The Great Transition

EU cookie law: stop whining and just get on with it

Growth occurs as a series of jolts: your first kiss, your first drink, your first pay packet. As the technology industry matures, it's no different. But just as in real life, some people aren't too good at dealing with change.

For the best part of two years now, parts of the online media industry have been complaining about EU Directive 2009/136/EC, which requires users to consent before web sites harvest data from them.

After the government's year-long pause on enforcement, in the wake of a highly successful industry-led campaign for common sense enforcement, implementation is now only days away. In the UK, the new rules kick in on Saturday 26th May.

Yet the moaning continues. Some still view the Directive as an infernal doomsday machine that will "kill online sales" and "kill the internet". Robert Bond of the law firm Speechly Bircham describes the effects as "far-reaching and incredibly onerous" for "all UK companies." Simon Davis of Privacy International argues that proper enforcement would "destroy the entire industry".

Those with something to gain have been spreading fear and loathing. KPMG, a firm that never knowingly underestimates the threats confronting its clients, recently announced that 95 percent of British businesses and public sector organisations are "not compliant" and may therefore face fines of up to £500,000.

Separately, QuBit, a London-based data consultancy, estimates ("worst case scenario") that the EU Directive could "cost" the British economy £10bn.

Let's not delve into the debatable maths underpinning QuBit's alarmism. Instead, let's remind ourselves of what Directive 2009/136/EC actually says:

"Member States shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information."

Consent? As any teenager will tell you, much depends on how you ask the question. If regulators ever expected web site owners to implement an opt-in regime like this, they don't now. Colin O'Malley, chief strategy officer at Evidon, the US-based data and privacy company, says he has spoken with regulators in six European nations, including some of the most conservative members of the dreaded Article 29 Working Party. All of them, he says, "have specifically cautioned against going as far as opt-in".

Here's where the wiggle room opens up. Much depends on language and design. In May 2011, for example, the Information Commissioner's Office started seeking consent from users of its own web site. When users clicked through for the first time, an overlay told them that the site "would like to store information on your computer".

The aggressive tone was compounded by apparent bad faith. ("One of the cookies we use. . . has already been set".) Next, the ICO's overlay held a metaphorical gun to its users' heads, telling them that "parts of the site will not work. . . [if] you delete and block all cookies".

Unsurprisingly, the result was a 90 percent decline in measured traffic. Ever since, opponents of the directive have argued that the end of the world is nigh.

It isn't. Instead, we're starting to see some clever and subtle implementations. If you click through to BT's customer site, for example, the first thing you'll see is a cleverly-worded overlay which suggests that "this website" is set to "allow all cookies". (The language isn't threatening; moreover, it encourages the notion that this has nothing to do with you, the user).

The overlay goes on to explain that this has been done in order to offer "the very best experience" (You're worth it, no?). It goes on to say that if you click the "no, thanks" button below, you will "consent" to "allow all cookies". (The "no thanks" button instinctively appeals to the vast majority of users who don't want to be sold something; it also encourages non-technical users accustomed to things going wrong to vote for continuity).

Expect to see many more corporates adopting a similar approach. This week, for example, FT.com took the plunge, with an overlay strategy that resembles BT's.

We need to wait and see how many users refuse cookies at BT and FT.com. My guess is that the number will be a lot less than 90 percent, and that it will decrease over time. As users encounter more sites with lookalike overlays, they'll become accustomed to taking the path of least resistance. Along the way, they may start to understand cookies and privacy better. They may actually start to feel confident about privacy protection.

Still unconvinced? Then examine the guidance published by Whitehall's own IT bosses for anyone running a public sector web site. In total, the advice runs to four pages. It doesn't feel like a user manual for coping with the end of the world. Alternatively, take a look at the current guidelines from the Information Commissioner's Office, which strongly hint that "formal action" will be reserved for anyone who "refuses to take steps to comply" or who has been "involved in a particularly privacy-intrusive use of cookies".

Of course, there are perfectly understandable reasons why parts of the online industry hate the directive with such a passion. The first involves the cost of what the ICO describes as "new sites and systems and upgrades". This, as one commenter pointed out, is an industry in which it's already difficult to make money. Well, yes: and at least some of this difficulty is attributable to hot VC money, which has unleashed a torrent of me-too revenue-lite ad tech start-ups. If regulation helps consolidation on its way, the results may not be entirely negative.

Awkwardly, the directive forces the online ad industry to think about users, as well as data. (As the Government Digital Service puts it: "It's not about cookies, it's about privacy.")

Like everyone else, online ad folk would much prefer to be handed a series of binary policy decisions ("you can do this, but not that"). Instead, they've been given some guidelines and asked to think seriously about privacy. In the long term, this should strengthen respect for privacy inside the industry. However, for those who prefer not to think, the challenge is problematic.

Ad tech people are an inward-looking tribe: they need to get off their backsides and educate the public about why metrics matter. According to the IAB's own research, 89 percent of British surfers say they want to be able to control their own privacy online. Yet only 37 percent understand what a cookie is. Squaring this circle will take years of education and innovation. The directive is pushing the industry in this direction. Again, this is no bad thing.

Without an effort of this kind, the online industry will face a backlash eventually. As Simon Davis of Privacy International argues, users can rapidly become "angry customers when they find out they have not been told the truth". On this point, he's right.

Anyone in the UK online industry who still dreams of Ayn Rand-style freedoms needs to wake up, and quickly. Online accounts for 28 percent of Britain's advertising market. That's more than the 26 percent that flows into the heavily-regulated broadcast sector, more than the 23 percent that flows into newspapers, currently the focus of scrutiny by Lord Leveson.

Leveson is regulation in action. For those in the spotlight, the experience is nasty, brutish and prolonged. Measures like the EU Directive will avert the need for an equivalent of a Leveson Inquiry for the online ad industry in three, five or 10 years' time. For this reason alone, the online ad industry should embrace Britain's new cookie law with open arms.

Story
Written by Peter Kirwan
Edited by Olivia Solon
Photo
Shutterstock

Comments

  1. And on trundles the corporate machine, simply changing from cookies to the next tracking technology like digital fingerprints... What's in a name?
    You can't turn off these technologies, at least before, if you knew what you were doing, you could avoid cookie tracking, well done government you protect us well, welcome, covert tracking systems!
    My number is 393945A and I have been owned by the corporation my whole life.  

    John
    May 29th 2012
  2. As a professional, this is a pain in the ass. As a user, fuck I've been waiting for this for ages.  

    PLA
    Jun 6th 2012
  3. "HARVEST DATA" is a bit of strong editorial to push your viewpoint. Google analytics is hardly gathering oppressive personal data for nefarious use! Come on be a little more balanced. The law in the most part is pointless and most people don't care!  

    Ben
    Jun 12th 2012
  4. I visited the ICO website and accepted their cookies, but then I got up to go to the toilet and my teenage daughter started browsing the ICO website. They pushed their cookies on to the computer without her permission. This is clearly in breach of the law. All European and UK websites must display a pop-up and get consent with every single page load as the user may not be the same person who consented. Can we get an official statement on this issue?  

    Chris
    Jun 21st 2012
  5. "We know it irks many businesses. But how do we know it annoys users? Is that all users? Or some users?"
    Well we can use common sense and assume that it has no benefit for the users and only the down side of annoying messages then it's going to annoy users. I've been trying to find out what the EU are trying to achieve with this move.
    It seems to be a follow up to the "technical dick-swinging" move to show Microsoft who's boss by removing Internet Explorer from the Windows operating system that led to even more variants of Windows (N) etc. for us end users to deal with.
    One particular annoyance is my local library when I wanted to know what time they were open (I'm paraphrasing what the website actually said for amusement purposes)
    "This web site wants to use cookies is that OK"
    "Erm, out of interest… NO"
    "Oh, OK that's fine…. I'm sorry but I'll have to annoy you again next time because you won't let me use a cookie to remember that I'm not allowed to use cookies".
    Also, why should we stop complaining and tolerate this nonsense? What a ridiculous article.  

    David Homer
    Jul 4th 2012
  6. What a braindead law. You know what would be useful? If the dozen of BROWSERS were required to prompt the user. Instead of the millions upon millions of websites.

    And then, preferably, only if a third-party domain is trying to set the cookie.  

    Roman
    Oct 10th 2012
