Release the Cookie Monster?

on 5th May 2012

(Last updated 11th March 2016)

Release the Cookie Monster?

It’s unlikely you’ve been asked the above question before now or, at least, not on a regular basis.  Come May 2012 however, the EU Cookie Directive could make this or similar questions a regular staple to our everyday web browsing. 

The Directive in question is part of the Privacy and Electronic Communications 2003 (incorporated into UK regulations as part of the Data Protection Act 1998), enforceable from the end of May 2012. The Directive provides that EU Member States must ensure that the use of electronic communications networks used to store information in a visitor's browser is only allowed if the user is provided with “clear and comprehensive information… and has given his or her consent”. In essence, this would mean all users before arriving on a website homepage must give their consent to allow their information to be stored. This stored information refers in particular to the use of Internet cookies.

A cookie is a small file, typically of letters and numbers, downloaded on to a device when the user accesses certain websites often to allow a website to recognise a user’s device. The Information Commissioners Office (ICO) has provided some guidelines on the directive and draws our attention to the three main cookies in use today:

  • Session cookies that allow websites to link the actions of a user during a browser session.
    They may be used for a variety of purposes such as remembering what a user has put in their shopping basket as they browse around a site. They could also be used for security when a user is accessing Internet banking or to facilitate use of webmail. These session cookies expire after a browser session so would not be stored longer term. For this reason session cookies may sometimes be considered less privacy intrusive than persistent cookies.
  • Persistent cookies
    are stored on a user's device in between browser sessions, which allows the preferences or actions of the user across a site (or in some cases across different websites) to be remembered. Persistent cookies may be used for a variety of purposes including remembering user’s preferences and choices when using a site or to target advertising.
  • First and third party cookies.
    Whether a cookie is first or third party refers to the website or domain placing the cookie. First party cookies in basic terms are cookies set by a website visited by the user - the website displayed in the URL window. Third party cookies are cookies that are set by a domain other than the one being visited by the user. If a user visits a website and a separate company sets a cookie through that website this would be a third party cookie.

Of the types of cookies above, there are some that could potentially capture data that identifies an individual and it’s this ‘privacy intrusive’ information that the directive, along with data protection, is truly targeting. By requiring websites to gain consent from their users prior to arriving on the homepage, the process becomes an informed ‘opt-in’ system, placing the onus on the user to agree to share this information or not. Currently we use an ‘opt-out’ system where by default websites can use cookies to store information until you tell it otherwise (in your browser settings or links in websites privacy policies).

The importance of gaining informed consent before handing over personal information is obvious – but how to ensure the user is given “clear and comprehensive information” enough to understand what they are agreeing to? Therein lies the rub. 

The definition of an individual cookie type may even be lost to those of us in the trade; but most of us will know at least what a cookie is. This however, is not the case when it comes to the general public – and this is (along with data protection) underpins and motivates the legislation. 

Research commissioned by the UK’s Department for Culture, Media and Sport (link found that: 

  • 41% of those surveyed were unaware of any of the different types of cookies (first party, third party, Flash / Local Storage). Only 50% were aware of first party cookies.
  • Only 13% of respondents indicated that they fully understood how cookies work, 37% had heard of internet cookies but did not understand how they work and 2% of people had not heard of internet cookies before participating in the survey.
  • 37% said they did not know how to manage cookies on their computer.

Educating users should generally be a high priority for everyone. This doubly so in the realms of data protection where media hype often whips issues of privacy into an outpour of public fervour. Making users aware of what cookies are and what they do informs the user and removes potential trepidation. 

This is all admirable work, the directives ethical aims are clear – but the ICO guidelines on how to practically conform to the regulations are left purposefully and vaguely open. The ICO guidance gives little specific direction as to not stifle future technology – but at the very least points out the simplest options of gaining informed consent, a landing page or large box that explains to users what cookies are used on the site, also giving the opt-in or out options. 

It’s at this point that the tearful wails of usability experts and designers can be heard in the not so far distance. Many years of development, research, creativity and money have gone into making web browsing an intuitive, boundless experience. If you remove the moral motivation behind the directive, what we’re left with is a series of ‘mini barriers’ to entry on every website. Worse still, even when presented with clear ‘friendly’ information, some people remain less blasé than the rest of us when clicking ‘I agree’ online. To those people, the very mention of the word ‘privacy’ may send our potential customer running, possibly even driving them into the arms of a non-EU cookie regulated competitor.  

Organisations like the Digital Advertising Alliance (DAA) are already working to promote cookie/web knowledge - you may have already seen some Google banner advertisements have a “why this ad?” link that explains why that ad is showing specific to you. This will increase knowledge but will take time to raise public awareness to ‘useful’ levels. 

Until common knowledge catches up with technology – this is how the EU has decided to proceed. We’ve been left with a completed puzzle and a new piece that has to somehow fit in, the implementation of which, squarely dumped on the web design agencies lap.  Conceptually the directive is sound but the lack of practical solution combined with the ambiguity surrounding specific topics leaves much uncertainty - a good example of which is Google Analytics (GA). Until recently, if you read the law verbatim, you could interpret GA as a cookie type that would require gaining explicit consent. However the ICO guidelines implies that while this is true, its unlikely that action would be taken against a website using GA – directing us again to the level of intrusive information collected as the key indicator as to whether explicit consent is required.    

The one certainty to come out of the ICO guidance is that if you’re an organisation whose departments heavily rely on capturing potentially intrusive information for marketing, sales, analytics and CRM purposes, you must gain informed explicit consent in some form from all website visitors and have that solution in place for May 2012. 

True solutions to this issue have been made mention of in the guidance, such as but being able to set your web browser for all your privacy settings, no matter the website you visit. But this requires collaboration with the likes of the EU and Google, who in the past haven’t exactly seen eye-to-search engine. 

Until then, all sites as a matter of good house keeping (even if not for the directive) should audit the cookies used on their sites – based on the level of intrusive information act accordingly – update privacy polices to reflect cookies used on site, raise the profile of this information on your homepage and if required, implement consent ‘checking’ solutions. 

Will the ‘cookie monster’ crumble under the strain of industry negativity and fail? No, it won’t. Its not going to go away so website owners and designers will have to take precautions and implement changes where they can. As to what will constitute breaches in specific circumstances, only time and precedent will tell. The key is to be seen as being proactive.

Here are some good examples of implementation from around the web.