We are supportive of individuals’ privacy in the virtual and real worlds. We also support the need for conscientious and ethical programming practices as well as educated and informed Internet use. Nevertheless, we struggle to accept how the EU Cookie Directive results in increased consumer protection. We surmise that the underlying motivations are:
- promote public understanding of cookies
- raise the standards of website security
- allow users to control their cookies
We argue that at best this legislation is neutral in meeting these aims and at worst actively harmful to consumers and businesses. Putting to one side the chaos and disorder roiling in the EU and Eurozone, the backdrop to this legislation, which some might suggest throws the EU Cookie Directive’s absurdity into stark relief, we’d like to step through these three points. We will offer our critique on how the EU Cookie Directive fails to address these issues and we will offer alternative solutions.
EU Cookie Directive: Promote Public Understanding of Cookies
At its heart, the EU Cookie Directive pushes responsibility for understanding cookies onto businesses. In this way, consumers are not encouraged to investigate and understand what cookies are, the ways they are used and the implications of cookies for their own privacy. Though a main feature of the EU Cookie Directive is the gaining of ‘informed consent’ from users, we feel that in practice compliance with the EU Cookie Directive encourages consumers to abdicate responsibility for understanding cookies, thereby making a farce of the notion of ‘informed consent’.
- updating links to privacy policies to read ‘Privacy and Cookies’
- ensuring a user-friendly explanation of cookie use is included in privacy policies
How do these implementation models, or the legislation behind them, encourage ‘informed consent’? They don’t.
On the one hand, the EU Cookie Directive makes clear that businesses cannot assume that users have read their updated privacy policies, hence the need for other messaging on the interface to solicit users’ consent. The legislation assumes that users may not read or understand sites’ privacy policies. To us, this demonstrates a fundamental distrust of the public’s capacity for learning to understand the different uses of cookies. Of course, we’ve all encountered absurdly long and complex T’s & C’s, and the nudge to have privacy policies written in a more ‘user-friendly’ manner isn’t entirely without basis. However, pre-EU Cookie Directive privacy policies were supposed to include a breakdown of what information was collected by the site and how that information was used. So, we ask, isn’t adding implementation details on the technology used to collect this information redundant? Especially as the legislation is at pains to state that we cannot trust that users have read such policies?
Raise the Standards of Website Security
Cookies are essential to the operation of many sites. Cookies come in two main flavours:
- session cookies which expire when you log off a site or close a browser
- persistent cookies which have a set expiry date
Cookies are generally used to:
- help you log in to a site
- personalise a site, such as load your preferences or keep track of your shopping basket
- track affiliate leads
- collect data on traffic and site usage
There is a range of best practices that professional web developers (should) follow to ensure that the cookies integral to a site’s operation, such as log in and personalisation, are implemented in a way that minimises risks to users’ privacy and data security. This is particularly the case when collecting personal or payment details, when measures such as secure SSL connections and one-way data encoding may be used alongside session cookies.
Allow Users to Control Their Cookies
Compliance with the EU Cookie Directive can offer users a crude means of controlling their cookies on a per-site basis. However, as discussed above, these measures encourage an automatic response from users rather than a considered and truly ‘informed’ approach to how cookies may be used to track a user’s behaviour online. There are a number of steps users can already take to control how cookies may be used to track their lives online, with the different browser vendors offering varying levels of support. By making informed choices on what browser to use and how to use it, users can take much finer-grained and ‘informed’ control of their privacy.
An Alternative to EU Cookie Directive
We view the EU Cookie Directive as essentially a bureaucratic response to an important issue. We support the need for an educated and informed Internet-using public. While the Internet is wonderful in so many ways for consumers and businesses, as with any tool there are potential risks and we should, collectively, work towards raising the bar of basic understanding of how Internet software works and its implications for users’ privacy and safety online. We argue that this legislation does not make the Internet safer and more transparent for users. We see that pushing the expense of compliance and the responsibility for understanding cookies onto businesses, and more particularly their web developers, is an efficient and quantifiable means for ‘doing something’, but that ‘something’ disintegrates into a nonsense under closer inspection.
These solutions may not have the bureaucratic appeal of something like the EU Cookie Directive. They are holistic, expensive to deliver, long term and difficult to quantify. Yet, education is the only sustainable solution to creating a society that is empowered to use technology with ‘informed consent’.