US (GN): Google is to restrict the number of advertising cookies on websites accessed via its Chrome browser, in response to calls for greater privacy controls. It said that it would phase out third-party cookies within the next two years, Cookies are small text files that are used to track users across the web.

It comes as a study suggests that many cookie consent pop-ups are flouting EU privacy laws.

Justin Schuh, Google’s director of Chrome engineering, said in a blogpost: “Users are demanding greater privacy - including transparency, choice and control over how their data is used - and it’s clear the web ecosystem needs to evolve to meet these increasing demands.”

Third-party cookies, which follow users from site to site tracing their browsing habits, have also been banned by Apple, Microsoft and Mozilla. Websites will still be able to use their own first-party cookies to track users.

The move comes as Ireland’s data protection authority investigates Google’s online advertising business and the practice of real-time bidding for online ads.

Meanwhile, researchers at the Massachusetts Institute of Technology, University College London (UCL) and Aarhus University have conducted a joint study into the use of cookies.

They analysed five companies which offer consent management platforms (CMP) for cookies used by the UK’s top 10,000 websites.

Despite EU privacy laws stating that consent for cookies must be informed, specific and freely given, the research suggests that only 11.8% of the sites met the minimal requirements of GDPR (General Data Protection Regulation) law.

Instead they were found to blanket data consent options in complicated site design, such as:

Just over half the sites studied did not have “rejecting all” tracking as an option.

Of the sites which did, only 12.6% made it accessible through the same or fewer clicks as the option to “accept all”.

Quantcast, the largest company analysed, typically asks for permission to share data with 542 different companies, explains study co-author Michael Veale, from UCL.

In response, the firm told the BBC: “Our default recommended settings grant equal prominence to the “I Accept” and “I Do Not Accept” buttons, and do not pre-select choices for any data processing purposes. While we strongly encourage that these defaults are used, website owners ultimately retain control over the customisation and presentation of their properties.

Crownspeak, another CMP provider, said that its default configuration was also set up to enforce prior consent.

The researchers estimate it would take, on average, more than half an hour to read through what the third-party companies are doing with your data, and even longer to read all their privacy policies.

“It’s a joke and there’s no actual way you could do this realistically,” said Dr Veale.

“Consent should always have been a clear positive action, laws on tracking have been unenforced for a decade and the result is regulators not knowing where to start to cope with the scale of the widespread illegality.”