The European Cookie Law was intended to protect internet users from unbridled tracking. Its aim was to make users more privacy-aware and to make tracking mechanisms explicit. When the law was set in place, the internet braced itself for a European Union ready to flex its muscles. But nothing happened. How come?
The EU ePrivacy Directive, better known as the Cookie Law, got its nickname because one of its three main provisions was on cookies. More specifically, the directive limits the use of storing data on a device, for example in the form of cookies, to what's strictly required to make the service work as intended. All other data may only be stored after the user opts in. For this article, we will focus on this part of the ePrivacy Directive.
There must be some readers who don't exactly know what cookies are. They are small text files a website can place on your computer. For example, it can hold the website name and a generated key for you as the user, so you can be identified. That way you stay logged in when you come back for a next visit. They can also be used to track you throughout the website and identify what pages you visit. They may even track your journey through other websites that use the same cookies to make a profile of your online behaviour. You can do a whole lot with storing a little bit of data.
Does that last example scare you? It should. User profiling and capitalising on that data is one of the most privacy-unfriendly manners to make money on the web. On the other hand, it ensures free web content. Many websites rely on those profilers to bring you advertisements. Unfortunately, the Cookie Law failed to address the data collection hunger by addressing the wrong cause. As one website so poetically states, the law was *"drafted by a team of technically illiterate octogenarians who couldn't find a button on a mouse."*
While the directive originated from a noble cause, its execution and implementation failed miserably. The general public didn't care enough for cookies, or their online privacy for that matter. There was a lack of knowledge on the subject and enforcement of the law was impossible. Couple that with the fact that cookies are unavoidable nowadays and you have a law that was doomed to fail.
The unavoidability of cookies
Cookies are omnipresent in the online world. Their uses range from storing shopping cart items to advanced user tracking. Embedding a YouTube video on your website means that you load their cookies. Having a Twitter stream or social sharing buttons gives you cookies. Tracking visitor numbers and behaviour on your website brings with it even more cookies. They're everywhere.
The cookie law prohibits the placement of cookies for anything other than functional use, but it's unclear what constitutes functional use in the first place. Third party cookies may sneak in from unexpected sources, be it images or embedded videos, and you're required to ask consent for cookies you may not even know you're placing. Yet, I would argue that these fall under functional use. Without them, parts of a website may be rendered meaningless, as they may exist specifically in context with these third-party items. Some of these fall under exemptions, but functional use is never properly defined.
So, what about the unbridled tracking the Cookie Law aimed to address? Having a popular website can be a costly expense, with millions of users sucking up bandwidth. These websites have to be financed, most often through advertising. There are numerous online advertising platforms, each coming with their own set of cookies. If they allow you to not use these cookies and advertising services, they lose a lot of their income. It may even mean they cease to exist. Tracking is so embedded in the way a lot of websites are financed that it may be impossible to get rid of it completely.
It speaks for itself that many websites opted for a solution that made users give implied consent, meaning that they place a cookie bar you can click away or ignore. Let's argue the other way: imagine visiting CNN.com and being asked whether it's okay if they track you. But it's not just them that's tracking you, it's the services they get their advertisements from, social media, and so on. They want to give the user choice in how their data is being used, so they provide a lot of checkboxes for trackers. You get one from Amazon Ads, Bing, Google, Facebook, Casale Media, Twitter, BounceExchange and more. These all appear on CNN.com, which gave me 38 tracking cookies. This simply isn't a realistic scenario.
You could go crazy thinking of how unprivate our lives really are - ... the porous state of our Internet selves, the trail of electronic crumbs we leave every day.
— Susan Orlean
A 2017 study automatically scanned 35.000 websites on whether they placed tracking cookies before requiring any user action. Only 35% of websites didn't do so, meaning that 65% of the surveyed websites were failing criteria of implied consent. This is down from estimates of 90% made when the directive was announced, so there's some positive change. Among these, I found several websites of the European Union that didn't comply either: the European Central Bank (4 trackers), the Council of the European Union (7 trackers) and the apparently different website for the European Council (12 trackers).
Cookies are just everywhere. Accepting legislation to block them is like tracking everyone on the internet because they may have malicious intent (also known as pulling an NSA). It's a disproportionate measure that doesn't have the intended effects and doesn't address the root cause.
A nonsensical law
Besides cookies being everywhere, the new directive had some problems regarding its execution. It was economically ignorant, technically illiterate and people didn't know or care about cookies. On top of that, it was ill-defined. These are some hefty problems for a law aimed at protecting users from data greed.
The law was economically ignorant in that it didn't account for the way the internet is financed. Google's advertising revenue was $79.38 billion in 2016. As I stated before, a lot of websites are dependent on that advertising revenue. To deliver these advertisements optimally, Google tracks users as much as it can. On top of that, Google offers a free search engine, Gmail, Google Calendar and a whole host of other free services that they use to collect data to better sell their advertisements. The same goes for Facebook, Twitter and so on. Complying with the cookie law wouldn't just mean losing income for your website, it also meant that their whole business model would be ruined. While tracking should be better regulated, totally removing it doesn't seem the right way to go.
All of that aside, it doesn't matter. Tracking nowadays can be done in many ways. You can block tracking ads and cookies, but there's new and more sophisticated techniques that don't rely on storing cookies. Browser fingerprinting is one of these, which uses data gathered from your browser to identify you. You can test your own browser and see for yourself. On top of that, JavaScript is also a possibility for tracking. The most famous example of this is the Facebook like button, which comes with a script that communicates with Facebook's services. The best part of this is that these don't require any data to be stored on the user device, thereby bypassing the Cookie Law altogether. This is maybe the best example yet of a technically illiterate law that could already be circumvented at its creation.
Then again, if the public wants it we should make it happen, right? A 2011 PWC survey found that only 13% of internet users fully understood cookies, a survey in which they report an overrepresentation of internet savvy users. The UK Information Commissioner's Office (ICO), responsible for enforcing the Cookie Law, received only 195 concerns about cookies from April 2016 to March 2017. This number pales in comparison to the 167.018 concerns the ICO received about nuisance calls, text messages and emails. The general public simply doesn't know and doesn't care. Cookies are too non-intrusive and data collection is too much a behind-the-scenes operation to take notice of.
The final problem in breaking apart this law is that it was ill-defined. Without consent, I can place third-party social sharing cookies, but not analytical cookies. I used to have AddThis to add social sharing buttons to this site, which provided me with analytics as well. What do I do with that cookie? Is its primary purpose placing social sharing buttons or is it analytics? And where do you draw the line? What is the differentiating factor?
The directive also states, in its primary text, that functional cookies are allowed. These are the cookies essential to the user experience. Of course, they mean shopping cart and session cookies with it, but what if I make my cookies multifunctional? And how do you define something as a functional cookie? The Cookie Law raises more questions than it answers.
Taking all that into account, I can state that the Cookie Law is poorly defined and unenforceable. It could already be circumvented at the time of publication, it didn't take the financing of the internet into account and the public knew nor cared. It raised more questions than it answered and didn't provide the clarity many had hoped for. It was stillborn.
Is there any hope?
With the General Data Protection Regulation (GDPR) on the horizon -- it becomes active on the 25th of May 2018 -- there may be something to look forward to. The GDPR doesn't cover all topics from the Cookie Law, but it makes items such as consent more explicit. It's a step in the right direction, but whether it proves enforceable is yet to be seen.
Still, the previous attempt by the European Union to regulate data collection was a clear-cut failure. With the right intentions, they managed to create a horrible law that tackled a non-issue. Now that it's 2017 and we're all aware of the fact that cookies exist, it may be time to force companies into some more transparency on their data collection. Maybe the GDPR will help.