How Web Reality Killed the Cookie Law

Trajan Przybylski

When the UK’s Information Commissioner’s Office (ICO) announced the infamous Cookie Law in 2010, a wave of panic echoed across the Internet. It was arguably the boldest attempt to regulate the Web that we have seen in recent years. Lately, the legislation has instead become a subject of universal ridicule and a startling epitome of bureaucratic impotence in the digital world. With the ICO backpedalling from its requirement for “explicit” consent to store and access cookies, and with a low level of compliance led by Internet giants such as Google, Facebook, and Amazon, many have pronounced the Cookie Law dead. Its only legacy seems to be the loud noise caused by the bursting of a gigantic and ill-thought-out regulatory bubble.

But why exactly was the Cookie Law such a horrendous idea? Does its failure mean that there is no need to be concerned about user privacy? And if the underlying problem of tracking technologies such as cookies is indeed a real one, then what is the optimal response? To start answering these questions, let’s first look at what started this whole mess.

A Brief History of the Cookie Law

The Cookie Law ultimately derives from Directive 2009/136/EC, the EU’s 2009 amendment to its 2002 ePrivacy Directive, which the UK transposed in 2011 by amending the Privacy and Electronic Communications (EC Directive) Regulations 2003 (you can read the document here if you’re really curious). So if you would like to thank somebody for being blessed with the Cookie Law, you should send your letters to the European Union, the Goddess of bureaucracy, to which all believers in the remedial power of red tape pray.

Essentially, the amended Directive requires consent for storing, or gaining access to, information stored on a subscriber’s or user’s terminal equipment. Though the regulation does not single out any particular tracking technology, most of the attention that followed has been given to cookies. The Directive was born out of concerns about online tracking, the security of sensitive personal data, and the use of spyware. However, how exactly the EU officials arrived at their brilliant solution to the problem is not clear. It’s pretty obvious, though, that most of the power to make such decisions lies in the hands of senior (read “senile”) civil servants, whose idea of sending an email is to leave a message on a tape recorder and pass it to their personal assistant. To them, Internet technology is just a black box. It could be governed by an all-powerful Internet fairy or powered by an army of unicorns shooting rainbows of data out of their asses. Frankly, they couldn’t care less. Their gap in fundamental knowledge was left unfilled as the legislative process went on without proper consultation with independent industry experts. If the bureaucrats had at least spoken to ordinary web users, like their 13-year-old granddaughters, the absurdity of the law would have been immediately exposed and we wouldn’t be in this mess right now.

After the EU passed the Directive, the ICO’s hands were pretty much tied. So tied, in fact, that the UK missed the transposition deadline of 25 May 2011 (but there’s no shame in that, as virtually the entire continent missed it too). The UK’s amended regulations came into force on 26 May 2011, but the ICO granted a one-year grace period before enforcing them, so the Cookie Law only took effect in practice on 26 May 2012.

However, the most embarrassing thing is that the ICO fundamentally altered its cookies guidance by allowing the use of “implied” consent just 11 hours before the new deadline! Well-deserved criticism of the way the ICO handled the introduction of the Cookie Law ensued, including this unflattering article by the Guardian. The difference between “explicit” and “implied” consent is no small issue, as it betrays the Cookie Law to be nothing more than a legislative illusion. The EU Directive does not define “consent” itself; it borrows the Data Protection Directive’s definition (a “freely given specific and informed indication of [the user’s] wishes”), which says nothing about how a website is supposed to obtain it (perhaps the practical details got lost when the EU’s octogenarians were sharing their memos by carrier pigeon). Originally, the ICO interpreted it as “explicit” consent, which effectively means that the user has to directly confirm the use of cookies before the server stores or reads anything on the user’s machine (i.e. the user has to “opt in”). Anyone who has built basic dynamic websites will immediately recognize the apparent Catch-22 (how can I see whether the visitor has made the decision without automatically tracking traffic to the site?). Strictly speaking it is avoidable: the server can read the user’s decision from the request’s Cookie header without setting anything, and the regulations exempt cookies that are “strictly necessary” for a service the user has asked for, which is how a stored consent preference is generally treated. The real bite is that analytics and advertising cookies cannot be set on the first page load. But even more importantly, explicit consent is a user experience disaster – it’s an even bigger distraction than animated ads (because it’s a call to action) and a huge waste of time for the user.

Flooded by well-deserved criticism from web users and developers alike, the ICO chickened out at the last minute by allowing the use of “implied” consent. The term is an elusive one. It’s supposed to mean consent inferred from a “specific and informed” action that somehow constitutes “an indication of [the user’s] wishes”. According to the ICO’s imagination, the implied consent rule can be implemented by showing a big-ass notice (exact size unclear) that says the site is using cookies (exact wording unclear). By continuing to use the website having read the notice, the user gives “implied” consent to the storage of and access to cookies. The user also has the option to “opt out” by leaving the website. To make things even more hilarious, some experts claim that the implied consent clause actually violates the stipulations of the Directive and means that Britain is now out of step with EU law.
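To make the mechanics of the two consent models concrete, here is an added example in Node.js; it is not part of the original article, and it is not code from the ICO’s guidance. It reads the visitor’s decision from the request’s Cookie header without storing anything first (so the Catch-22 described above is avoidable), and it adds tracking cookies to the response only when the decision allows them. It also treats a browser-sent “DNT: 1” header as a refusal, the kind of browser-side preference this article argues for. The cookie names (consent, notice_seen, _ga), the precedence order and the cookie lifetimes are assumptions of the example, not anything the regulations prescribe.

```javascript
'use strict';
// Added example (not from the original article): a server-side consent gate.
// The server reads the consent decision from the request's Cookie header
// and sets nothing on the client until a decision exists. Cookie names,
// precedence and lifetimes below are assumptions of this example.

// Parse a Cookie request header into a plain object. Splits on ';' and takes
// the first '=' of each pair; values are URL-decoded, malformed pairs skipped.
function parseCookieHeader(header) {
  const cookies = {};
  if (!header) return cookies;
  for (const part of header.split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    const value = part.slice(idx + 1).trim();
    if (!name) continue;
    try { cookies[name] = decodeURIComponent(value); } catch { cookies[name] = value; }
  }
  return cookies;
}

// Decide whether non-essential (tracking) cookies may be set on this response.
// Precedence (an assumption of the example):
//   1. An explicit decision stored in the "consent" cookie wins ("yes"/"no").
//   2. Otherwise a browser-side "DNT: 1" header is treated as a refusal.
//   3. Otherwise, under the implied-consent model, a visitor who has already
//      been shown the notice ("notice_seen") and keeps browsing is taken to consent.
//   4. A first-time visitor gets no tracking cookies; only the notice marker is set.
// `headers` is a Node-style object with lower-cased header names.
function consentDecision(headers) {
  const cookies = parseCookieHeader(headers['cookie']);
  if (cookies.consent === 'yes') return { allowTracking: true, reason: 'explicit' };
  if (cookies.consent === 'no') return { allowTracking: false, reason: 'explicit' };
  if (headers['dnt'] === '1') return { allowTracking: false, reason: 'dnt' };
  if (cookies.notice_seen === '1') return { allowTracking: true, reason: 'implied' };
  return { allowTracking: false, reason: 'first-visit' };
}

function cookieAttrs(secure) {
  return `Path=/; SameSite=Lax${secure ? '; Secure' : ''}`;
}

// Build the Set-Cookie header values for a normal page response. The notice
// marker only records that the banner was shown and is not used for tracking;
// the tracking cookie is added only when the decision allows it.
function buildSetCookies(decision, { secure = true } = {}) {
  const attrs = cookieAttrs(secure);
  const out = [];
  if (decision.reason === 'first-visit') {
    out.push(`notice_seen=1; Max-Age=31536000; ${attrs}`);
  }
  if (decision.allowTracking) {
    out.push(`_ga=example-tracking-id; Max-Age=63072000; ${attrs}`);
  }
  return out;
}

// Set-Cookie values for an explicit opt-in/opt-out, e.g. POST /consent?choice=yes|no.
// On refusal the tracking cookie is expired as well.
function consentResponseHeaders(choice, { secure = true } = {}) {
  if (choice !== 'yes' && choice !== 'no') throw new Error('choice must be "yes" or "no"');
  const attrs = cookieAttrs(secure);
  const headers = [`consent=${choice}; Max-Age=31536000; ${attrs}`];
  if (choice === 'no') headers.push(`_ga=; Max-Age=0; ${attrs}`);
  return headers;
}

// Constructed sample requests (not captured traffic) to show the three paths.
const samples = [
  {},                                            // first visit: notice only
  { cookie: 'notice_seen=1; session=abc' },      // implied consent: tracking allowed
  { cookie: 'notice_seen=1', dnt: '1' },         // browser says no: refused
  { cookie: 'consent=no' },                      // explicit refusal
];
for (const req of samples) {
  const d = consentDecision(req);
  console.log(d.reason, d.allowTracking, buildSetCookies(d));
}
```

The order of the checks is the whole policy: an explicit choice outranks the browser’s DNT signal, and DNT outranks the “you kept browsing” inference, so a site honouring both models never sets a tracking cookie against a signal the user actually gave.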

Digressing a little, I would like to observe that this is a story we see over and over again. Humanity has a problem and comes up with a solution. It writes the solution down on a piece of paper (a 1,000-page-long piece of paper) and declares it a Law. The piece of paper is then treated as if it had been passed down to us by our ancient ancestors, who in turn received it from a long-forgotten deity. Everything the Law declares is now holy, and the original context, i.e. the problem at hand, is ignored and must no longer be spoken of. Although words are nothing more than empty concepts made up by humans for humans, the Law brings them to life by pretending there’s a real substance behind them. Finally, the lawyers begin their mesmerizing dance around those words by taking turns at guessing what this real substance might be. The words are now declared worthy of offerings, and it is perfectly OK to fine people and throw them into prison in the name of the Law. Well done, humanity!

But going back to the main story, the final nail in the Cookie Law coffin was added by the ICO’s announcement in January 2013 that it would stop asking users for permission to set cookies on its own website, thus settling for ill-defined implied consent. This prompted the now famous infographic created by Silktide, a software development company and a staunch anti-Cookie Law campaigner. The ICO’s move has led to near-universal acceptance that the Cookie Law is finally dead.

The Current State of Affairs

The Cookie Law is not officially dead, however, despite being brutally neutered. According to the official Cookie Guidance, which you can download from ICO’s website, if your site uses cookies you need to ensure you meet the following three obligations:

  1. make an audit of the cookies used on your website, i.e. write them all down and publish the list somewhere on your website (ideally on a separate “cookies policy” page);
  2. explain to the user what a cookie is, how cookies work, etc.;
  3. obtain user consent (“implied” consent will do just fine).

The guidance, as you can expect, is very vague and too often shies away from giving definite recommendations. And it’s not because the document is poorly written, but because the Cookie Law often defies logic and even the ICO cannot fathom the full scope of its implications. Arguably, the first two steps are fairly sound. For most websites they simply mean revising the cookie policy statement. The “implied” consent rule, on the other hand, is still a huge pain and is subject to interpretation. In order to have the best chance that your website complies with the Cookie Law, you will need to put up an obtrusive banner giving your visitors a contrived scare about cookies. However, it is not clear whether this is strictly necessary. My favourite part of the Cookie Guidance is a sentence that immediately follows the elaborate explanation of the implied consent rule, in which the ICO politely reminds the reader that the aforementioned best approach does not mean “doing nothing”. Doesn’t the phrase indirectly say that whatever was said before it is probably just a load of bullshit?

Because of this fog surrounding the definition of implied consent, it is currently impossible to get a credible estimate of the Cookie Law compliance rate. One study put the compliance rate at around 12% as of August 2012. However, the estimate was based on a sample of 231 top consumer sites, and hence tells little about the overall picture. Some of the biggest websites have ostensibly ignored the ICO’s recommendations. This is despite the fact that the ICO has envisaged monetary penalties of up to £500,000. The catch, however, is that the ICO is extremely unlikely to take serious action against anyone, as it would need to prove a serious breach that was deliberate or reckless and likely to cause substantial damage or distress.

So why was Cookie Law such a Bad Idea?

By far the biggest drawback of the entire Cookie Law initiative is that it never had clearly defined objectives. In fact, nobody can say that the Cookie Law failed, because we cannot know what it aimed to do. The 30-page-long Cookie Guide has no section titled “Why we are doing this”. The only issue that the ICO managed to identify is a low level of consumer understanding of the Internet and cookies. This particular observation came from internet cookies research commissioned by the Department for Culture, Media and Sport and carried out by PricewaterhouseCoopers LLP (PwC). Among other things, the study found that 37% of surveyed Internet users did not know how to manage cookies. However, if the sole goal was to raise awareness of tracking technologies, then the Cookie Law constitutes an outrageously expensive solution. According to PwC’s estimates, the “opt-in” requirement would cost consumers between £190 and £235 million per annum. And this is only the “time cost” incurred by Internet users, i.e. the time wasted on managing the use of internet cookies. It does not include the direct costs faced by online publishers, displacement effects or efficiency losses, which means that the total cost of the Cookie Law should most likely be reckoned in billions of pounds. Surely, putting up some billboards or buying Google ads educating people about cookies and safe ways to use the Web would be much cheaper. And let’s not forget that the Law came into force in the aftermath of the worst financial crisis since the Great Depression. The last thing that local businesses need right now is yet another layer of costly bureaucracy.

Despite the striking ambiguity of purpose, we can suspect that the brilliant minds behind the Cookie Law also hoped it would solve some of the serious internet security problems, such as abuse of personal information, financial loss, unsolicited emails, and other privacy violations. Critics agree that there is no way the Cookie Law could have any such impact. There is absolutely no mechanism in the Law that helps identify malicious website owners or prevents them from exploiting internet users; a banner only tells the user what an honest site does, and says nothing about what a dishonest one does. In a similar vein, you could order the entire population to wear T-shirts that say “I’m not a Burglar” in the hope that it would help law enforcement agencies swiftly pick up thieves who heedlessly continue wearing their black-and-white striped clothes.

Finally, the Cookie Law is unenforceable. With millions of websites in the UK alone, the ICO’s staff would never be able to audit all cookie statements in their lifetime. In fact, PwC’s report failed to identify the number of websites that use cookies. The study only states that cookies are “widely used”, the number of businesses employing them is “large”, and website adjustment costs will therefore be “high”. Great job, PwC. If this was on a school test you would get an F+.

Alternative Solution – Enhanced Browser Settings

Despite the sarcastic tone of most articles addressing the Cookie Law, I believe that none of the commentators is trying to suggest that online security and user privacy are unimportant. As mentioned before, the whole absurdity of the Cookie Law is that the “problem” was never properly identified. But clearly user privacy is a growing concern due to the rise of social media and behavioural advertising. It is now common to hear stories such as that of Facebook showing gay-targeted ads to homosexual users before they even had a chance to let their families and friends know they were gay (see for example this BuzzFeed article).

So what would be the best way to improve privacy and make browsing safer? Most experts agree the solution should lie on the browser side. This means making web browsers provide users with relevant information about cookies and the capability to accept or reject cookies from websites through visible browser settings. As most of the requirements for regulatory compliance would then fall on a small number of browser vendors, the solution would not impose the huge economy-wide costs characteristic of the Cookie Law. Enhanced browser settings would also improve the lives of internet users, as they could set their cookie preferences once instead of wasting time figuring out the cookie controls on every single website they visit.

Interestingly, the ICO is not completely unaware of this alternative solution. It has simply decided to ignore it. Its Cookie Guide states that “at present, most browser settings are not sophisticated enough for websites to assume that consent has been given to allow the site to set a cookie”. So, just to sum up the ICO’s position: it is perfectly OK to force millions of businesses to spend money on implementing the Cookie Law, but working with a handful of browser vendors to improve privacy settings is out of the question.

The Cookie Law has exposed the appalling incompetence of bureaucrats in the digital era, both those in Brussels and at home. While it’s certainly not the first policy change that did absolutely no good while causing great harm to the economy and instilling general chaos, the utter absurdity of the entire legislative process reveals that the officials are nowhere near understanding the underlying internet privacy problems, let alone tackling them.

To people who are not on the civil service payroll it should be blatantly clear that the complexity of the Web requires the involvement of technical experts, not smooth-talking government officials. Hence, the best place to generate feasible solutions and drive change would be the industry itself. The World Wide Web Consortium (W3C), our main international web standards organization, is currently developing a number of web privacy tools, such as the “Do Not Track (DNT)” protocol. The problem is that the W3C and other independent standards bodies have been awfully quiet in the wake of the EU’s disturbing Privacy and Electronic Communications Directive. The industry must retake its lead in driving the digital agenda. The W3C should become a more vocal advocate of user privacy. Without its strong leadership the EU officials are sure to continue running amok.

Also, it probably wouldn’t hurt if Sir Tim Berners-Lee called José Manuel Barroso and said “What the f*** have you done with my Internet!?”
