While we are supportive of individuals’ privacy in the virtual and real worlds and support the need for conscientious and ethical programming practices as well as educated and informed Internet use, we struggle to accept how this legislation results in increased consumer protection. We surmise that the underlying motivations are:
- promote public understanding of cookies
- raise the standards of website security
- allow users to control their cookies
We argue that at best this legislation is neutral in meeting these aims and at worst actively harmful to consumers and businesses. Putting to one side the chaos and disorder roiling in the EU and Eurozone, which serves as a backdrop to this legislation and which some might consider throws its absurdity into stark relief, we’d like to step through these points, critiquing how the Cookie Law fails to address these issues and offering alternative solutions.
Promote Public Understanding of Cookies
At its heart, the Cookie Law pushes responsibility for understanding cookies onto businesses. In this way, users are not encouraged to investigate and understand what cookies are, the ways they are used and the implications for their privacy. Though a main feature of the Directive is the gaining of ‘informed consent’ from users, we feel that in practice compliance with Cookie Law will encourage users to abdicate responsibility for understanding cookies, thereby making a farce of the notion of ‘informed consent’.
- updating links to privacy policies to read ‘Privacy and Cookies’
- ensuring a user-friendly explanation of cookie use is included in privacy policies
How do these implementation models, or the legislation behind them, encourage ‘informed consent’? They don’t.
On the one hand, Cookie Law makes clear that businesses cannot assume that users have read their updated privacy policies, hence the need for other messaging on the interface to solicit users’ consent. So, the legislation assumes that users may not read or understand sites’ privacy policies. To us, this demonstrates a fundamental distrust of the public’s capacity for learning to understand the different uses of cookies. Of course, we’ve all encountered absurdly long and complex T’s & C’s and the nudge to have privacy policies written in a more ‘user-friendly’ manner isn’t entirely without basis. However, pre-Cookie Law privacy policies should have included a breakdown on what information was collected by the site and how that information was used. So, we ask, isn’t adding implementation details on the technology used to collect this information redundant overhead? Especially as the legislation is at pains to state that we cannot trust that users have read such policies?
Raise the Standards of Website Security
Cookies are essential to the operation of many sites. Cookies come in two main flavours:
- session cookies which expire when you log off a site or close a browser
- persistent cookies which have a set expiry date
Cookies are generally used to:
- help you log in to a site
- personalise a site, such as load your preferences or keep track of your shopping basket
- track affiliate leads
- collect data on traffic and site usage
There is a range of best practices that professional web developers (should) follow in order to ensure that those cookies that are integral to a site’s operation, such as login and personalisation, are implemented in such a way as to minimise risks to users’ privacy and data security. This is particularly the case when collecting personal or payment details, when measures such as secure SSL connections and one-way data encoding may be used alongside session cookies.
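The session/persistent distinction and the secure-connection practice described above can be checked directly on the `Set-Cookie` headers a site sends. The following is an added example, not code from the original article: the function name and the sample header values are constructed for illustration, and the `HttpOnly` check goes beyond what the article lists.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime


def audit_set_cookie(header, now):
    """Classify one Set-Cookie header value and list missing protections."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()

    # A cookie with neither Max-Age nor Expires is a session cookie.
    # Max-Age takes precedence over Expires when both are present (RFC 6265).
    expires_at = None
    if "max-age" in attrs:
        expires_at = now + timedelta(seconds=int(attrs["max-age"]))
    elif "expires" in attrs:
        expires_at = parsedate_to_datetime(attrs["expires"])

    findings = []
    if "secure" not in attrs:
        findings.append("no Secure attribute: cookie is also sent over plain HTTP")
    if "httponly" not in attrs:
        findings.append("no HttpOnly attribute: cookie is readable by page scripts")

    return {
        "name": name,
        "kind": "session" if expires_at is None else "persistent",
        "lifetime_days": None if expires_at is None else (expires_at - now).days,
        "findings": findings,
    }


# Constructed sample headers: a login cookie, a shopping basket, a tracking id.
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
SAMPLE_HEADERS = [
    "sessionid=abc123; Path=/; Secure; HttpOnly",
    "basket=42; Path=/; Max-Age=2592000",
    "visitor=xyz; Expires=Wed, 01 Jan 2025 00:00:00 GMT; Secure",
]

if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        print(audit_set_cookie(h, NOW))
```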
Allow Users to Control Their Cookies
Cookie Law compliance can offer users a crude means of controlling their cookies on a per-site basis. However, as discussed above, these measures encourage an automatic response from users rather than a considered and truly ‘informed’ approach to how cookies may be used to track a user’s behaviour online. There are a number of steps users can already take to control how cookies may be used to track their lives online, with the different browser vendors offering varying levels of support. By making informed choices on what browser to use and how to use it, users can take much finer-grained and ‘informed’ control of their privacy.
An Alternative to Cookie Law
We view the EU Cookie Directive as essentially a bureaucratic response to an important issue. We support the need for an educated and informed Internet-using public. While the Internet is wonderful in so many ways for consumers and businesses, as with any tool there are potential risks and we should, collectively, work towards raising the bar of basic understanding of how Internet software works and its implications for users’ privacy and safety online. We argue that this legislation does not make the Internet safer and more transparent for users. We see that pushing the expense of compliance and the responsibility for understanding cookies onto businesses, and more particularly their web developers, is an efficient and quantifiable means for ‘doing something’, but that ‘something’ disintegrates into a nonsense under closer inspection.
These solutions may not have the bureaucratic appeal of something like the EU Cookie Directive. They are holistic, expensive to deliver, long term and difficult to quantify. Yet, education is the only sustainable solution to creating a society that is empowered to use technology with ‘informed consent’.