Almost every major website you visit today pops up a banner to warn you that it uses “cookies.” This is not legally required in the U.S., or in most other places, and where it is required, the vast majority of sites do not comply with the legal requirements. From a policy perspective, cookie pop-ups are just dumb: (virtually) no one reads them. There are vastly better ways to deal with the issue they present, both legally and from a site usability perspective.
First, no current U.S. law requires cookie pop-ups. Some sites that are available in the European Union are required to post them, namely sites that use so-called “tracking cookies.” I discuss below a recent EU case that makes this issue even worse than one would have originally thought.
Second, an anecdotal review of websites shows that the vast, vast majority of them (in my experience, every one of them that is a “U.S.” site) utterly fail to comply with the so-called EU “cookie law.” Why? Because they store the cookie before consent (which the cookie law does not permit) and then simply state, “This site uses cookies,” with an “OK” button (and/or an X to close the pop-up) and a link to the privacy policy. See, for example, www.abajournal.com which, as of the date of this post, provides only an OK button and a link to the privacy policy, with no option to reject or manage the cookies. Just a useless and legally insufficient user interface distraction.
Finally, except in very limited cases, these cookie pop-ups do not in any way increase user privacy protection. Why? Even if a site does comply with the notice and consent requirements, it is not legally required to provide the service to a user who declines tracking cookies. The site can simply withhold functionality. So in many cases it's not really a choice: the choice is either not to use the site or to consent to tracking. This is made worse because many governments and third parties use these sites for information dissemination. A truly privacy-focused law would at least require that the site function for a person who elected no tracking.
The whole cookie problem was started by our friends in Europe when they promulgated the ePrivacy Directive 2002/58/EC. However, no U.S. company really started focusing on compliance with the “cookie issue” presented in the ePrivacy Directive until the European Union's General Data Protection Regulation (GDPR), Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, came into effect. The GDPR applies in Europe, not in the U.S.; however, so many U.S. companies either do business in, or could ostensibly be regulated by, EU member states that they attempt to comply with both U.S. and EU law.
Many “cookies,” the ones necessary to actually operate a website, are “exempt”: they need not be identified and are not subject to consent. However, sites that use tracking cookies and other tracking technology, even ones that collect only anonymized data, are required under EU law to obtain prior consent before even storing the cookie or other technology that allows such tracking.
In my opinion, this system has been an utter failure in policy and actual impact. It has not stopped companies from incessant user tracking. The companies that rely on user tracking have the power to force the choice of “allow tracking” or do not use the service. The privacy policies remain mostly unintelligible, or at the very least it is all but impossible to tell exactly what tracking a company does, primarily because they either disclose only the types of tracking or disclose so excessively that the cookie disclosure is indecipherable.
But the EU is doubling down on the concept . . .
In a recent decision (File number: DOS-2019-0137) of the Dispute Chamber of the Data Protection Authority of Belgium issued 2/2/2022, that regulator held that the “pop up” framework of the European arm of the Interactive Advertising Bureau (IAB), used by most of its members and intentionally designed to comply with the GDPR, in fact did not comply. The decision is lengthy (my machine-translated English version is 139 pages long) and will undoubtedly be appealed. As an overview, IAB created a real-time bidding system (RTB), an automated system of bidding for advertising. This is their framework in the U.S. and many other countries, but in Europe they created the “Transparency and Consent Framework” (TCF). At issue in this case was a subset of the TCF, which the Board described as follows: “Specifically for the TCF, there are also the companies that offer so-called ‘Consent Management Platforms’ (CMPs). Specifically, a CMP takes the form of a pop-up that appears on the first connection to a website to request permission from the internet user to collect cookies and other identification data.” Para. 40 (Note: all English translations here are machine-created by Google’s translation service). The original decision in Dutch is here (and I can post the English translated version if someone requests it): https://www.gegevensbeschermingsautoriteit.be/publications/beslissing-ten-gronde-nr.-21-2022.pdf.
The basic idea is that IAB manages a “consensu” cookie that indicates whether the web user has already consented to (or rejected) cookies. So a participating site would somehow take information from a user’s initial browser session, send it off to IAB, and IAB would send back a text string indicating whether that user had already consented to accept cookies or not. If not, a “cookie pop up” would be presented to the user. The Board found that the IAB maintains a database of users and preferences, which can be used “in order to create an advertising profile of data subjects and to show them personalized advertising.” Para. 50. It therefore concluded that the IAB was a data controller (a point the IAB disputed). From this point forward the Board essentially found nearly every conceivable violation of the GDPR that could be found. Among them, that “IAB Europe [] failed to observe the principles of due regard for transparency and fairness with regard to data subjects,” in part because some of the information that can be sucked up into the preference model includes “special categories of personal data … For example, participating organizations could become acquainted with the websites previously visited by a data subject, from which the political opinions, religious or philosophical beliefs, sexual orientation, health data or trade union memberships of the data subjects could be inferred or disclosed.” Para. 51. It also found the IAB’s privacy policy insufficient because, among other reasons, it was only available in English and used unclear, vague terms like “services” and “other means.” Para. 54. It also did not like that the terms “partners” and “third parties” were not explained sufficiently.
To me this is just evidence that no one really understands the law, or that the regulators think it says one thing and the industry thinks it says another. Not good either way. But after that decision, it seems all but impossible to operate a centralized “cookie consent” service; or, to comply, the service would have to be so intrusive as to make the web experience intolerable.
The solution? In my view, just stop with the cookie pop-ups. They are stupid and ineffective. Enact a law that requires a service to respect the Do Not Track signal from a browser (currently entirely voluntary) and not to store any tracking cookies, clear GIFs or other trackers, and require that a site not “discriminate” against users who elect no tracking: basically, provide all functions to users whether they consent or do not consent. I would also prohibit any government organization from using a site that tracks users as a service for information dissemination.
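What honoring that signal looks like in server code, as an added example that is not part of the original post: a small Node.js handler that treats a `DNT: 1` request header (and, going beyond the post, the newer `Sec-GPC: 1` Global Privacy Control header) or the absence of a recorded consent decision as a reason to drop every non-essential Set-Cookie header, while returning exactly the same page either way. The cookie names, the essential/tracking classification and the `cookie_consent` cookie format are assumptions for illustration, and the code relies on Node's http module delivering incoming header names in lowercase.

```javascript
// Added example (not from the post): gate non-essential Set-Cookie headers on the
// browser's opt-out signal and on recorded consent, without changing the page served.
// Assumptions: cookie names, the essential/tracking split and the consent cookie
// format are illustrative; request header names are lowercase as Node's http module
// delivers them.

// Cookies strictly necessary to operate the site: exempt from consent.
const ESSENTIAL_COOKIES = new Set(["sessionid", "csrftoken", "cookie_consent"]);

// Name portion of a Set-Cookie header value, e.g. "tracker_id" from "tracker_id=...; Path=/".
function cookieName(setCookie) {
  const eq = setCookie.indexOf("=");
  return (eq === -1 ? setCookie : setCookie.slice(0, eq)).trim();
}

// Consent recorded in the request's Cookie header: "granted", "denied" or "none"
// (never asked, or an unrecognised value).
function consentFromRequest(cookieHeader) {
  for (const part of (cookieHeader || "").split(";")) {
    const eq = part.indexOf("=");
    if (eq === -1) continue;
    if (part.slice(0, eq).trim() !== "cookie_consent") continue;
    const value = part.slice(eq + 1).trim();
    return value === "granted" || value === "denied" ? value : "none";
  }
  return "none";
}

// Browser opt-out: DNT: 1 (the signal the post refers to) or Sec-GPC: 1 (Global Privacy Control).
function browserOptedOut(headers) {
  return headers["dnt"] === "1" || headers["sec-gpc"] === "1";
}

// Tracking cookies may be set only when there is no opt-out AND consent was previously recorded.
// Absence of a decision is not consent: nothing non-essential is stored before the user chooses.
function trackingAllowed(headers) {
  return !browserOptedOut(headers) && consentFromRequest(headers["cookie"]) === "granted";
}

// Drop every Set-Cookie header that is neither essential nor currently permitted.
function filterSetCookies(headers, setCookies) {
  const allowed = trackingAllowed(headers);
  return setCookies.filter((sc) => ESSENTIAL_COOKIES.has(cookieName(sc)) || allowed);
}

// Same status and body whatever the visitor chose: declining tracking must not degrade the service.
function handle(headers) {
  const wanted = [
    "sessionid=9f2c1e; Path=/; HttpOnly; Secure; SameSite=Lax", // essential (constructed value)
    "tracker_id=u-48213; Path=/; Max-Age=63072000; Secure; SameSite=None", // hypothetical tracking cookie
  ];
  return {
    status: 200,
    body: "<html>full site, all features</html>",
    setCookie: filterSetCookies(headers, wanted),
  };
}

// Stand-alone run: three constructed visitors, identical page, differing cookies.
if (typeof require !== "undefined" && require.main === module) {
  for (const headers of [{ dnt: "1" }, {}, { cookie: "cookie_consent=granted" }]) {
    console.log(JSON.stringify(headers), "->", handle(headers).setCookie);
  }
}
```

The ordering of the checks is the point: the opt-out header wins even over a previously recorded "granted", and a visitor who has never been asked gets the essential session cookie only, which is the opposite of the store-first, ask-later behaviour described above.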