Why the cookie law is a bad idea

On May 26th, a new cookie law was introduced in the UK ^[1], which renders most UK websites illegal and might ultimately transform into an EU law. In short, the new law only allows websites to set cookies on a user's computer when the user explicitly consents. It was changed last minute to allow "implied consent" ^[2]. I am briefly going into some aspects of the cookie law and explain why it is a bad idea and does a bad job at protecting user's privacy. Many more reasons against the law can be found in a resource such as the "EU Cookie Law eBook" ^[3], which outlines problems with the cookie law.

How it looks like in practice

Notice the bar on top which "informs" the user about cookies and allows them to "continue":

It confuses internet users

The average internet user doesn't know about cookies and will be confused by the pop up. Let's see how the guidance ^[4] suggests to inform users about cookies:

In "Providing information about cookies", it says: "Long tables or detailed lists of all the cookies [...] may be the type of information that some users will want to consider." And "For most users it may be helpful to provide a broader explanation of the way cookies operate [...] on your website."

As a user of the site, why should I care about what cookies are technically required? Even if I understand the consequences of cookies, I am not going to read your cookie policy and I'm not interested in it. I don't have time to read about cookies on every single website.

Their sample warning dialog ("Website with header bar") reads as follows: "We use cookies to make your experience of our website better. To comply with the new e-Privacy Directive, we need to ask for your consent to set these cookies. [ I agree ] [ No thanks ] Find out more."

Not only is this pop up or status bar annoying, it also doesn't make any sense. For internet users, the text translates into: "Would you like a better experience of the website?" Yes, of course I want a better experience – why are you asking me this? There is no mention of the "downsides" of cookies.

The law is not effective

If the goal of this law is to protect the user's privacy or inform the user about cookies, then this law completely missed the mark.

• First of all, this law only applies to websites that implemented the policy. Why should I not be protected when I visit websites in foreign countries or websites that don't comply with the regulation?
• Secondly, even if the website claims it complains with regulations, I can't trust it. The website owner might have forgotten to disable services such as Google Analytics, and I still get the cookie.
• Also, the law allows setting cookies when the user consents to a specific action. For instance, when I log in to a website or add an item to the shopping cart, a cookie may be set. How long is this cookie valid? Should I see items in my cart, when I visit the website in a week? Even if the website owner describes it, the law doesn't give me control over this setting.
• There is no point in blocking session cookies, i.e. cookies that expire when you quit the browser. A website (even a third party) can most likely track you anyway. Your browser leaves a signature, consisting of your IP address, the user agent (which contains information about your operating system and the browser you're using) and more. This is already enough information to provide analytics. It just makes things harder for website owners, but not impossible. Other information about your computer might also be sent to the server, such as screen resolution or HTTP ETags ^[5] headers. This does not apply as much to persistent cookies, as your IP address is likely to change over time.

The actual concerns

I want to have control over cookie settings in my browser. Instead of a bar popping up every time I visit a website, I want to set my preference once. In my opinion there are two major concerns with cookies:

• Persistent cookies: Websites may set cookies that stay when I close the browser window and are likely to have an expiration date in a few years. I should have control over these cookie and be able to "downgrade" these cookies to session cookies, or limit their expiration date (e.g. expire in not more than one hour) if I'm concerned about tracking.
• Third party cookies: Third parties (e.g. advertisers) may place cookies on my computer. Some browser already block them by default, however you should note that third parties can track you anyway. For instance, by inserting a Facebook "Like" button, even if Facebook can't place a cookie on my computer, they already receive information about my browser and may be able to correlate this with my Facebook login.

Finding for a solution: A look at Chrome and Safari.

There needs to be an easy way to change cookie preferences in the browser (and other data that's stored on the visitors computer), and a sensible default choice.

Let's look at Chrome – one of the most popular browsers. Where are the cookie preferences?

Chrome → Preferences → scroll all the way down → "Show advanced settings..." → Privacy → "Content settings..." → Cookies

Easy enough? No one is going to look at these preferences.

Cookie preferences should be easy to manage. There should be a detailed explanation about cookies and a few easy choices that the user can select.

This is how the Chrome cookie dialog looks like:

Here's Safari's:

None of these dialogs explains what cookies are.

Chrome's dialog provides too many options for the average user and is confusing. For instance, when I allow data to be set for the current session, why is there a need for another option that clears cookies when I quit my browser? Safari's dialog doesn't give me control about limiting the expiration of persistent cookies.

How it actually should look like

The by default available choices should be as simple as:

• Allow websites to store data on my computer
• Only allow websites to store data on my computer for the current session

Everything else belongs to advanced settings. I don't see much point in explicitly limiting session cookies or third party cookies. The settings should apply to all types of data that are stored on the visitor's computer, including Flash cookies or local storage.

On top of that, how about a nice JavaScript API that allows websites to easily query the visitor's cookie setting, and display a standardized browser bar to permanently whitelist the site (similar to location services)? The use case for this would hopefully just be websites that actually require persistent data storage, such as a note-taking app that uses local storage to store notes offline.

References

1. Cookie law: websites must seek consent from this weekend: http://www.bbc.com/news/technology-18194235 (retrieved 2012-05-28)
2. Last minute Cookie law change towards 'implied consent' will fail: http://www.thedrum.co.uk/.../last-minute-cookie-law-change-towards-implied-consent-will-fail-says-legal-firm (retrieved 2012-05-28)
3. EU Cookie Law eBook: http://silktide.com/templatefiles/EU%20Cookie%20Law%20eBook.pdf (retrieved 2012-05-28)
4. Guidance on the rules on use of cookies and similar technologies: http://www.ico.gov.uk/.../guidance_on_the_new_cookies_regulations.ashx, via Stack Overflow (retrieved 2012-05-28)
5. HTTP ETags: http://en.wikipedia.org/wiki/HTTP_ETag (retrieved 2012-05-28)