Cake or Death?

A month since the EU cookie rules came into force, Milena Popova looks at the good, the bad and the complete misses in ‘consent’ implementation, and some helpful tips on managing your cookies.

Image: CC-BY-ND 2.0 Flickr: Kari C

At the end of May this year, new EU rules on cookies came into force. We are not talking the chocolate chip variety here, but the small chunks of seemingly-random text which websites save on your computer as you browse the web. These little files enable basic functionalities like online shopping or setting your language preferences, but they can also be used to identify you and track your browsing across multiple sites. This allows, for instance, advertisers to build up detailed profiles of your interests and behaviour to better target their ads. Most internet users are only vaguely aware of cookies, what they do or how they work.

The new rules are part of the EU e-Privacy directive, which members states needed to implement into national law by May 2011. Most member states failed to meet the deadline and are still lagging behind. The UK implemented the Directive in time but then gave website owners a year to ensure compliance with the new regulations. Since May 26th this year, however, UK websites have to obtain their users’ consent before they set cookies on their devices. The original guidance was that consent had to be actively given (e.g. by ticking a box), which led to some very frantic action and widespread predictions of a cookiepocalypse in the tech industry in the weeks leading up to the implementation deadline. Then, at the last minute, the Information Commissioner’s Office updated its guidance to state that “implied consent” was an acceptable option in some, if not most, cases.

So a month into the cookiepocalypse, what’s the state of play? Certainly for the first couple of weeks I found it quite easy to keep a mental tally of how many websites were even attempting to comply with the new legislation. The first site I spotted doing to was Yes Scotland, the campaign for a yes vote in the upcoming Scottish independence referendum. There is a warning triangle in the bottom right-hand corner of the screen which takes you to their privacy policy. That then explains what cookies are and how to turn them off in your browser settings if you want to. The implementation is ugly, but you’ve got to give them credit for trying.

Over the last week or so I’ve seen more and more sites trying to comply, to the point where I have now stopped counting. This is a good thing, though how these sites have chosen to implement cookie compliance is less good. Most seem to be going for the “implied consent” - or what I call a “cake or death” approach. Here’s an example from the Guardian:

 

 

The “Find out more” link does take you to a more detailed explanation and, again, instructions on how to turn cookies off in your browser, but at first glance this is very much an “if you don’t like it you don’t have to read our site” situation.

The Information Commissioner’s Office website is slightly better in this regard, in that it asks you to actively tick a box accepting cookies before it will set any on your device:


The downside of course is that if you don’t consent to their cookies, the box stays at the top of the page forever - not a huge issue on a decent-sized screen but on a netbook, tablet or mobile this is annoying.

A couple of implementations I’ve seen have bordered on the farcical, including the “If you don’t accept cookies, please let us set a cookie to say so” approach (which does avoid the persistent box at the top of the screen problem) and the Information Commissioner’s very own cookie guidance video which comes with the warning that “playing YouTube videos sets a cookie”. Informed consent this is not.

My favourite approach so far comes from Toyota UK. They split cookies into three different categories (vaguely corresponding to the four categories used by the EU), provide clear explanations of what they are used for, and allow you to individually turn each category on or off. Have a cookie, Toyota:

If at this point it’s all becoming a bit much and you just want to go and consume some baked goods, here are just a couple of final thoughts and tips. I do think that the new cookie rules are raising awareness of the issue among the general public. Even if a lot of people aren’t bothering to click the “find out more” links, some are, and explanations are now written in much more understandable language. Where explicit consent is required (e.g. the ICO’s website), early evidence suggests that most people prefer to opt out of cookies. These are very positive developments for individuals’ privacy, although of course we could always do better.

If you are concerned about cookies and trackers, there are a few things you can do. Learn to control the cookie settings on your browser - the Guardian’s website has links to instructions for most common browsers. You can also find out who’s is tracking your browsing and how. If you’re using Firefox, the Collusion add-on will help you track the trackers and build up a picture of who knows what about you. Additionally, Ghostery can help you block cookies and trackers you don’t want. So even if most websites are behind on complying with the law, there are plenty of easy-to-use tools at your disposal to regain control of your privacy.

 

 Milena is an economics & politics graduate, an IT manager, and a campaigner for digital rights, electoral reform and women's rights. She is also a member of ORG's board and continues to write for the ORGzine in a personal capacity. She tweets as @elmyra