When the UK’s Information Commissioner’s Office (ICO) announced the infamous Cookie Law in 2010, a wave of panic echoed throughout the Internet. It was arguably the boldest attempt to regulate the Web that we have seen in recent years. Lately, the legislation has instead become a subject of universal ridicule and a startling epitome of bureaucratic impotence in the digital world. With the ICO back-pedalling from its requirement for “explicit” consent to store and access cookies, and with a low level of compliance led by Internet giants such as Google, Facebook and Amazon, many have declared the Cookie Law dead. Its only legacy seems to be the loud noise caused by the burst of a gigantic and ill-thought-out regulatory bubble.
But why exactly was the Cookie Law such a horrendous idea? Does its failure mean that there is no need to be concerned about user privacy? And if the underlying problem of tracking technologies such as cookies is indeed a real one, then what is the optimal response? To start answering these questions, let’s first look at what started this whole mess.
A Brief History of the Cookie Law
The Cookie Law ultimately derives from the 2009 amendment to the 2003 Privacy and Electronic Communications (EC Directive) Regulations (you can read the document here if you’re really curious). So if you would like to thank somebody for being blessed with the Cookie Law, you should send your letters to the European Union, the Goddess of bureaucracy, to whom all believers in the remedial power of red tape pray.
After the EU passed the Directive the ICO’s hands were pretty much tied. So tied in fact, that the UK actually missed the deadline set for 25 January 2011 (but there’s no shame in that as virtually the entire continent didn’t make it on time). The ICO delayed the implementation of the law by a year, and thus the Cookie Law came into force only on 26 May 2012.
Flooded by well-deserved criticism from web users and developers alike, the ICO chickened out at the last minute by allowing the use of “implied” consent. The term is an elusive one. It’s supposed to mean consent inferred from a “specific and informed” action that somehow constitutes “an indication of [the user’s] wishes”. According to the ICO’s imagination, the implied consent rule can be implemented by showing a big-ass notice (exact size unclear) that says the site is using cookies (exact wording unclear). By continuing to use the website after reading the notice, the user gives “implied” consent to the access and storage of cookies. The user also has the option to “opt out” by leaving the website. To make things even more hilarious, some experts claim that the implied consent clause actually violates the stipulations of the Directive and means that Britain is now out of step with EU law.
Digressing a little, I would like to observe that this is a story we see over and over again. Humanity has a problem and comes up with a solution. It writes the solution down on a piece of paper (a 1,000-page-long piece of paper) and declares it a Law. The piece of paper is then treated as if it had been passed on to us by our ancient ancestors, who in turn received it from a long-forgotten deity. Everything the Law declares is now holy, and the original context, i.e. the problem at hand, is ignored and must no longer be spoken of. Although words are nothing more than empty concepts made up by humans for humans, the Law brings them to life by pretending there’s a real substance behind them. Finally, the lawyers begin their mesmerizing dance around those words by taking turns at guessing what this real substance might be. The words are now declared worthy of offerings, and it is perfectly OK to fine people and throw them into prison in the name of the Law. Well done, humanity!
But going back to the main story, the final nail in the Cookie Law’s coffin was added by the ICO’s announcement in January 2013 that it would stop asking users for permission to set cookies on its own website, thus settling for the ill-defined implied consent. This prompted the now famous infographic created by Silktide, a software development company and a staunch anti-Cookie Law campaigner. The ICO’s move has led to the universal acceptance that the Cookie Law is finally dead.
The Current State of Affairs
In practice, complying with the Cookie Law currently boils down to the following:
- make an audit of the cookies used on your website, i.e. write them all down and publish the list somewhere on your website (ideally on a separate “cookies policy” page);
- explain to the user what a cookie is, how cookies work, etc.;
- obtain user consent (“implied” consent will do just fine).
Because of this fog surrounding the definition of implied consent, it is currently impossible to get a credible estimate of the Cookie Law compliance rate. One study showed the compliance rate to be around 12% as of August 2012. However, the estimate was based on a sample of 231 top consumer sites, and hence tells little about the overall picture. Some of the biggest websites have ostensibly ignored the ICO’s recommendations. This is despite the fact that the ICO has envisaged monetary penalties of up to £500,000. The catch, however, is that the ICO is extremely unlikely to take serious action against anyone, as it would need to prove deliberate wrongdoing.
So why was the Cookie Law such a Bad Idea?
By far the biggest drawback of the entire Cookie Law initiative is that it never had clearly defined objectives. In fact, nobody can say that the Cookie Law failed, because we cannot know what it aimed to do. The 30-page-long Cookie Guide has no section titled “Why we are doing this”. The only issue that the ICO managed to identify is consumers’ low level of understanding of the Internet and cookies. This particular observation came from internet cookies research commissioned by the Department for Culture, Media and Sport and carried out by PricewaterhouseCoopers LLP (PwC). Among other things, the study found that 37% of surveyed Internet users did not know how to manage cookies. However, if the sole goal was to raise awareness of tracking technologies, then the Cookie Law constitutes an outrageously expensive solution. According to PwC’s estimates, the ‘Opt-in’ requirement would cost consumers between £190 and £235 million per annum. And this is only the “time cost” incurred by Internet users, i.e. the time wasted on managing the use of internet cookies. It does not include the direct costs faced by online publishers, displacement effects or efficiency losses, which means that the total cost of the Cookie Law should most likely be reckoned in billions of pounds. Surely, putting up some billboards or buying Google ads educating people about cookies and safe ways to use the Web would be much cheaper. And let’s not forget that the Law came into force in the aftermath of the worst financial crisis since the Great Depression. The last thing that local businesses need right now is yet another layer of costly bureaucracy.
Despite the striking ambiguity in purpose, we can suspect that the brilliant minds behind the Cookie Law also hoped it would solve some of the serious internet security problems such as abuse of personal information, financial loss, unsolicited emails, and other privacy violations. Critics agree that there is no way the Cookie Law could have any such impact. There is absolutely no mechanism in the proposed Law that helps identify malicious website owners or prevent them from exploiting internet users. In a similar vein you could order the entire population to wear T-shirts that say “I’m not a Burglar” in the hope that it would help law enforcement agencies to swiftly pick up thieves who heedlessly continue wearing their black & white striped clothes.
Alternative Solution – Enhanced Browser Settings
Despite the sarcastic tone of most articles addressing the Cookie Law topic, I believe that none of the commentators is trying to suggest that online security and user privacy are unimportant issues. As mentioned before, the whole absurdity of the Cookie Law is that the “problem” was never properly identified. But clearly user privacy is a growing concern due to the rise of social media and behavioural advertising. It is now common to hear stories such as that of Facebook showing gay-targeted ads to homosexual users before they even had a chance to let their families and friends know they were gay (see for example this BuzzFeed article).
So what would be the best way to improve privacy and make browsing safer? Most experts agree the solution should lie on the browser side. This means making web browsers provide users with relevant information about cookies and the capability to accept and reject cookies from websites through visible browser settings. As most of the requirements for regulatory compliance would fall on a small number of browser vendors, the solution would not impose the huge economy-wide costs characteristic of the Cookie Law. Enhanced browser settings would also improve the lives of internet users, as they could set their cookie preferences in one go instead of wasting time figuring out the cookie controls on every single website they visit.
Interestingly, the ICO is not completely unaware of this alternative solution. It has simply decided to ignore it. Its Cookie Guide states that “at present, most browser settings are not sophisticated enough for websites to assume that consent has been given to allow the site to set a cookie”. So just to sum up the ICO’s position, it is perfectly OK to force millions of businesses to spend money on implementing the Cookie Law but working with a handful of browser vendors to improve privacy settings is out of the question.
The Cookie Law has exposed the appalling incompetence of bureaucrats in the digital era, both those in Brussels and at home. While it’s certainly not the first policy change that did absolutely no good while causing great harm to the economy and instilling general chaos, the utter absurdity of the entire legislative process reveals that the officials are nowhere near understanding the underlying internet privacy problems, let alone tackling them.
To people who are not on the civil service payroll it should be blatantly clear that the complexity of the Web requires the involvement of technical experts, not smooth-talking government officials. Hence, the best place to generate feasible solutions and drive change would be the industry itself. The World Wide Web Consortium (W3C), our main international web standards organization, is currently developing a number of web privacy tools, such as the “Do Not Track (DNT)” protocol. The problem is that the W3C and other independent regulators have been awfully quiet in the wake of the EU’s disturbing Privacy and Electronic Communications Directive. The industry must retake its lead in driving the digital agenda. The W3C should become a more vocal advocate of user privacy. Without its strong leadership the EU officials are sure to continue running amok.
Also, it probably wouldn’t hurt if Sir Tim Berners-Lee called José Barroso and said “What the f*** have you done with my Internet!?”