Twenty of Time
Dead at conception: the European Cookie Law

A retrospective of an unenforceable piece of legislation

The European Cookie Law was intended to protect internet users from unbridled tracking. It aimed to make internet users more privacy-aware and to make tracking mechanisms explicit. When the law was set in place, the internet braced itself for a European Union ready to flex its muscles. But nothing happened. How come?

This is a post on privacy, one of the major topics on Twenty of Time this year. During the year we will explore the question of who owns your data, ways to protect yourself from digital surveillance and the European Union’s new privacy law: the General Data Protection Regulation. See also the previous article, a review of 2017 from a privacy perspective.

The EU ePrivacy Directive, better known as the Cookie Law, got its nickname because one of its three main provisions was on cookies. More specifically, the directive limits the use of storing data on a device, for example in the form of cookies, to what’s strictly required to make the service work as intended. All other data may only be stored after the user consents. For this article, we will focus on this part of the ePrivacy Directive.

Some readers may not know exactly what cookies are. They are small pieces of text a website can store in your browser. For example, a cookie can hold the website name and a generated key that identifies you as the user, so you stay logged in when you come back for your next visit. Cookies can also be used to track you throughout the website and record which pages you visit. They may even track your journey across other websites that use the same cookies, building a profile of your online behaviour. You can do a whole lot by storing a little bit of data.

Unfortunately not as tasty

That last example shows the intention of the law. Profiling users and capitalising on that data is one of the most privacy-unfriendly ways to make money on the web. On the other hand, it is what keeps web content free: many websites rely on those profilers to bring you advertisements. Unfortunately, the Cookie Law failed to curb this hunger for data because it targeted the wrong item. As one website so poetically states, the law was “drafted by a team of technically illiterate octogenarians who couldn't find a button on a mouse.”

While the directive originated from a noble cause, its execution and implementation failed miserably. The general public didn’t care enough for cookies, or their online privacy for that matter. There was a lack of knowledge on the subject and enforcement proved impossible. Couple that with the fact that cookies are unavoidable nowadays and you have a law that was doomed to fail.

The unavoidability of cookies

Cookies are omnipresent in the online world. Beyond tracking, they can also be used to store shopping carts and similar functions. Embedding a YouTube video on your website means that you load their cookies. Having a Twitter stream or social sharing buttons gives you cookies. Tracking visitor numbers and behaviour on your website brings with it even more cookies. They’re everywhere.

The cookie law prohibits the placement of cookies (or data) for anything other than functional use, but it’s unclear what constitutes functional use in the first place. Third party cookies may sneak in from unexpected sources, be it images or embedded videos, and you’re required to ask consent for cookies you may not even know you’re placing. Yet, I would argue that these fall under functional use. Without them, parts of a website may be rendered meaningless, as they may exist specifically in context with these third-party items. Some of these fall under exemptions, but functional use is never properly defined.

Can't make the track more clear

So, what about the unbridled tracking the Cookie Law aimed to address? Running a website can be expensive, and most websites are financed through advertising. There are numerous online advertising platforms, each coming with its own set of cookies. If a website lets you opt out of these cookies and advertising services, it loses a lot of its income. It may even mean it ceases to exist. Tracking is so embedded in the way many websites are financed that it may be impossible to get rid of it completely.

It is no surprise that many websites opted for a solution based on implied consent: a cookie bar you can click away or ignore. Let’s argue the other way: imagine visiting CNN.com and being asked whether it’s okay if they track you. But it’s not just CNN tracking you, it’s the advertising services, social media, and so on. To give the user a choice in how their data is used, the site would have to provide a lot of checkboxes, one for each tracker. You would get one for Amazon Ads, Bing, Google, Facebook, Casale Media, Twitter, BounceExchange and more. CNN.com has 38 tracking cookies (checked 16 January 2018). Having a checkbox for each of these simply isn’t a realistic scenario.

A 2017 study automatically scanned 35,000 websites to see whether they placed tracking cookies before requiring any user action. Only 35% of websites didn’t do so, meaning that 65% of the surveyed websites failed the criterion of explicit consent. This is down from estimates of 90% made when the directive was announced, so there has been some positive change. I also found several websites of the European Union itself that didn’t comply: the European Central Bank (4 trackers), the Council of the European Union (7 trackers) and the apparently separate website of the European Council (12 trackers).
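The study above counted cookies placed before any user interaction. The script below is an added example of how such a pre-consent audit can be expressed in code; it is not the study's tooling nor part of this post. It parses captured Set-Cookie headers, decides whether each cookie is first-party or third-party relative to the page being loaded, and whether it outlives the browser session. The hostnames and headers are constructed sample data, and the verdict rules (first-party session cookie is the likely "strictly necessary" class, first-party persistent cookie needs a look, any third-party cookie placed before consent is counted as a tracker) are the example's own heuristic, not the directive's definition of functional use.

```python
"""Audit Set-Cookie headers captured before any consent interaction.

Added example, not the 2017 study's code. Hostnames, headers and the
verdict heuristic are constructed assumptions for illustration.
"""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit


@dataclass
class Cookie:
    name: str
    value: str
    domain: Optional[str] = None     # Domain attribute, leading dot removed
    max_age: Optional[int] = None
    expires: Optional[str] = None    # raw date string, not parsed here
    samesite: Optional[str] = None
    secure: bool = False
    httponly: bool = False


def parse_set_cookie(header: str) -> Cookie:
    """Parse one Set-Cookie header value; attribute names are case-insensitive."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = Cookie(name=name.strip(), value=value.strip())
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "domain":
            cookie.domain = val.lstrip(".").lower()
        elif key == "max-age" and val.lstrip("-").isdigit():
            cookie.max_age = int(val)
        elif key == "expires":
            cookie.expires = val
        elif key == "samesite":
            cookie.samesite = val.lower()
        elif key == "secure":
            cookie.secure = True
        elif key == "httponly":
            cookie.httponly = True
    return cookie


def registrable_domain(host: str) -> str:
    """Crude site boundary: the last two labels. A real tool would consult the
    Public Suffix List (assumption: no suffixes such as co.uk in the sample)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_persistent(cookie: Cookie) -> bool:
    """A cookie outlives the browser session if it carries Max-Age or Expires."""
    return cookie.max_age is not None or cookie.expires is not None


def classify(cookie: Cookie, response_host: str, page_host: str) -> dict:
    """Heuristic verdict (this example's assumption, not the directive's text)."""
    effective_host = cookie.domain or response_host
    third_party = registrable_domain(effective_host) != registrable_domain(page_host)
    if third_party:
        verdict = "consent-required"       # what the scan counts as a tracker
    elif is_persistent(cookie):
        verdict = "review"                 # first-party but survives the session
    else:
        verdict = "likely-exempt"          # first-party session cookie
    return {"name": cookie.name, "host": effective_host, "third_party": third_party,
            "persistent": is_persistent(cookie), "samesite": cookie.samesite,
            "verdict": verdict}


def audit_pre_consent(page_url: str, responses) -> list:
    """responses: (response_url, [Set-Cookie values]) pairs captured while
    loading page_url with no consent given yet."""
    page_host = urlsplit(page_url).hostname or ""
    findings = []
    for response_url, headers in responses:
        response_host = urlsplit(response_url).hostname or ""
        for header in headers:
            findings.append(classify(parse_set_cookie(header), response_host, page_host))
    return findings


def count_trackers(findings) -> int:
    """The 'N trackers' figure: third-party cookies set before any consent."""
    return sum(1 for f in findings if f["verdict"] == "consent-required")


# Constructed sample capture (not real sites, not real headers).
PAGE_URL = "https://www.example.org/article"
RESPONSES = [
    ("https://www.example.org/article",
     ["sessionid=abc123; Path=/; HttpOnly; Secure; SameSite=Lax"]),
    ("https://cdn.example.org/app.js",
     ["theme=dark; Max-Age=31536000; Path=/"]),
    ("https://ads.tracker-example.net/pixel.gif",
     ["uid=7f3a; Domain=.tracker-example.net; "
      "Expires=Wed, 16 Jan 2019 00:00:00 GMT; Path=/; SameSite=None; Secure"]),
    ("https://social-example.com/widget.js",
     ["_sid=xyz; Path=/"]),
]

if __name__ == "__main__":
    results = audit_pre_consent(PAGE_URL, RESPONSES)
    for f in results:
        print(f"{f['name']:<10} {f['host']:<22} {f['verdict']}")
    print("trackers before consent:", count_trackers(results))
```

On the sample capture the script reports two third-party cookies placed before consent, one first-party persistent cookie to review and one first-party session cookie. The interesting design point is the site boundary: a cookie's effective host is its Domain attribute if present, otherwise the host that sent it, and "third-party" is judged against the page's registrable domain, which is why a CDN on a subdomain of the page counts as first-party while the embedded social widget does not.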

"You could go crazy thinking of how unprivate our lives really are - ... the porous state of our Internet selves, the trail of electronic crumbs we leave every day." Susan Orlean

Cookies are just everywhere. Accepting legislation to block them is like tracking everyone on the internet because some people may have malicious intent (also known as pulling an NSA). It’s a disproportionate measure that doesn’t have the intended effects and doesn’t address the root cause.

A nonsensical law

Besides cookies being everywhere, the new directive had some problems regarding its execution. It was economically ignorant, technically illiterate and people didn’t know or care about cookies. On top of that, it was ill-defined. These are some hefty problems for a law aimed at protecting users from data greed.

The law was economically ignorant in that it didn’t account for the way the internet is financed. Google’s advertising revenue was $79.38 billion in 2016. As I stated before, a lot of websites depend on that advertising revenue. To deliver these advertisements optimally, Google tracks users as much as it can. On top of that, Google offers a free search engine, Gmail, Google Calendar and a whole host of other free services in order to collect data that helps it sell advertisements. The same goes for Facebook, Twitter and so on. Complying with the Cookie Law wouldn’t just mean losing income for your website; it would also mean ruining their whole business model. While tracking should be better regulated, removing it entirely doesn’t seem the right way to go.

What do you mean, no more cookies?

All of that aside, it doesn’t matter. Tracking nowadays can be done in many ways. You can block tracking ads and cookies, but there are more sophisticated techniques that don’t rely on storing any data. Browser fingerprinting is one of these, which uses data gathered from your browser to identify you quite reliably. You can test your own browser and see for yourself.

On top of that, JavaScript can also be used for tracking. The most famous example is the Facebook Like button, which comes with a script that communicates with Facebook’s services. Neither of these methods requires any data to be stored on the user’s device, so both bypass the Cookie Law altogether. This may be the best example yet of a technically illiterate law that could already be circumvented at its creation.

Then again, if the public wants it we should make it happen, right? A 2011 PWC survey found that only 13% of internet users fully understood cookies, in a sample that the authors report as overrepresenting internet-savvy users. The UK Information Commissioner’s Office (ICO), responsible for enforcing the Cookie Law, received only 195 concerns about cookies from April 2016 to March 2017. This number pales in comparison to the 167,018 concerns the ICO received about nuisance calls, text messages and emails. The general public simply doesn’t know and doesn’t care about the issue. Cookies are too unintrusive, and data collection too much of a behind-the-scenes operation, for anyone to take notice.

The final problem in breaking apart this law is that it was ill-defined. Without consent, I can place third-party social sharing cookies, but not analytical cookies. My social sharing service for Twenty of Time is AddThis, which gives me analytics as well. What do I do with that cookie? Is its primary purpose placing social sharing buttons or is it analytics? And where do you draw the line? What is the differentiating factor?

The directive also states, in its primary text, that functional cookies are allowed. These are the cookies essential to the user experience. Of course, they mean shopping cart and session cookies with it, but what if I make my cookies multifunctional? And how do you define something as a functional cookie? The Cookie Law raises more questions than it answers.

Is this a functional cookie?

Taking all that into account, I can state that the Cookie Law is poorly defined and unenforceable. It could already be circumvented at the time of publication, it didn’t take the financing of the internet into account and the public neither knew nor cared. It raised more questions than it answered and didn’t provide the clarity many had hoped for. It was stillborn.

Is there any hope?

With the General Data Protection Regulation (GDPR) on the horizon – it becomes active on the 25th of May 2018 – there may be something to look forward to. The GDPR doesn’t cover all topics from the Cookie Law, but it makes items such as consent more explicit. It’s a step in the right direction, but whether it proves enforceable is still to be seen.

The previous attempt by the European Union to regulate data collection was clearly a failure. With the right intentions, they managed to create a horrible law that addressed the wrong issues and even failed at doing that. Now that it’s 2017 and we’re all aware of the fact that cookies exist, it may be time to force data collectors into some more transparency on their data collection. Get it out in the open, be honest about what you do. That may be the only way to get a more privacy-aware society.