Europe twists YouTube's arm to get better cookie consent popups

Alphabet's Google on Thursday said it has rolled out a new cookie consent banner for YouTube visitors in France and will soon deploy the popup for its online properties throughout Europe.

The reformulated cookie consent banner – more of screen-seizing overlay page than a slender banner – follows from discussions between the US goliath and European data protection authorities, particularly France's Commission Nationale de l’Informatique et des Libertés (CNIL), which has been grumbling about cookie compliance for at least the past seven years.

Cookies, or HTTP Cookies, are files used to store key-value data sets in a web user's browser for session management, personalization, and tracking.

It's the tracking aspect of cookies – particularly third-party cookies placed by entities other than the website being visited – that has made them problematic and has led lawmakers in the EU and elsewhere to regulate their usage. In Europe, the General Data Protection Regulation (GDPR) and the ePrivacy Directive impose consent requirements on websites using cookies.

Efforts to comply with these laws – whether motivated by disingenuous efforts to steer users to accept all cookies or genuine design incompetence – have led to cookie consent popups that annoyed users and spurred the development of technology to avoid the intrusive notices, such as browser extensions that block them.

"Overall, consent notices have become ubiquitous but most provide too few or too many options, leaving people with the impression that their choices are not meaningful and fueling the habit to click any interaction element that causes the notice to go away instead of actively engaging with it and making an informed choice," wrote researchers in a 2019 paper, "(Un)informed Consent: Studying GDPR Consent Notices in the Field."

Third-party cookies have become increasingly unwelcome in the web browsers made by Google's more privacy-conscious rivals over the past several years. Google, maker of the widely used Chrome browser, eventually responded by announcing plans to stop supporting third-party cookies next year, as it works to implement successor technology via its aspirationally named Privacy Sandbox project.

But third-party cookies still exist and have to be dealt with, so European data protection authorities expect Google to present visitors to its websites with the ability to choose how they would like their cookies served, or if they want them at all.

In a blog post, Sammit Adhya, Google product manager for privacy, safety, and security, said the Chocolate Factory has completed both a redesign of its cookie menu and associated infrastructure changes.

Google's new EU cookie consent notice ... Click to enlarge

"Soon, anyone visiting Search and YouTube in Europe while signed out or in Incognito Mode will see a new cookie consent choice," said Adhya. "This update, which began rolling out earlier this month on YouTube, will provide you with equal 'Reject all' and 'Accept all' buttons on the first screen in your preferred language."

While this falls short of the non-compulsory and thus widely ignored "Do Not Track" mechanism implemented in browsers to let web users declare a global preference in advance, Google's inclusion of a "Reject all" button that isn't undermined by a "dark pattern" design counts for something. It shows at least that privacy advocacy [PDF] and regulations banning manipulative interfaces have made an impression.

Still, Google has failed to go as far as GitHub, which in late 2020 stopped presenting any cookie notification banner because it abandoned non-essential cookies. That's not to say GitHub gave up collecting first-party data from its users, only that Microsoft's code-hosting biz no longer implements the sort of third-party trackers it would be obligated to disclose. ®