What is the Cost of Online Consent?
Cookie banners/consent dialogs have become a hot topic. Most research studies focus on how dialogs are designed (e.g. the presence of dark patterns) or how those design choices impact how often users provide consent.
The question of what consent dialogs have cost society has received less attention. Most people would agree that they are annoying, but how annoying are they? Can we put a number on it?
A quick-back of the envelope calculation reveals a clear lower-bound in terms of time wasted. First, note that many websites out-source the design and management of consent dialogs to intermediaries known as CMPs. In February 2022, one such CMP, QuantCast, boasted of processing 25 billion consent signals. A field-study embedded QuantCast’s consent dialog on a real website and found that the median time to accept/reject is 3.2/3.6 seconds. Assuming users take the same amount of time on other websites, this means users have spent at least 2,500 years since 2018 expressing privacy preferences through Quantcast dialogs alone.
This represents a lower bound for two reasons. First, QuantCast have processed even more consent signals since February 2020. Second, QuantCast are just one intermediary among many. Initially QuantCast established market dominance:
But over time, other intermediaries gained market share:
If we scale the QuantCast figure across all dialog providers and until the present day, the amount of user time wasted filling out these dialogs is somewhere between 20,000 and 100,000 years.
In a Twitter thread this week, Alec Muffett went further by trying to put a monetary cost on time wasted. His approach focused on users rather than CMPs. He went for conservative estimates of: the number of individuals affected by the GDPR (445k), the percentage using the web per day (5%), popups per day per web user (10), time to dismiss a popup (3.2 seconds), and the minimum wage in Bulgaria/Luxembourg. Pulling these together, Alec estimates that a quarter of a billion euros is wasted per year.
So what can be done? One option is for browsers to express privacy preferences on behalf of users. For over 20 years, privacy advocates and AdTech firms have been arguing about how to automatically express privacy preferences. This resulted in proposals like the Platform for Privacy Preferences, Do Not Track and the Global Privacy Control. In fact, you can likely send one of these signals via the browser you are using to view this article. For example, the Chrome browser allows you to set a “Do Not Track” signal. Regulators could clarify how these signals should be interpreted. For example, a Do Not Track signal suggests the user does not consent to any unnecessary data processing, and that websites need not waste that user’s time by presenting a dialog.
Admittedly, this solution relies on AdTech actors respecting the privacy preferences expressed by users. Cynicism about this is well-founded. Why would AdTech change a habit of a life time, especially given regulators are so slow and inconsistent in enforcing data protection law. With this in mind, many people argue hard privacy protections that deny third-parties the possibility of tracking users are the only way forward. But at the very least, users should be spared from the Kafka-esque task of filling out the same consent dialogs over and over again.