Strictly necessary cookies

TL;DR

According to the GDPR, you may only place strictly necessary cookies without asking the user for permission. No speed test places strictly necessary cookies correctly.

Well-known speed tests such as Ookla's speedtest.net and SpeedOf.me place cookies in violation of the GDPR.

 

Contents

  1. Introduction
  2. Method of measurement
  3. Speed tests to test
  4. The measurements
  5. Conclusions
 

Introduction

The essence of the cookie law is the following:

To comply with the regulations governing cookies under the GDPR and the ePrivacy Directive you must:

  1. Receive users’ consent before you use any cookies except strictly necessary cookies
  2. Provide accurate and specific information about the data each cookie tracks and its purpose in plain language before consent is received
  3. Document and store consent received from users
  4. Allow users to access your service even if they refuse to allow the use of certain cookies
  5. Make it as easy for users to withdraw their consent as it was for them to give their consent in the first place

The following definition is used for Strictly necessary cookies:

Strictly necessary cookies — These cookies are essential for you to browse the website and use its features, such as accessing secure areas of the site. Cookies that allow web shops to hold your items in your cart while you are shopping online are an example of strictly necessary cookies. These cookies will generally be first-party session cookies. While it is not required to obtain consent for these cookies, what they do and why they are necessary should be explained to the user.

 

Method of measurement

In the earlier counting cookies test we discovered that there are speed tests that place cookies directly, without the user asking. According to the cookie law, this is only permitted if it concerns strictly necessary cookies.

Initially it was thought that it would be necessary to investigate whether the placed cookies are strictly necessary for the functioning of the speed test.

It quickly became clear that this is not necessary at all. There are various speed tests that can be performed without cookies. There is therefore no reason to place cookies that ensure that a speed test functions properly.

It is therefore easier to assume that cookies that are not strictly necessary are placed immediately. An inventory of the placed cookies should quickly provide clarity as to whether they are not strict (for example because they are used for advertisements).

Which cookies a website uses is investigated with the Chrome extention Get cookies.txt LOCALLY.

Speed tests to test

All speed tests that use at least 1 cookie, as mentioned in the counting cookies test, will be tested.

 

The measurements

  1. Bandwidth Place cookies used include _ga, _gid, _gat
  2. Bredbandskollen cookie used is OptanonConsent
  3. Broadband Speed Checker cookies used are uid, sc_userApi, sc_userLogged and sc_userEmail
  4. Comparitech cookies used include _gid, __gads, __gpi, _ga
  5. DSLReports cookies used include _ga, _gid, _gat, __gads, __gpi
  6. Fireprobe cookies used include _ga, __gads, __gpi
  7. M-Lab cookies used include _ga, _gid, _gat
  8. Meter.net cookies used are timezone and windowwidth
  9. N Perf cookies used include _ga, _gid, _gat
  10. Ookla Speedtest cookies used include _ga, _gid, __gads, __gpi
  11. Open Speed Test cookies used include _ga, _gid
  12. SamKnows cookies used include _ga, _gid, _gat
  13. SpeedCheck cookies used include _ga, _gid
  14. SpeedOf.me cookies used include _gid, _ga, __gads, __gpi
  15. SpeedOf.me API Sample Page cookies used include _ga, _gid
  16. SpeedSmart cookies used include _ga
  17. Speedtest4.PHP cookies used are __gads, __gpi
  18. TestMy.net cookies used include _ga
  19. Toast cookies used include _ga, __gads, __gpi
  20. Which Broadband Speed Test cookies used are source_code and OptanonConsent

At the page How Google use cookies the following is stated: ‘_ga’, the main cookie used by Google Analytics, enables a service to distinguish one visitor from another and lasts for 2 years. Any site that implements Google Analytics, including Google services, uses the ‘_ga’ cookie

That the website owner uses Google Analytics is not strictly necessary according to the cookie law. We therefore conclude that the majority of the speed tests on this page do not comply with the cookie law.

Hence speed tests that might comply with the cookie law (because they don't place a Google Analytics cookie without asking) are: Bredbandskollen, Broadband Speed Checker, Meter.net, Speedtest4.PHP and Which Broadband Speed Test.

Testing some cookies placed by this speed tests with Cookiepedia give the following results:

  1. OptanonConsent is a strictly necessary cookie
  2. uid is a performance cookie
  3. timezone is an unknown cookie
  4. __gads is a targeting/advertising cookie
  5. source_code is an unknown cookie

Bredbandskollen

Based on the above results it seems that only Bredbandskollen correctly sets a stricly necessary cookie. However, the English version of Bredbandskollen requires that you accept the cookies before you are able to read their cookie statement. Hence it is not possible to read what the OptanonConsent cookie do and why this is a strictly necessary cookie.

You first have to accept cookies before you are able to read the cookie statement of Bredbandskollen

At the page Privacy policy for Bredbandskollen it is stated that The Swedish Version of this policy shall prevail.

At the Swedish page it is stated that:

Nödvändiga kakor krävs för att webbplatsen ska fungera. Det kan vara funktioner som gör att du kan fylla i formulär, inställningarna för dina personliga preferenser eller inloggning. I din webbläsare kan du välja att blockera eller ställa in så du blir varnad för dessa kakor, men tänk på att hela eller delar av webbplatsen inte fungerar då. Nödvändiga kakor lagrar inte någon personligt identifierbar information.

Translated with Google Translate it says:

Necessary cookies are required for the website to function. These may be functions that allow you to fill in forms, the settings for your personal preferences or login. In your browser, you can choose to block or set up so that you are warned about these cookies, but keep in mind that all or parts of the website will not work then. Necessary cookies do not store any personally identifiable information.

Note that this definition is not according to the cookie law! There is a difference between strictly necessary cookies and preference cookies.

When you go to the Swedisch version of Bredbandskollen then you are able to read the Swedisch privavy policy without accepting cookies.

 

Conclusions

We therefore conclude that no speed test places strictly necessary cookies correctly.