice explaining that they are currently not allowing users in Europe to access the site.

What the sites served whilst awaiting consent

Sites load before consent is given, and there are differences in what content is served whilst waiting for consent. 37.5% of the sites that serve ads didn’t do so until consent was sought. Almost half of sites blocked all content/interaction until preferences had been set.

Of the 21 sites that required active consent:

10 blocked content until the user had expressed their preferences

5 were sites that didn’t show ads

6 blocked ads until preferences were set

10 served some sort of ad before preferences were expressed

Conclusions

Even amongst some of the busiest sites on the web there is still little consensus on either when consent should be sought or what form that consent should take. Solutions range from the costly and conservative to making no outwardly obvious efforts towards compliance. Even amongst top sites, over a third have no apparent means to gain consent. Whether that is due to taking the position that none is required or not yet having a solution in place is not yet clear.

Methodology

We looked at the top 5 websites in each of Alexa’s top level categories, skipping any domain that appeared in an earlier category. Each was viewed on desktop and mobile in an incognito browser window from two different UK IP addresses. We only looked at consent gathering, not the less clear topic of whether consent was necessary. No testing was done as to whether withdrawing consent had any actual impact on Cookie use. No testing was done on site in the adult category. Analysis was performed on June 6th 2018. Please note that our experience at time of testing may not reflect the experience of others. No opinion is offered regarding the compliance status of any of the websites tested.

Consent methods were classified as follows:

None : No notice regarding cookie or advertising consent was seen.

No notice regarding cookie or advertising consent was seen. Notice only : Some form of notice was presented regarding Cookies/Privacy. This was information only with not means presented to affect cookie use.

: Some form of notice was presented regarding Cookies/Privacy. This was information only with not means presented to affect cookie use. Opt-in only : A notice was presented with a means to provide consent (such as an “I agree” button). No on-site means offered to refuse consent or otherwise adjust cookie usage.

: A notice was presented with a means to provide consent (such as an “I agree” button). No on-site means offered to refuse consent or otherwise adjust cookie usage. Opt-in / Opt out : A notice was presented with a means to provide consent (such as an “Agree” button) and a means to decline it (such as a “Disagree” button).

: A notice was presented with a means to provide consent (such as an “Agree” button) and a means to decline it (such as a “Disagree” button). Granular controls : A means was provided to consent to decline the use of either particular cookies or particular uses of cookies.

Raw data

Category / Domain Notice type Content serving Ad serving ENTERTAINMENT youtube.com Notice only Serve immediately Serve immediately imdb.com None Serve immediately Serve immediately bbc.co.uk Granular controls Serve immediately Doesn’t run ads cnn.com Opt in only Serve immediately Serve immediately espn.com Opt in only Serve immediately Serve immediately BUSINESS office.com Notice only Serve immediately Doesn’t run ads paypal.com Granular controls Serve immediately Doesn’t run ads chase.com None Serve immediately Doesn’t run ads indeed.com Notice only Serve immediately Serve immediately alibaba.com None Serve immediately Serve immediately COMPUTERS google.com Notice only Serve immediately Serve immediately facebook.com Granular controls Block until preference known Block until preference known yahoo.com Granular controls Block until preference known Block until preference known wikipedia.org None Block until preference known Doesn’t run ads twitter.com Notice only Serve immediately Block until preference known GAMES twitch.tv Notice only Serve immediately Serve immediately roblox.com None Serve immediately Doesn’t run ads steampowered.com None Serve immediately Doesn’t run ads gamespot.com Granular controls Serve immediately Serve immediately ign.com Granular controls Block until preference known Serve immediately HEALTH nih.gov None Serve immediately Doesn’t run ads webmd.com Opt in only Block until preference known Doesn’t run ads myfitnesspal.com None Serve immediately Serve immediately mayoclinic.org None Serve immediately Serve immediately psychologytoday.com None Serve immediately Serve immediately HOME yelp.com Notice only Serve immediately Serve immediately theverge.com Opt in only Serve immediately Block until preference known gizmodo.com Granular controls Block until preference known Serve immediately gsmarena.com Notice only Serve immediately Serve immediately cnbc.com Notice only Block until preference known Block until preference known KIDS AND TEENS epicgames.com Notice only Serve immediately Doesn’t run ads reverso.net Notice only Serve immediately Serve immediately thesaurus.com Notice only Serve immediately Serve immediately weebly.com Notice only Serve immediately Doesn’t run ads battle.net Notice only Serve immediately Doesn’t run ads NEWS reddit.com Opt in only Serve immediately Serve immediately nytimes.com Opt in only Serve immediately Serve immediately theguardian.com Opt in / out Serve immediately Serve immediately indiatimes.com Other Block until preference known Block until preference known foxnews.com Other Serve immediately Not to EEA users RECREATION booking.com Notice only Serve immediately Doesn’t run ads tripadvisor.com None Serve immediately Serve immediately 9gag.com Granular controls Block until preference known Doesn’t run ads expedia.com None Serve immediately Serve immediately hotels.com Notice only Serve immediately Doesn’t run ads REFERENCE stackoverflow.com Notice only Serve immediately Serve immediately archive.org None Serve immediately Doesn’t run ads worldreference.com None Block until preference known Block until preference known goodreads.com None Block until preference known Block until preference known blackboard.com None Serve immediately Doesn’t run ads REGIONAL Amazon.com None Serve immediately Serve immediately Google.co.in Notice only Serve immediately Serve immediately Googe.co.uk Notice only Serve immediately Serve immediately microsoft.com Notice only Serve immediately Doesn’t run ads amazon.co.jp None Serve immediately Serve immediately SCIENCE researchgate.net Notice only Serve immediately Doesn’t run ads coinmarketcap.com Notice only Serve immediately Serve immediately sciencedirect.com None Serve immediately Doesn’t run ads urbandictionary.com None Serve immediately Serve immediately ieee.org Notice only Serve immediately Doesn’t run ads SHOPPING netflix.com None Serve immediately Doesn’t run ads ebay.com None Serve immediately Serve immediately amazon.co.uk None Serve immediately Serve immediately walmart.com None Serve immediately Doesn’t run ads etsy.com Granular controls Block until preference known Doesn’t run ads SOCIETY siteadvisor.com None Serve immediately Doesn’t run ads patreon.com None Serve immediately Doesn’t run ads state.gov None Serve immediately Doesn’t run ads jw.org Notice only Serve immediately Doesn’t run ads europa.eu None Serve immediately Doesn’t run ads SPORTS cricbuzz.com Notice only Serve immediately Serve immediately nba.com Granular controls Block until preference known Serve immediately espncricinfo.com Opt in only Serve immediately Serve immediately bleacherreport.com Notice only Serve immediately Serve immediately goal.com Granular controls Block until preference known Block until preference known

If you need some help understanding GDPR consent, we have a free download explaining EU user consent for publishers websites.