The Great Transition

EU cookie law: stop whining and just get on with it

Growth occurs as a series of jolts: your first kiss, your first drink, your first pay packet. As the technology industry matures, it's no different. But just as in real life, some people aren't too good at dealing with change.

For the best part of two years now, parts of the online media industry have been complaining about EU Directive 2009/136/EC, which requires users to consent before web sites harvest data from them.

After the government's year-long pause on enforcement, in the wake of a highly successful industry-led campaign for common sense enforcement, implementation is now only days away. In the UK, the new rules kick in on Saturday 26th May.

Yet the moaning continues. Some still view the Directive as an infernal doomsday machine that will "kill online sales" and "kill the internet". Robert Bond of the law firm Speechly Bircham describes the effects as "far-reaching and incredibly onerous" for "all UK companies." Simon Davis of Privacy International argues that proper enforcement would "destroy the entire industry".

Those with something to gain have been spreading fear and loathing. KPMG, a firm that never knowingly underestimates the threats confronting its clients, recently announced that 95 percent of British businesses and public sector organisations are "not compliant" and may therefore face fines of up to £500,000.

Separately, QuBit, a London-based data consultancy, estimates ("worst case scenario") that the EU Directive could "cost" the British economy £10bn.

Let's not delve into the debatable maths underpinning QuBit's alarmism. Instead, let's remind ourselves of what Directive 2009/136/EC actually says:

"Member States shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information."

Consent? As any teenager will tell you, much depends on how you ask the question. If regulators ever expected web site owners to implement an opt-in regime like this, they don't now. Colin O'Malley, chief strategy officer at Evidon, the US-based data and privacy company, says he has spoken with regulators in six European nations, including some of the most conservative members of the dreaded Article 29 Working Party. All of them, he says, "have specifically cautioned against going as far as opt-in".

Here's where the wiggle room opens up. Much depends on language and design. In May 2011, for example, the Information Commissioner's Office started seeking consent from users of its own web site. When users clicked through for the first time, an overlay told them that the site "would like to store information on your computer".

The aggressive tone was compounded by apparent bad faith. ("One of the cookies we use. . . has already been set".) Next, the ICO's overlay held a metaphorical gun to its users' heads, telling them that "parts of the site will not work. . . [if] you delete and block all cookies".

Unsurprisingly, the result was a 90 percent decline in measured traffic. Ever since, opponents of the directive have argued that the end of the world is nigh.

It isn't. Instead, we're starting to see some clever and subtle implementations. If you click through to BT's customer site, for example, the first thing you'll see is a cleverly-worded overlay which suggests that "this website" is set to "allow all cookies". (The language isn't threatening; moreover, it encourages the notion that this has nothing to do with you, the user).

The overlay goes on to explain that this has been done in order to offer "the very best experience" (You're worth it, no?). It goes on to say that if you click the "no, thanks" button below, you will "consent" to "allow all cookies". (The "no thanks" button instinctively appeals to the vast majority of users who don't want to be sold something; it also encourages non-technical users accustomed to things going wrong to vote for continuity).

Expect to see many more corporates adopting a similar approach. This week, for example, FT.com took the plunge, with an overlay strategy that resembles BT's.

We need to wait and see how many users refuse cookies at BT and FT.com. My guess is that the number will be a lot less than 90 percent, and that it will decrease over time. As users encounter more sites with lookalike overlays, they'll become accustomed to taking the path of least resistance. Along the way, they may start to understand cookies and privacy better. They may actually start to feel confident about privacy protection.

Still unconvinced? Then examine the guidance published by Whitehall's own IT bosses for anyone running a public sector web site. In total, the advice runs to four pages. It doesn't feel like a user manual for coping with the end of the world. Alternatively, take a look at the current guidelines from the Information Commissioner's Office, which strongly hint that "formal action" will be reserved for anyone who "refuses to take steps to comply" or who has been "involved in a particularly privacy-intrusive use of cookies".

Of course, there are perfectly understandable reasons why parts of the online industry hate the directive with such a passion. The first involves the cost of what the ICO describes as "new sites and systems and upgrades". This, as one commenter pointed out, is an industry in which it's already difficult to make money. Well, yes: and at least some of this difficulty is attributable to hot VC money, which has unleashed a torrent of me-too revenue-lite ad tech start-ups. If regulation helps consolidation on its way, the results may not be entirely negative.

Awkwardly, the directive forces the online ad industry to think about users, as well as data. (As the Government Digital Service puts it: "It's not about cookies, it's about privacy.")

Like everyone else, online ad folk would much prefer to be handed a series of binary policy decisions ("you can do this, but not that"). Instead, they've been given some guidelines and asked to think seriously about privacy. In the long term, this should strengthen respect for privacy inside the industry. However, for those who prefer not to think, the challenge is problematic.

Ad tech people are an inward-looking tribe: they need to get off their backsides and educate the public about why metrics matter. According to the IAB's own research, 89 percent of British surfers say they want to be able to control their own privacy online. Yet only 37 percent understand what a cookie is. Squaring this circle will take years of education and innovation. The directive is pushing the industry in this direction. Again, this is no bad thing.

Without an effort of this kind, the online industry will face a backlash eventually. As Simon Davis of Privacy International argues, users can rapidly become "angry customers when they find out they have not been told the truth". On this point, he's right.

Anyone in the UK online industry who still dreams of Ayn Rand-style freedoms needs to wake up, and quickly. Online accounts for 28 percent of Britain's advertising market. That's more than the 26 percent that flows into the heavily-regulated broadcast sector, more than the 23 percent that flows into newspapers, currently the focus of scrutiny by Lord Leveson.

Leveson is regulation in action. For those in the spotlight, the experience is nasty, brutish and prolonged. Measures like the EU Directive will avert the need for an equivalent of a Leveson Inquiry for the online ad industry in three, five or 10 years' time. For this reason alone, the online ad industry should embrace Britain's new cookie law with open arms.

Written by Peter Kirwan
Edited by Olivia Solon
Photo: Shutterstock

Comments

  1. And wired is doing what about complying with the cookie guidance?  

    Cookie Monster
    May 24th 2012
  2. This is a very poorly written article, I would have expected more insight from a wired article.... this law does nothing but annoy users and business owners alike.....  

    toelean
    May 24th 2012
    1. In reply to toelean

      toelean,

      We know it irks many businesses. But how do we know it annoys users? Is that all users? Or some users? Or a portion of users depending on specific implementations?

      I've not seen any evidence on user attitudes, but if you can point some out, I'd be interested.

      Peter  

      Peter Kirwan
      May 24th 2012
      1. In reply to Peter Kirwan

        If you used a cookie, you'd know :) PS the use of captcha on this site annoys me far more than cookies  

        ShaunnyBwoy
        May 25th 2012
      2. In reply to Peter Kirwan

        How about a (bad) real world analogy.

        Every time you go into a store you get stopped by a store employee who has to first inform you that, by entering the store you will be captured on the store's CCTV, and information from your purchase will be used by the store to better allocate refreshment of stock. That gets annoying real quick.

        I'd much rather see them implement something browser side. When you first start up the browser a dialogue explaining cookies pops up and you're given the options.

        "block all cookies / allow all trusted cookies (what they have now) / let me choose on a case by case basis"

        Much simpler, and much quicker for most, far less annoying. You block all cookies? You no longer go shopping, you allow all cookies, go wherever you like, case by case you get asked at every store.  

        wowfood
        Oct 12th 2012
  3. "37 percent understand what a cookie is" of UK surfers. ha, ha... I work in the tech industry and only about 5% of the folks understand what a cookie is, and that's being nice. The average surfer has no clue. Backing them into a "factual" definition, they'd likely get it all wrong.  

    Derick Ho
    May 24th 2012
  4. We just changed our website to not use any cookies, no big deal, but we understand a lot is tracked by cookies that I'm sure if users knew the extent to which they were logged/tracked and monitored they wouldn't agree to it. E.g. Facebook and Google and all the ad monitoring sites.

    This seems like a good law, there will be resistance, but those too lazy to make changes or those who complain about privacy will always moan.  

    Henry R
    May 25th 2012
  5. "Unsurprisingly, the result was a 90 percent decline in traffic." - are you sure? Or was it not a 90% drop in measured traffic? i.e. the visitors still came but their analytics tool no longer was able to track them. If it were a 90% drop in actual visitors, that would have huge implications - would it be possible to know what your source is please?  

    John Wedderburn
    May 25th 2012
    1. In reply to John Wedderburn

      The ICO experienced a 90% decrease in measurable traffic - rendering metrics reporting via GA almost meaningless. Pass the web-log please.  

      John Benfield
      May 25th 2012
  6. A couple of issues.

    Firstly, the law applies to cookies and similar technologies that store data on users' computers, but (apparently) not server logs, which can also log IP addresses and provide a crude way of tracking people and behaviour. Like a mediaeval ban on the printing press, the law targets a technology (cookies, regardless of what they do) rather than a real issue (online privacy). Harmless cookies should not be presumed guilty until proven innocent.

    Secondly, small companies with old websites might not be able to afford to make their sites compliant. Times are already hard. If you've got an old CMS, you might be stuck with something that requires cookies and that you just can't afford to upgrade. No amount of nice wording is going to get around the fact that anyone not wanting the cookies will have to leave the site.  

    John Hughes
    May 25th 2012
    1. In reply to John Hughes

      John

      1) You may well have a point here, in terms of the Directive's emphasis on "the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user". Examined in detail, most laws and regulations look insufficiently specific, and I suspect this one is no different. But it's a long way from this to arguing that "harmless cookies" are being "presumed guilty". The ICO guidance makes some distinctions in this respect (eg: "strictly necessary" cookies etc).

      2) Point taken re: small businesses. But how many will actually be penalised by the ICO before solutions get integrated into low-cost packaged CMS/ISP/analytics services? None I would hope. If we do start to see these kind of rulings from the ICO, they will rightly face a lot of opposition. Everything the ICO is saying suggests that this will not happen. Of course, this might change, but in the absence of evidence to the contrary, I'm inclined to take them at their word. For now.

      Peter  

      Peter Kirwan
      May 25th 2012
  7. The FT's cookie popup is a facade and does not comply with any part of the new cookie law. It implies that it is asking you for permission to set cookies, but before obtaining your permission it has already set a dozen or so cookies and so have all the third-party advertisers on FT.com. If you don't accept and navigate away from the FT those advertisers can still track you and still know you visited the FT website.  

    Richard
    May 25th 2012
  8. I understand the motivation behind this law as I think the public should be more aware of the serious privacy issues on the Web and how to control them. However I think the practicalities of the guidelines and their technical focus on cookies is the wrong approach.

    First of all having to agree to a message each time I visit a new website or each time they change their tracking policy (and care about keeping the user informed they have done so) is very annoying to everyone. The main privacy threats come from sites capturing a lot of your personal data or sensitive information about you (e.g. Facebook) and also come from companies (e.g. Google) which track your every move on the web through third-party cookies and their very large range of sites and online services.

    For the first category, a little pop-up with a simplistic message asking you to accept cookies fails to address the complexity of what happens after you have accepted, i.e which data are they capturing, what are they doing with it, how long is it kept on their database, who are they sharing that information with, etc.

    The second category, which corresponds to the last type of cookies (i.e. the advertising/targeting cookies), is by definition a cross-website problem. Someone who doesn't want to be tracked will typically say no on that kind of cookies on every site they visit which is very silly and counter-productive. Bearing in mind it will often be an all-or-nothing kind of answer, if you say no because of third party cookies you'll also be unable to log into the site or benefit from other functionalities. So this category should really be controlled in a central place for the users. Such things already exist in the form of browser plug-in blocking third party cookies but many people are not aware of this. Which leads me to think that instead this law has very good intentions but government efforts and budget would be better spent on better education of the public and more fine-grained regulation of what dominant internet companies are currently getting away with.

    One last thing. Your data is not stored in the cookies. The cookie only contains a unique identifier for each user. This is used to look up your personal record in their database. Which means that once cookies are enabled there is no way for anyone to really check what they are used for unless you request a copy of their database and software code.
     

    Bob Roberts
    May 25th 2012
  9. The issues I have with BT implementation and most solutions considered as reasonable is that these overlays are not particularly accessible and not in keeping with the spirit of the regulation specifically the timeout and giving consent if a user hasn't clicked an option within 20 seconds, a screen reader user may not have even read the message in 20 seconds let alone considered an option.

    In addition most of the overlay techniques require a cookie to remember user preferences whether consented or not or the overlay is displayed each time a user visits the site or a new page. Again this causes accessibility and general usability issues.

    There is no single solution I have seen that satisfies accessibility, usability and the directive and furthermore I believe there should be a standard solution possibly implemented via a browser to give a standard experience.

    Although there has been a campaign informing business about the directive the public awareness of what a cookie is has not been addressed, there should be public awareness and education on the matter, it shouldn't be down to businesses to have to pay or educate its customers on what a cookie is.

    Personally I believe a proper solution doesn't currently exist. I won't be taking any drastic steps in incorporating a half baked solution and will either wait for a solution to become available or happily explain my reasons to the ICO if I'm pulled up on the matter.  

    Antony
    May 25th 2012
    1. In reply to Antony

      I totally didn't think of the fact that if you decline then EVERY time you open a new page it'd have to ask you again. Otherwise it can't possibly tell who you are and so won't know that you don't want cookies. And I don't really think you could claim it to be "essential" for your site and thus not require permission (though you could argue it being completely stupid).  

      Sam
      Aug 15th 2012
  10. Interesting: I'll confess I wasn't aware of the 20 second time-out on the BT implementation. Like you, I can't see how that's in keeping with the spirit of the law. And I can (sort of) see the usability issue to which you refer, at least in the case of users who set their browsers to accept no cookies (perhaps even "strictly necessary" ones?).

    But. . . I think it is down to businesses to engage, explain and illuminate. If you're trading off the back of user data in one way or another, it's reasonable that you be required to explain to users how you harvest that data, what you do with it, etc.

    As for your preferred solution, you're not alone. The Directive is classic tech regulation: it challenges the industry to solve the problem it creates, to find a route around the obstacle. I'd be surprised if technical solutions don't emerge quite quickly.

    Peter  

    Peter Kirwan
    May 25th 2012
  11. Wouldn't it be easier for the law to require more visible cookie controls on a handful of browsers rather than a multitude of websites? I can see the argument for greater user control but this just doesn't seem like a sensible way of implementing it.  

    Dan Dissanayake
    May 25th 2012
  12. "Stop whining and just get on with it"?

    Yeah right ... coming from a T**t that probably sits on his arse and writes crap all day long like this.

    I am a one man band, self employed and working from home with 93 websites. For the past 3 f ing months I have been doing cookie audits, creating and editing scripts just to comply with this stupid law. Some of my sites I am simply going to have to bin because I can't get them to comply with the law and I can't afford to employ a programmer to go through these sites individually as some of them are so complex and hard coded that it would cost far too much. A few of my websites have 10,000 plus static pages built up over 10 years, imagine what that is like to become compliant?

    Already from the websites that do comply, I have witnessed a massive drop in revenue with this coming when things aren't exactly great economically and I have a family to support. I've now had it up to my eye balls with cookies, from 8.30am until the time I am fit for bed for 3 freckin' months doing this crap. If I ever come face to face with the people that created this law ... well, even you Peter can use your imagination.

    You are about as open minded as the people in charge of our country, take your blinkers off mate, especially as you are not directly affected by this by a "journalist"!  

    Chris
    May 25th 2012
    1. In reply to Chris

      Chris

      If you're happy to talk more about your situation, I'm all ears. Can you drop me a line? Email me at fullrun [at] gmail.com. . .

      Peter  

      Peter Kirwan
      May 26th 2012
  13. What a load of fucking shite.
    Laws on the internet passed by eejits that wouldn't even know how to turn a computer on.  

    Daniel
    May 27th 2012
  14. Surely it would have made more sense to educate users in how to disable cookies rather than expect every website to pester users about them. I have looked at various methods being used by websites and after a while got fed up of being asked the same thing over and over again. What happened to the UK Government getting the browser developers round the table to see if an easy option could be added to the browser? I also think it is ironic that all these websites are rushing to comply when the EU's own website doesn't comply with their own directive.  

    Robert
    May 28th 2012
  15. Come on guys, how is this even a debate?

    The old idiots in parliament never browse the internet but I do. Having a pop-up annoy me every time I erase cache, or disable browser history, change browser, change cache on firefox because of how often firefox gets corrupted due to the cache... enable private browsing... having a pop-up annoy me every time I visit a site, it's absolutely insane. You really have to stop acting like sheep and writing and reading garbage articles like this.

    But because the idiots in parliament are solipsists, the only way they'd understand it would be if every time they farted in their damn parliament seats, they would be given a pop-up warning them to cover their farts with a bottle. Or every time they turned a page on one of their useless paper media newspapers, they were given another pop-up.

    The article nearly gets it when it says it's about politics. This law was clearly old media, big media, old and big business and government attacking online business because they can't tax it, it just seeps away from one country to another into bitcoin or fiscal paradises.

    Since when is old big media, old big business, or old big government even remotely interested in online privacy when they're promoting the UK equivalent of CISPA, ACTA, and PIPA, or when they've blocked the pirate bay. They just want to render online tracking useless so they can keep with their own nation-state surveillance.  

    Stupid stupid law
    May 29th 2012
