2018-01-02

EU Cookie Law dumbness

I've wanted to say something about this for a long time, but never got a round tuit.

The “EU Cookie Law” is supposed to give website visitors the right to refuse the use of cookies. The way this seems to be interpreted is that sites that use cookies must place an intrusive warning over their content for new visitors, advising them that cookies are in use, possibly offering some cookie settings and a policy for the site, and generally obtaining consent to use cookies. After some explicit or implicit action by the visitor, the warning goes away, and that particular visitor is never bothered with them again.

But there's a problem. The site remembers that the visitor has seen the warning by using a cookie! This means that you cannot use the site without using a cookie!

And it's all so pointless. Visitors already have the ability to refuse the use of cookies by configuring their browsers. Granted, not everyone is aware of this, and knows how, and browsers' configuration capabilities may vary, but it's a browser problem.

The worst part is that the cookie law prevents this browser problem being solved in the browser. If you turn cookies off, the site can't remember that you've already been warned, and always puts up the warning, often obscuring essential parts of the content.

Here's a site that seems to explain the Cookie Law, but also looks like it offers cookie compliance services (despite its .org suffix): The Cookie Law Explained.

    “The Cookie Law is a piece of privacy legislation that requires websites to obtain consent from visitors to store or retrieve any information on a computer or any other web connected device, like a smartphone or tablet.”


Here are some more details, updated 2022-04-02.

Exacerbations

There are several variations to the way cookie consent is obtained, and these can make the problem worse:

  • The cookie consent form often pops up over the page content, and sometimes prevents scrolling, making the content inaccessible until the form is submitted.

    (I suspect the law requires the consent request to be ‘prominent’, and no site wants to risk being regarded as less than that. A visitor is likely more motivated to click it away as soon as possible too, the more intrusive it is.)

  • The consent form often dazzles with hundreds of options. Many sites will fortunately show all consent turned off (where possible) by default, but some don't. Most sites display the ‘Consent to all’ submission button much more prominently than the ‘Save current options’ button. Few have a ‘Reject all’ button, and those that do are misleading anyway, since a cookie will be used to record the lack of consent.

  • JavaScript is often required to submit the consent form, so the user has to whitelist the site for JavaScript before he has had an opportunity to check the content, and judge whether it's worth the risk.

  • When the consent rejection cookie expires, you go through it all again. I dare say, sites are not motivated to renew it automatically.

Alternative solution

A better solution would be to allow visitors to exploit the fact that not retaining a cookie is sufficient to implement lack of consent, and then it's a matter of having browser functionality that lets the user choose which cookies to retain. The law should work more like this:

  1. As with the current law, require sites to classify their cookies by purpose. Cookie consent pop-ups often indicate that some of the site's cookies are essential for the functioning of the site, some are for performance, and some for marketing; there might be other classes, such as function enhancement. These broad classifications must have already been deemed good determinants for whether to retain a cookie, so they should continue in the new law.

  2. Require sites to attribute their cookies according to purpose classification. For example, if it's a performance cookie, set an attribute such as cookie-name=cookie-value; Compliance=http://cookie.law.eu/performance. A site is then legally (or at least enforceably, or reputationally) required to ensure that the cookie is not used for other purposes. The purpose of a cookie is now available and machine-readable in its delivery.

This approach has the following benefits:

  1. Browsers can offer (say) whitelisting of cookies based on site and cookie purpose. When visiting a new site, the user is assured that no new cookies will be stored, unless the site is making an enforceable declaration that they will only be used for the declared purposes, and only if those purposes are whitelisted. Cookies that do not follow the attribution convention will be deemed to have unknown purpose, and can be automatically discarded.

    No pop-ups are required, because the site is not required to obtain consent. The browser simply refuses to give it by not storing the cookie. Notification of cookie policy can just be a discreet link.

    No JavaScript is required, because no pop-up is required.

  2. If a site is suspected of misusing a cookie, there must already be a way under the current law to investigate it and enforce the rules (or the law has no teeth!). Use the same mechanism here. The only difference is that the purpose of a cookie that is under investigation is embedded in its delivery, rather than in some separate policy declaration made by the site.

    This, of course, is a mechanism to be used rarely. The threat of its use should ensure compliance, and underpins the assurance that the visitor has about cookie use.
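A sketch of the browser side of this proposal (the attribution convention from the list above and the purpose whitelisting from this one), as an added example that is not part of the original post: it parses Set-Cookie headers, reads the proposed Compliance attribute (the attribute name and the cookie.law.eu URL prefix are the post's hypothetical convention, not a real standard), retains a cookie only if its declared purpose is whitelisted for the site, and discards cookies that declare no purpose.

```python
# Browser-side retention policy for cookies carrying a declared purpose.
# Added example; the Compliance attribute and its URL prefix are the post's
# hypothetical convention. Sample headers and whitelist below are constructed.

PURPOSE_PREFIX = "http://cookie.law.eu/"


def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, {attr_lower: attr_value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")  # flags like Secure get ""
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def declared_purpose(attrs):
    """Purpose named by the Compliance attribute, or None if absent or malformed."""
    url = attrs.get("compliance")
    if not url or not url.startswith(PURPOSE_PREFIX):
        return None  # unknown purpose: treated as undeclared
    purpose = url[len(PURPOSE_PREFIX):].strip("/").lower()
    return purpose or None


def filter_cookies(site, headers, whitelist):
    """Return [(name, purpose, 'retain'|'discard')] for each Set-Cookie header.

    whitelist maps a site to the purposes the user accepts from it; the key
    '*' holds purposes accepted from every site. Undeclared cookies are dropped.
    """
    allowed = whitelist.get(site, set()) | whitelist.get("*", set())
    decisions = []
    for header in headers:
        name, _value, attrs = parse_set_cookie(header)
        purpose = declared_purpose(attrs)
        if purpose is None:
            decisions.append((name, "unknown", "discard"))
        else:
            decisions.append((name, purpose, "retain" if purpose in allowed else "discard"))
    return decisions


# Constructed sample response headers and a constructed user whitelist.
SAMPLE_HEADERS = [
    "session=abc123; Path=/; Secure; HttpOnly; Compliance=http://cookie.law.eu/essential",
    "perf=1; Path=/; Compliance=http://cookie.law.eu/performance",
    "ad_id=xyz; Path=/; Compliance=http://cookie.law.eu/marketing",
    "legacy=42; Path=/",
]
SAMPLE_WHITELIST = {"*": {"essential"}, "example.com": {"performance"}}

if __name__ == "__main__":
    for name, purpose, decision in filter_cookies("example.com", SAMPLE_HEADERS, SAMPLE_WHITELIST):
        print(f"{name:8} {purpose:12} {decision}")
```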


Note on EU membership and Brexit

I am not a Brexiteer. Brexit was dumb, is no real solution to anything, and has probably committed the UK to self-destruction. Being able to replace the EU Cookie Law is barely a Brexit benefit, and it could have been done while in the EU by persuading MEPs to vote on it. Even if the UK unilaterally changes it now, it hardly has the clout by itself to enforce it.