Thomas Steinacher

Why the cookie law is a bad idea

On May 26th, a new cookie law was introduced in the UK [1], which renders most UK websites illegal and might ultimately transform into an EU law. In short, the new law only allows websites to set cookies on a user's computer when the user explicitly consents. It was changed last minute to allow "implied consent" [2]. I am briefly going into some aspects of the cookie law and explain why it is a bad idea and does a bad job at protecting user's privacy. Many more reasons against the law can be found in a resource such as the "EU Cookie Law eBook" [3], which outlines problems with the cookie law.

How it looks like in practice

Notice the bar on top which "informs" the user about cookies and allows them to "continue":

It confuses internet users

The average internet user doesn't know about cookies and will be confused by the pop up. Let's see how the guidance [4] suggests to inform users about cookies:

In "Providing information about cookies", it says: "Long tables or detailed lists of all the cookies [...] may be the type of information that some users will want to consider." And "For most users it may be helpful to provide a broader explanation of the way cookies operate [...] on your website."

As a user of the site, why should I care about what cookies are technically required? Even if I understand the consequences of cookies, I am not going to read your cookie policy and I'm not interested in it. I don't have time to read about cookies on every single website.

Their sample warning dialog ("Website with header bar") reads as follows: "We use cookies to make your experience of our website better. To comply with the new e-Privacy Directive, we need to ask for your consent to set these cookies. [ I agree ] [ No thanks ] Find out more."

Not only is this pop up or status bar annoying, it also doesn't make any sense. For internet users, the text translates into: "Would you like a better experience of the website?" Yes, of course I want a better experience – why are you asking me this? There is no mention of the "downsides" of cookies.

The law is not effective

If the goal of this law is to protect the user's privacy or inform the user about cookies, then this law completely missed the mark.

The actual concerns

I want to have control over cookie settings in my browser. Instead of a bar popping up every time I visit a website, I want to set my preference once. In my opinion there are two major concerns with cookies:

Finding for a solution: A look at Chrome and Safari.

There needs to be an easy way to change cookie preferences in the browser (and other data that's stored on the visitors computer), and a sensible default choice.

Let's look at Chrome – one of the most popular browsers. Where are the cookie preferences?

Chrome → Preferences → scroll all the way down → "Show advanced settings..." → Privacy → "Content settings..." → Cookies

Easy enough? No one is going to look at these preferences.

Cookie preferences should be easy to manage. There should be a detailed explanation about cookies and a few easy choices that the user can select.

This is how the Chrome cookie dialog looks like:

Here's Safari's:

None of these dialogs explains what cookies are.

Chrome's dialog provides too many options for the average user and is confusing. For instance, when I allow data to be set for the current session, why is there a need for another option that clears cookies when I quit my browser? Safari's dialog doesn't give me control about limiting the expiration of persistent cookies.

How it actually should look like

The by default available choices should be as simple as:

Everything else belongs to advanced settings. I don't see much point in explicitly limiting session cookies or third party cookies. The settings should apply to all types of data that are stored on the visitor's computer, including Flash cookies or local storage.

On top of that, how about a nice JavaScript API that allows websites to easily query the visitor's cookie setting, and display a standardized browser bar to permanently whitelist the site (similar to location services)? The use case for this would hopefully just be websites that actually require persistent data storage, such as a note-taking app that uses local storage to store notes offline.


  1. Cookie law: websites must seek consent from this weekend: (retrieved 2012-05-28)
  2. Last minute Cookie law change towards 'implied consent' will fail: (retrieved 2012-05-28)
  3. EU Cookie Law eBook: (retrieved 2012-05-28)
  4. Guidance on the rules on use of cookies and similar technologies:, via Stack Overflow (retrieved 2012-05-28)
  5. HTTP ETags: (retrieved 2012-05-28)

Comments? Email me at .

↩ Back to homepage