EU Cookie Directive: What’s It Good For?


On 25 May 2012, the EU Cookie Directive and the updated UK Privacy and Electronic Communications Regulation came into force. This legislation requires businesses’ websites to comply with a (rather loose) set of requirements in order to gain users’ ‘informed consent’ to use cookies. The stated goal of the EU Cookie Directive is ‘to increase consumer protection’. We’ve been working through several iterations of our own solution to make WordPress comply with UK cookie law and we can’t help but feel this legislation is an ill-conceived nonsense.

We are supportive of individuals’ privacy in the virtual and real worlds. We also support the need for conscientious and ethical programming practices as well as educated and informed Internet use. Nevertheless, we struggle to accept how the EU Cookie Directive results in increased consumer protection. We surmise that the underlying motivations are:

  • promote public understanding of cookies
  • raise the standards of website security
  • allow users to control their cookies

We argue that at best this legislation is neutral in meeting these aims and at worst actively harmful to consumers and businesses. Putting to one side the chaos and disorder roiling in the EU and Eurozone (the backdrop to this legislation, which some might suggest throws the EU Cookie Directive’s absurdity into stark relief), we’d like to step through these three points. We will offer our critique of how the EU Cookie Directive fails to address these issues, and we will offer alternative solutions.

EU Cookie Directive: Promote Public Understanding of Cookies

At its heart, the EU Cookie Directive pushes responsibility for understanding cookies onto businesses. In this way, consumers are not encouraged to investigate and understand what cookies are, the ways they are used and the implications of cookies for their own privacy. Though a main feature of the EU Cookie Directive is the gaining of ‘informed consent’ from users, we feel that in practice compliance with the EU Cookie Directive encourages consumers to abdicate responsibility for understanding cookies, thereby making a farce of the notion of ‘informed consent’.

Implementation models offered by the ICO include several measures to ensure websites provide clear and prominent notification and information on a site’s use of cookies, such as:

  • messages asking for users’ consent to use cookies
  • updating links to privacy policies to read ‘Privacy and Cookies’
  • ensuring a user-friendly explanation of cookie use is included in privacy policies

How do these implementation models, or the legislation behind them, encourage ‘informed consent’? They don’t.

On the one hand, the EU Cookie Directive makes clear that businesses cannot assume that users have read their updated privacy policies, hence the need for other messaging on the interface to solicit users’ consent. The legislation assumes that users may not read or understand sites’ privacy policies. To us, this demonstrates a fundamental distrust of the public’s capacity for learning to understand the different uses of cookies. Of course, we’ve all encountered absurdly long and complex T&Cs, and the nudge to have privacy policies written in a more ‘user-friendly’ manner isn’t entirely without basis. However, pre-EU Cookie Directive privacy policies were already supposed to include a breakdown of what information was collected by the site and how that information was used. So, we ask, isn’t adding implementation details on the technology used to collect this information redundant? Especially as the legislation is at pains to state that we cannot trust that users have read such policies?

On the other hand, users will rapidly become ‘deaf’ to cookie notifications and alerts, either ignoring them or accepting them out of habit to get on with using a site. We cannot accept that adding messaging to alert users to the use of cookies empowers Internet users to understand the ways in which cookies may be used and how cookies affect their own browsing experience or their privacy online. It appears to us that these measures serve only ‘to protect oneself from legal and administrative penalties, criticism, or other punitive measures’ (Wikipedia), which, by pushing responsibility for understanding the workings of cookies onto businesses, denigrates the intelligence of users and actively erodes public understanding of Internet technology, all while impacting the bottom lines of businesses and their ability to monitor and improve the performance of their sites.

Raise the Standards of Website Security

Cookies are essential to the operation of many sites. Cookies come in two main flavours:

  • session cookies, which expire when you log off a site or close your browser
  • persistent cookies, which have a set expiry date

Cookies are generally used to:

  • help you log in to a site
  • personalise a site, such as load your preferences or keep track of your shopping basket
  • track affiliate leads
  • collect data on traffic and site usage

There is a range of best practices that professional web developers (should) follow to ensure that those cookies that are integral to a site’s operation, such as logging in and personalisation, are implemented in such a way as to minimise risks to users’ privacy and data security. This is particularly the case when collecting personal or payment details, where measures such as secure SSL connections and one-way data encoding (hashing) may be used alongside session cookies.
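To make the two cookie flavours and the ‘best practices’ concrete, here is an added example (not code from the original article or its authors). It builds a Set-Cookie header for a session cookie (no expiry, so it dies with the browser) and for a persistent cookie (an explicit Max-Age/Expires), and then audits any Set-Cookie header a site emits. The Secure attribute is the header-level counterpart of the ‘secure SSL connections’ the article mentions; the HttpOnly and SameSite checks go beyond the page and are included because they are standard cookie hardening. The cookie names, values and the 30-day lifetime are assumptions for illustration.

```python
"""Build and audit Set-Cookie headers: session vs. persistent cookies and
the protective attributes a careful implementation sets.

Added example, not part of the original article. Cookie names, values and
lifetimes below are constructed for illustration only.
"""
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional


def build_set_cookie(name: str, value: str, max_age: Optional[timedelta] = None,
                     secure: bool = True, http_only: bool = True,
                     same_site: Optional[str] = "Lax") -> str:
    """Return a Set-Cookie header value.

    Without max_age the result is a session cookie (no Expires/Max-Age), which
    the browser discards when it is closed. With max_age it is a persistent
    cookie that survives until the stated expiry.
    """
    parts: List[str] = [f"{name}={value}", "Path=/"]
    if max_age is not None:
        parts.append(f"Max-Age={int(max_age.total_seconds())}")
        expires = datetime.now(timezone.utc) + max_age
        # RFC 1123 date format used by Expires
        parts.append("Expires=" + expires.strftime("%a, %d %b %Y %H:%M:%S GMT"))
    if secure:
        parts.append("Secure")        # only sent over SSL/TLS
    if http_only:
        parts.append("HttpOnly")      # not readable by page scripts
    if same_site:
        parts.append(f"SameSite={same_site}")
    return "; ".join(parts)


def parse_set_cookie(header: str) -> Dict[str, object]:
    """Split a Set-Cookie value into its name, value and lower-cased attributes."""
    pieces = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = pieces[0].partition("=")
    attrs: Dict[str, object] = {}
    for piece in pieces[1:]:
        key, _, val = piece.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def classify_cookie(parsed: Dict[str, object]) -> str:
    """'persistent' if the cookie carries an expiry, otherwise 'session'."""
    attrs = parsed["attrs"]
    return "persistent" if ("expires" in attrs or "max-age" in attrs) else "session"


def audit_set_cookie(header: str, over_https: bool = True) -> Dict[str, object]:
    """Report the cookie kind and any missing protective attributes."""
    parsed = parse_set_cookie(header)
    attrs = parsed["attrs"]
    findings: List[str] = []
    if over_https and "secure" not in attrs:
        findings.append("missing Secure: cookie would also be sent over plain HTTP")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: cookie is readable by page scripts")
    if "samesite" not in attrs:
        findings.append("missing SameSite: browser default behaviour applies")
    return {"name": parsed["name"], "kind": classify_cookie(parsed), "findings": findings}


if __name__ == "__main__":
    # Constructed sample headers: a hardened login cookie, a 30-day preferences
    # cookie, and a bare cookie with none of the protective attributes.
    samples = [
        build_set_cookie("sid", "a1b2c3"),
        build_set_cookie("prefs", "theme=dark", max_age=timedelta(days=30), http_only=False),
        "basket=42; Path=/",
    ]
    for h in samples:
        report = audit_set_cookie(h)
        print(f"{report['name']:7} {report['kind']:10} {report['findings'] or 'ok'}")
```

Running the block prints one line per header; the bare `basket` cookie is a session cookie with three findings, while the `prefs` cookie is persistent and only lacks HttpOnly (which is deliberate there, since page scripts may legitimately need to read a preferences cookie).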

While ensuring that all businesses’ Internet software conforms to best practices may be a laudable goal that might weed out ‘rogue sites’ and increase consumers’ privacy, this legislation in no way ensures that best practices are followed, only that the use of cookies (wise, ethical, useful or otherwise) is detailed for users. As long as a business has clearly alerted users to the use of cookies, explained what the cookies do and gained ‘informed consent’ as appropriate, it is free to carry on with its implementation even where its software has less robust security measures around its use of cookies and collection of sensitive data.

Allow Users to Control Their Cookies

Compliance with the EU Cookie Directive can offer users a crude means of controlling their cookies on a per-site basis. However, as discussed above, these measures encourage an automatic response from users rather than a considered and truly ‘informed’ approach to how cookies may be used to track a user’s behaviour online. There are a number of steps users can already take to control how cookies may be used to track their lives online, with the different browser vendors offering varying levels of support. By making informed choices on what browser to use and how to use it, users can take much finer-grained and ‘informed’ control of their privacy.

An Alternative to EU Cookie Directive

We view the EU Cookie Directive as essentially a bureaucratic response to an important issue. We support the need for an educated and informed Internet-using public. While the Internet is wonderful in so many ways for consumers and businesses, as with any tool there are potential risks and we should, collectively, work towards raising the bar of basic understanding of how Internet software works and its implications for users’ privacy and safety online. We argue that this legislation does not make the Internet safer and more transparent for users. We see that pushing the expense of compliance and the responsibility for understanding cookies onto businesses, and more particularly their web developers, is an efficient and quantifiable means for ‘doing something’, but that ‘something’ disintegrates into a nonsense under closer inspection.

So how can we ‘increase consumer protection’? Education, education, education. Education is fundamental to creating a society of informed Internet users: ‘education’ ranging from strong literacy skills to an understanding of how software is built rather than just how it can be used. At base, the Internet is about communication; it is about sharing words; it is a highly literate space. While businesses should ensure that their privacy policies and terms of use are written for lay people rather than techs or lawyers, it is important that our community at large has the reading comprehension skills to read and understand this information. The Internet is awash with information, and it is through strong literacy skills that users can take full advantage of the Internet to feed their curiosity and share their ideas, and do so in a safe and ‘informed’ manner.

In schools, computer science needs to increasingly emphasise software development – from the basics of logic and programming language syntax to best practices and industry standards – alongside core literacy in software usage. Only through education as a means of facilitating the nation’s investigation of how the Internet works can we hope to generate a population of users who are in a position to give ‘informed consent’ to cookies or any other Internet technology, known or yet to be invented! Rather than ‘hard-coding’ specific requirements for businesses to meet in what they tell users about their use of cookies, as users we’d benefit much more from a bigger-picture understanding of how the Internet works and how we can tailor our browsing to meet our individual expectations of privacy.

These solutions may not have the bureaucratic appeal of something like the EU Cookie Directive. They are holistic, expensive to deliver, long term and difficult to quantify. Yet, education is the only sustainable solution to creating a society that is empowered to use technology with ‘informed consent’.
