
Would you like a cookie?
I’d like to talk about how cookie consent laws have damaged consumer understanding of privacy. They demonised cookies - a simple way of storing information - when the real problem was the widespread, unregulated tracking and sharing of personal data. The law focuses on a technology rather than a behaviour. I’d also like to talk about the GDPR and recent efforts to amend it.
The right to privacy is an area I care about because I think that it is important for users to be able to understand and control how their data is used. I am not an expert in privacy or EU/UK law, so take this article with a grain of salt. I’m also interested to hear from those with more experience.
Cookie Consent
What are cookies and cookie consent?
A cookie is something that websites can use to store information to access later. It’s often described as a small text file in your browser. There are many unobjectionable uses for cookies, including keeping the user logged in, storing preferences, and managing shopping carts. Cookies can also be used to store tracking identifiers and other information for targeted advertising and analytics.
Cookie consent is an EU law that requires website providers to inform users and seek their consent before storing a cookie [1]. There is an exception for “strictly necessary” cookies - websites are allowed to use cookies without consent for purposes which are strictly necessary to fulfil a user request. For example, this may include login and shopping cart cookies. Whilst it is called “cookie” consent, it actually applies to any method of storing data on the client device - including local storage and IndexedDB.
What is the problem with cookie consent?
The problem with cookie consent is that it focuses on a specific technology to store data, rather than a behaviour by the service providers. If cookies were the problem, then browsers could block cookies by default. Browsers could add a permission for storing data on the device; there would be no need for all these banners.
Furthermore, focusing on cookies is confusing for end users. You end up with websites showing cute messages like “🍪 Hello, would you like a cookie?” rather than “Is it okay if we track everything you do on the Internet across many different websites?” Cookies sound friendly and sweet; after all, who doesn’t want a cookie?
Another problem is that service providers often err on the side of being very strict about obtaining storage consent. For example, they may require you to opt in to cookies and tracking before you can change settings. Some don’t even remember your cookie consent if you opt out, which is explicitly allowed by cookie consent! This harms both user experience and privacy. In these cases, cookies are strictly necessary to fulfil an explicit user request.
The EU is currently amending the GDPR through the Digital Omnibus. Critics say this will weaken the GDPR after pressure from tech companies to make it easier to train Large Language Models (LLMs). However, I was interested to see that this amendment appears to simplify the ePrivacy Directive, which introduced cookie consent, so I am wondering how much it changes in relation to the problems discussed above.
GDPR
Why is the GDPR better than cookie consent?
GDPR was a big improvement because it focuses on the purposes of data usage and on affirmative consent, rather than on the technology being used to store data [2].
Consent or pay
The UK recently ruled to allow so-called “consent or pay” [3]. The only stipulation is that the price needs to be sufficiently low - Meta changed from ~£8 per month to £2.99 per month [4][5]. My first thought is that this feels abusive. Is it truly consent if the user needs to pay to object?
Non-personalised advertising is significantly less profitable for the publisher. In the EU, Meta solves this by showing non-skippable adverts to those who opt out of personalised advertising [6]. I find this to be a much fairer solution. Ultimately, it’s not the advertising that privacy advocates object to. It’s the tracking and personalisation.
I think that advertising provides perverse incentives for service providers. It is often user-hostile, resulting in software that is slower and has lower user satisfaction. Advertising also results in a lot of corporate censorship and sanitisation: you end up with speech like “unalive” and “g@y” to get around shadow bans. With this in mind, is it consistent for me to be against consent or pay? Is this the start of a post-advertising online industry?! Unlikely.
Consent banner fatigue and Do Not Track
I do think that GDPR banners are unnecessarily confusing at times, with a lot of technical/legalese-style language behind each option. There is also a certain amount of fatigue when every website has a privacy banner. I suspect the vast majority of users will just accept all or reject all, and won’t bother configuring further.
“Do Not Track” was a browser feature that allowed users to tell websites that they do not wish to be tracked. Due to a lack of regulation, this flag was not respected by most service providers. It has been deprecated by the standards body and removed from Firefox [7]. Adding a similar feature for GDPR banners, but one that is legally mandated, might solve the fatigue problem.
Global Privacy Control is a modern successor to Do Not Track [8]. It seems to work in much the same way, but has a legal basis through California’s Consumer Privacy Act. It is supported by Firefox but not by Chrome. It is also unclear to what extent it is respected by service providers outside of California.
As part of the Digital Omnibus, the European Commission aims to solve the “consent fatigue and proliferation of cookies banners.” [9] The changes will require controllers to ensure their consent management can be used through automated and machine-readable means, and will require web browsers to provide the technical means for such automated indications of data subjects’ choices [10]. I’m hoping this will provide the legal basis for Global Privacy Control inside the EU. I’d also like to see the ability to automate consent more granularly. It remains to be seen how these measures will be implemented, but I am feeling positive about this aspect.
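As an added example (not code from the original post), here is a minimal server-side consent gate showing two points made above: honouring the automated Global Privacy Control signal (the Sec-GPC: 1 request header) as an opt-out from non-essential storage, and remembering a rejection in a first-party cookie so the banner does not reappear. The consent cookie name, its value format and the purpose names are assumptions made for this example.

```javascript
// Added example, not the post's own code. Header name follows the GPC spec;
// CONSENT_COOKIE, its value format and the purpose names are assumptions.
const CONSENT_COOKIE = "consent_pref";      // assumed first-party cookie name
const NON_ESSENTIAL = ["analytics", "ads"]; // assumed purposes needing consent

// Parse a Cookie request header into a name -> value object.
// Real servers use a library; this minimal parser is enough here.
function parseCookies(header) {
  const out = {};
  for (const part of (header || "").split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    if (name) out[name] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return out;
}

// Decide which non-essential purposes may be used for this request.
// Returns { allowed: [...purposes], showBanner: boolean }.
function consentDecision(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;
  const cookies = parseCookies(h["cookie"]);

  // A machine-readable objection (GPC) overrides any remembered "accept".
  if (h["sec-gpc"] === "1") return { allowed: [], showBanner: false };

  // A remembered choice, including "reject", is strictly necessary to store:
  // it needs no consent itself and stops the banner from reappearing.
  const stored = cookies[CONSENT_COOKIE];
  if (stored === "reject") return { allowed: [], showBanner: false };
  if (stored && stored.startsWith("accept:")) {
    const allowed = stored.slice(7).split(",").filter((p) => NON_ESSENTIAL.includes(p));
    return { allowed, showBanner: false };
  }
  // No signal and no stored choice: nothing non-essential until the user decides.
  return { allowed: [], showBanner: true };
}

// Build the Set-Cookie header that records the user's banner choice.
// Rejections are persisted too, so opting out is remembered like opting in.
function recordChoice(choice, purposes = []) {
  const value = choice === "accept"
    ? "accept:" + purposes.filter((p) => NON_ESSENTIAL.includes(p)).join(",")
    : "reject";
  return `${CONSENT_COOKIE}=${encodeURIComponent(value)}; Path=/; Max-Age=15552000; SameSite=Lax; Secure`;
}
```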
Conclusion
This is not my area of expertise, but I hope you found this interesting nonetheless. I have linked to my sources if you’d like to read more. If I’ve made any mistakes or you have related thoughts on this topic, please comment to let me know.
Cover image: hedgehog biscuits I made during lockdown in 2020.
Meta brings optional ad-free ‘pay or consent’ model to the UK - Politico
Why is Meta offering cheaper and simpler “pay or consent” in the UK? - EUTechReg
Back where it started: “Do Not Track” removed from Firefox after 13 years - Ars Technica
Now you can enforce your privacy rights with a single browser tick - Ars Technica
Digital Omnibus reshapes EU cookie rules but leaves banner fatigue largely intact - Osborne Clarke