March 2019

2721 words

GDPR in Sweden: How Sweden's biggest websites are communicating compliance (and how your business should not!)

Note: this article was initially published on tedeh.ltd but was moved to this site in June, 2022.

In this article we will investigate ten of the largest websites in Sweden as a casual visitor. We will have the rights given by the EU General Data Protection Regulation (GDPR) in mind as we attempt to describe the manner in which the subject websites inform us of our rights, and the specifics around how it is done (pop-ups, buttons, links, terminology, etc.)

Finally we will give some recommendations on how businesses with an online presence can best communicate the rights granted under the GDPR to their European visitors and customers. These recommendations will have what is best and most clear for the user in mind, and will be supported by our findings.

This article will not attempt to issue specific legal advice on how a business can comply with the GDPR. This is highly dependent on specifics and usually requires individual consulting. We will merely look at how these rights are communicated and conveyed to a casual website visitor.

The GDPR directive was implemented all over the European Union on 25th May 2018. Its primary concern is data protection and user privacy. It applies to every business that is either located in the EEA (European Economic Area) or that has customers (or visitors) that are a citizens of any of these countries.

The primary function of the GDPR is to give a measure of control over personal data to visitors and users. To achieve this goal, a number of rights has been granted. In order to be compliant under the GDPR consent has to be given by the individual to the company to allow them to process their personal data. This consent needs to be freely given, and should be able to be revoked at any time. Non-compliance with GDPR comes with heavy fines.

In this article we are particularly interested in how consent is given (or assumed to be given) by the user to the websites that we have chosen to visit.

Subjects

These are the ten sites we will be looking at: Aftonbladet.se, Blocket.se, DN.se, Expressen.se, Flashback.org, Hemnet.se, Hitta.se, IDG.se, Prisjakt.nu and SVT.se.

Half of these sites belong to a parent publishing/media company. Aftonbladet.se, Prisjakt.nu, and Blocket.se are part of the Schibsted Media Group. Expressen.se and DN.se belong to Bonnier Group.

Findings

We found that all of the websites surveyed included information on usage of cookies and personal data in various ways and on various pages. This should be expected from any business since the GDPR took effect. However, they vary considerably when it comes to details as we will now see.

Every website visited included a specific interface for affirming consent. We have chosen to call this the Consent Dialog and it is the first and most prominent way a website communicates rights under the GDPR to the visitor. We managed to identify three different consent dialogs: Modal, Popper, and Ribbon. Here are actual examples of all three:

"Modal" consent dialog from IDG.se (always visible until closed)

"Popper" consent dialog from Aftonbladet.se (bottom of page, sticks there when scrolling down)

"Ribbon" consent dialog from Expressen.se (top of page, disappears above when scrolling down)

Each method provides a different level of urgency to the user. The “modal” consent dialog has the most urgency: the visiting user immediately has to deal with the modal if they want to see any of the other content at all. It is unlikely that any visitor fails to recognize and digest at least some of the content in a modal dialog.

The “ribbon” consent dialog on the other hand remains at the top of the page and disappears as the user scrolls down. It is not urgent in any sense of the word: the user can simply chose to ignore it, and its presence does not effect the user experience at all.

The “popper” consent dialog sticks with the browser window as the user scrolls. It always occupies a certain portion of the visitors display. It could be considered to lie somewhere in between the “modal” and the “ribbon” in urgency – a user might feel obligated to read and close it in order to free up a portion of the display so that they can see more content on the screen at the same time.

Dialog position

Some consent dialogs are more prominent than others. The Modal dialog is always visible, but the Popper and Ribbon dialogs can be placed differently. We are not going to go in to specifics of the actual design or shape of the consent dialogs, but just note that all sites (in some instances) had the consent dialog positioned so that it could be plainly seen when the page first loaded. In other words, it was not hidden from the user in any explicit way. In web design this position is called being above the fold and is an important property if you want to make sure that as many visitors as possible will see something. Conversely, not being seen on the first page load is dubbed being belove the fold.

A few of the websites however had a mode where on the first visit you would be shown a full page ad. The consent dialog was not present in a visible manner when this state appeared, and the user would have no idea about their rights until after clicking past the ad.

Full page ad from Aftonbladet.se (no consent dialog until you click past the ad)

Aftonbladet full page ad without consent dialog

Policy links

All of the websites visited included at least one link in the consent dialog to a page showing more information. All of these linked pages contained at information about integrity, privacy, reasons for processing of personal data and what data about visitors is stored. They also held information about cookies and what they are used for.

All websites had links to their appropriate policies in the consent dialog. After clicking past the consent dialog, the policy pages could still be reached from links in the page footers.

Terminology

The terminology used is interesting. None of the sites offered any “negative” alternatives to giving consent, instead relying on the user steering their browser somewhere else if the terms offered are not appealing or acceptable.

Three categories of “consent granting” terminology was observed.

Active approval: “I approve”
Passive approval: “I understand”, “OK, thank you!”, “OK, roger that!”
Ambiguous approval: “Close” (…the dialog)

Number #2 (passive) was the most widely used.

We also looked at the terminology used for policy links, but did not discover anything particularly interesting. They were all collected under names such as “Integrity”, “Personal Information Processing” and “About Cookies”.

Customization

A few of the surveyed websites offer customization of options related to privacy and cookies. Most did not. Another few provided links to youronlinechoices.com/se which is the site of an EU-based non-profit organization called EDAA. Here users can give or revoke individual or blanket consent to advertising networks. The settings are then stored as another cookie, and supposed to be respected by affiliated advertising networks when encountered.

Below is an example of a two-choice customization modal from IDG.se. The “Standard” option is visually prominent and selected by default. It grants the most rights to the website and its affiliates for tracking the user. The other option “Begränsad” (Limited) allows the user to opt-out of personalized ads, integration with social networks, personalized article recommendations and even “interactive graphics”.

Customization dialog from IDG.se (two modes available, "Limited" and "Standard")

Cookies

All of the websites visited saved cookies in the users’ browser immediately on first page load. At the outset of writing this article, we had a (possibly) naive idea that at least some of the sites would not save cookies at all until consent was affirmatively given by the user.

Cookies are not necessarily all bad from the users’ standpoint: one typically use is to store session information which tells if a user is logged in or not logged in. This sometimes makes cookies an essential part of a websites functionality. Certain other cookies can be used to identify a user personally. When that is possible, the cookie is considered personal data as defined by the GDPR, and thus subject to all the rights granted by it.

While we did not look deep into what kind of cookies were set, we did distinguish between domain cookies and third-party cookies. Domain cookies are cookies set by the same domain as the website you are visiting, i.e. a cookie set by IDG.se is considered a domain cookie if your browser address bar was at IDG.se at the time it was set. Third party cookies are set by any other domain. “Other domains” saving cookies can be from sources such as content delivery networks to speed-up serving of files or ad networks that the site visited is affiliated with. The number of cookies set by either type can be found in the table of features below.

Table of features

Here is a table arrangement of some of the key features. You can hover over the row titles to see explanations. This data was collected at the end of January 2019.

All of the strings given have been translated from Swedish. Hover over the English terms that are underlined in order to read the original translation.

	Aftonbladet	Blocket	DN	Expressen	Flashback	Hemnet	Hitta	IDG	Prisjakt	SVT
Consent dialog	Popper	Modal	Ribbon	Ribbon	Popper	Popper	Popper^[3]	Modal	Ribbon	Ribbon
Consent visibility	Below/Above fold^[1]	Covers page	Below/Above fold^[1]	Below/Above fold^[1]	Above fold	Above fold	Above fold	Covers page	Above fold	Above fold
Consent "More Info" link	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes
Consent term	I understand	OK, thank you!	Close	Close	I understand	I understand	OK	Approve	OK, roger that!	I understand
Consent customization?	Yes	Yes	No	No	No	No	Yes	Yes	Yes	No
Personalized ads?	Yes	Yes	Yes	Yes	No	Yes	Yes	Yes	Yes	No ads
Policy link name	Personal Information Policy	Personal Information Processing	Personal Information Policy	Personal Information	Integrity	Integrity	Integrity	About cookies, personal information & copyright	Personal Information Policy	About personal information processing and cookies
Cookie policy link name	Cookie policy	Cookie policy	About cookies	Cookies	Integrity	Here is how Hemnet uses cookies	Integrity	About cookies, personal information & copyright	About cookies	About personal information processing and cookies
# of domain cookies on load^[2]	13	14	13	15	7	19	6	11	7	10
# of total cookies on load^[2]	25	19	114	136	9	75	55	13	10	15

Notes

Sometimes different based on a non-controllable factor. Example: Consent dialog below fold when a full page ad is shown, but above fold when such an ad is not shown.
The numbers given in this row are going to vary depending on many factors, and can only be seen as a rough guide to how many cookies a website actually tries to set
The Hitta.se front page does not scroll, so is not technically either a Popper or Ribbon (but it most resembles a Popper in appearance)

Recommendations for businesses

Despite most of the sites visited making a best-effort attempt at GDPR compliance, and no doubt having received the “all-clear” from the legal department, some have clearly done a worse job at implementation than others.

At TEDEH LTD we have always been strong advocates of taking the path of least resistance when it comes to user interface design. If the user expects something a certain way, do not confuse them with original terminology or clever design. This tenet is very much applicable when it comes to communicating GDPR compliance in the most effective way.

Here are some recommendations based on our findings for how an average business processing some level of personal data should approach this problem.

The consent dialog should be clearly visible and demand the users attention on first visit. It is the most important design choice for communicating GDPR compliance. Depending on how much personal data your website/business is processing either the modal dialog or popper dialog design element should be used.

Use the modal dialog when some level of consent is necessary for even basic usage of the website. For most other cases the popper dialog seems the best choice: it strikes the right balance between demanding too much attention from your users while still being plainly visible.

We believe that the ribbon dialog is a so-called dark pattern of design that should be avoided. Using a consent dialog of the ribbon type that is sometimes not even visible on the first page load does not inspire confidence in the way a particular organization handles personal data. A privacy conscious visitor might ask himself how much personal information is handled by the organization and their partners behind the website if they feel that they have to hide their privacy policy and consent dialog from the user.

2. Be clear with your visitors

Consent dialogs do not need to include a complete legal text, but should always link to a page with a complete policy. This policy page should be under the umbrella term “Integrity” or “Privacy”. It should contain information about cookies and how they are used, privacy policy, and specific rights and how to exercise them under the GDPR. This page should always be reachable from somewhere on your site even after consent has been granted by the user.

The consent dialog should have clear and unambiguous language to retrieve consent. Use “I approve” as the term affirming consent, not anything else. The important thing is to communicate that the user is actively granting the website and its partners the right to do something. Leaving choices such as “I deny consent” out as all of the visited websites have done is OK too. The user should understand that not giving at least a minimum level of consent means they are probably better off going somewhere else.

Most users should be OK with giving up some level of privacy in order to gain a perceived benefit. A website that can honestly explain this benefit in clear and concise language will have no problem collecting the necessary consent from their visitors, even for personalized advertising.

3. Provide customization if it can be done simply

Provide customization of the consent level if it can be done in a simple and intelligible way. Few users are probably going to use this feature, but providing it shows that you put forward the extra effort to cater to your privacy-minded visitors.

Referring the visitor to a third-party website where they can customize the consent given to a wide array of ad networks is a doubtful approach. What is the guarantee that adjusting settings on a third-party site will impact all possibly privacy-intruding partners and affiliates of a visited site?

We’ve also seen some sites providing customization by way of presenting the user with a huge list of different toggle buttons. These buttons are sometimes all “on” by default, granting the website the maximum level of consent. It goes without saying that presenting a user interface like this to the user invites the question on why exactly the website wants to make it hard for the user to revoke a blanket-level of consent. This is not exactly confidence inspiring and should be avoided.

The best way to provide customization seems to be to do as IDG.se has done, with two simple categories “Limited” and “Standard” that the user can chose from, optionally allowing more fine grained control if requested. Do not degrade/deny service for visitors choosing a lesser level of consent unless it is absolutely necessary and comes with clear motivation on why it is required.

Final remarks

Requesting consent from a visitor is actually not a very complicated undertaking. Following the recommendations and best-practices provided above we at TEDEH LTD hope that you have gained enough knowledge about how to present it to your visitors in the most clear and non-intrusive way possible.

Most of your visitors will immediately give the consent you need without a second thought. But, putting in the extra effort to also cater to your privacy-minded audience will pay dividends in the future. This slice of users is only going to grow in the future as people in general become more privacy-aware.