The European War on Cookies

On May 26, the new EU-mandated “Cookie Law” will go into effect in the UK. This law requires that websites give users the ability to opt out of all tracking. The UK and Ireland took this a step further and require users to opt in. Website owners in the UK that fail to comply with the law will face fines of up to £500,000.

What does this mean for Internet users? In practical terms, it means users will now start seeing pop-ups or splash screens that require them to give consent to receiving cookies before they can access a website that uses cookies (which is the vast majority of websites on the Internet). Not only will this annoy users and slow them down when visiting sites, but after seeing this on every single website they visit, users will likely grow accustomed to these notices and click “Accept” without giving it a second thought. After users have clicked a few thousand of these, the law will likely have conditioned most of them to accept any privacy notice they receive. So much for the strategy of teaching users to be more privacy aware…

Over time, I also wouldn’t be surprised to see developers start to create something like an “Auto Cookie Accept” browser plug-in that automatically accepts and closes these types of privacy notices (e.g., an improved version of the popular pop-up blocker plug-in). After all, computers are great at automating tasks that humans don’t want to do.

However, not all sites will necessarily add these opt-in notices. One alternative is that some websites may avoid the pop-ups and splash screens by just eliminating the use of cookies.  This means that these websites would give up effective ad monetization and the use of website analytics, customization and personalization, and social networking.  No Google Analytics, no Facebook “Like” buttons, and no “set your language” features. Or basically they’d roll back their websites to the version they were using around 1996.

To see an example of the new cookie law in action, visit the website of NDS, a UK-based company that makes software for the pay-TV industry.  You will see a splash screen like this:

NDS website requiring users to consent to cookies to use site

You can click “more information on the cookies we use and why” and see what kinds of cookies this site collects. There are three types:

  • A cookie to track whether you have accepted the use of cookies.
  • Cookies to allow the site to work (e.g. set the language, set the region, set a session ID to allow the ASP.net applications on the site to run).
  • Cookies for analytics, including specifically Google Analytics, a widely used web site analytics tool.

None of these cookies is problematic, and, ironically, one of the three types is implemented just to track compliance with the cookie law. Imagine how much productivity is lost for every user who must click this type of notice every time they visit a new site. And the process starts all over whenever users clear their browsers, get new computers or mobile devices, or the site’s privacy policy changes.

Will every UK-based site look like this come Saturday?  No.  Many sites are simply going to miss the deadline on Saturday.  In fact, the BBC has reported that even the government has failed to properly implement informed consent on its websites and that the majority of UK government sites will fail to comply in time.  And an informal survey of FTSE 100 sites shows many have quite a ways to go to fully comply with the law.

Not surprisingly, many EU website owners are unhappy with these regulations and the burden they impose. While it should be obvious that making the Internet harder to use for businesses and consumers is not a path forward for innovation and economic growth, clearly many EU policymakers have not gotten the message. In response, some groups have gotten together to create a website to “Stop the War on Cookies” and encourage users to petition against the new law. One supporter has made a video demonstrating the absurdity of the law for the average website owner/operator (I disagree with the complaint in the video about some US companies, but that is for another post):

While I don’t expect this law to be overturned anytime soon, pressure from Internet users can be intense. It would be interesting to see the EU’s response if sites complying with this new law implemented a SOPA-like protest and included in the splash screen a notice to direct users unhappy with these notices to a protest site.

Photo credit: Flickr User Jeremy Keith

About the author

Daniel Castro is a Senior Analyst with ITIF specializing in information technology (IT) policy. His research interests include health IT, data privacy, e-commerce, e-government, electronic voting, information security and accessibility. Before joining ITIF, Mr. Castro worked as an IT analyst at the Government Accountability Office (GAO) where he audited IT security and management controls at various government agencies. He contributed to GAO reports on the state of information security at a variety of federal agencies. He has a B.S. in Foreign Service from Georgetown University and an M.S. in Information Security Technology and Management from Carnegie Mellon University.