Nobody Likes Cookie Pop-Ups: Browser-Based Consent and the ePrivacy Regulation

The ePrivacy Regulation proposals have been public for a few weeks now, and there appear to be some far-reaching changes ahead if it’s adopted as is, with minimal changes.

The one provision that seems to be attracting the most attention right now is Article 10 and the role that browsers might play in obtaining consent for cookies and other types of online tracking.

Essentially, Article 10 says that consent, or the lack thereof, can be given through the settings of a browser. For this to work, browsers must provide adequate settings and controls for users to make genuine privacy choices. They will also be required to make sure that users not only engage with these controls when they first set up their browser, but also be reminded of their ability to change settings, in unbiased language, no less than every six months.

The motivations for this can be neatly summarized as “Nobody likes cookie pop-ups” – not users, not site owners, and now, not regulators. When the draft was first published, there was widespread celebration of the impending death of the cookie banner that the EU has dealt with for the last 5+ years.

Besides the issue of why people don’t like cookie pop-ups (which would necessitate an entire article by itself), it seems important to ask two key questions:

  1. Does this law change mean the end of the cookie banner?
  2. If so, will that be a good thing for site owners?

The short answer to the first question is: “Maybe, but probably not in the short term,” and here are several reasons why:

First, current browser controls over cookies are blunt instruments, and not aligned to the wording of the Regulation.

The requirements for consent, and its exemptions, are largely defined by the purpose of the cookie. Purpose is something that is in no way encoded in cookies, and is therefore not something directly understood by the browser. Browser controls are based on the technical attributes of a cookie, namely whether it’s first or third party, and whilst privacy concerns are broadly aligned to this distinction, this is not always the case.

For example, a third-party cookie may be used in security and fraud detection services, which might be vital to the safe operation of a site, such as in e-commerce transaction processes. Blocking third-party cookies across the board will potentially make a service less safe in that instance. Similarly, on-site profiling in large web properties can be done with first-party cookies in a way that people might object to, but simply blocking first-party cookies tends to make a lot of sites unusable. For example, you cannot log in to a site if first-party cookies are blocked.

Relying purely on browser controls as they are currently configured is not fully effective in delivering privacy to those who want it. Nor does it accurately reflect a user’s consent, or withdrawal of consent, for the different types of processing that technically similar but functionally distinct cookies might enable.
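The gap described above can be shown in a few lines. This is an added example, not code from the article: it parses constructed `Set-Cookie` headers from one page load and applies a party-based policy, which is all a browser control can key on. The hostnames, cookie names, purpose labels and the two-label `site()` shortcut are assumptions made for illustration.

```javascript
// Constructed sample: one page load on www.shop.example. The "purpose" field is
// the site owner's knowledge; it appears nowhere in the Set-Cookie header itself.
const PAGE_HOST = 'www.shop.example';
const RESPONSES = [
  { host: 'www.shop.example', purpose: 'login session',
    setCookie: 'session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax' },
  { host: 'www.shop.example', purpose: 'on-site profiling',
    setCookie: 'segments=s17.s42; Path=/; Max-Age=31536000; Secure' },
  { host: 'risk.payments.example', purpose: 'fraud detection',
    setCookie: 'device=9f2c; Path=/; Secure; SameSite=None' },
  { host: 'ads.tracker.example', purpose: 'cross-site advertising',
    setCookie: 'uid=7781; Path=/; Max-Age=31536000; Secure; SameSite=None' },
];

// Parse a Set-Cookie value into its name and attribute names (all the browser gets).
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const name = pair.slice(0, pair.indexOf('='));
  const attributes = attrs.filter(Boolean).map((a) => a.split('=')[0].toLowerCase());
  return { name, attributes };
}

// Simplified "site": last two labels. Real browsers consult the Public Suffix List.
function site(host) {
  return host.toLowerCase().split('.').slice(-2).join('.');
}

// Apply a party-based policy: 'allow-all', 'block-third-party' or 'block-all'.
function evaluate(policy, pageHost = PAGE_HOST, responses = RESPONSES) {
  return responses.map((r) => {
    const { name, attributes } = parseSetCookie(r.setCookie);
    const party = site(r.host) === site(pageHost) ? 'first' : 'third';
    const blocked = policy === 'block-all' ||
      (policy === 'block-third-party' && party === 'third');
    return { name, purpose: r.purpose, party, attributes, decision: blocked ? 'block' : 'allow' };
  });
}

for (const policy of ['block-third-party', 'block-all']) {
  console.log(policy);
  for (const c of evaluate(policy)) {
    console.log(`  ${c.decision.padEnd(5)} ${c.party}-party ${c.name} (${c.purpose})`);
  }
}
```

Under `block-third-party` the fraud-detection cookie is dropped while the first-party profiling cookie is kept; under `block-all` the login session goes too. No policy expressed in terms of party can separate the cookies by purpose.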

Secondly, browser controls are mostly limited to cookies and other similar forms of local data storage and retrieval. Therefore, they are ineffective if a user wishes to prevent certain activities, like profiling, which can be done via non-standard, non-cookie based methods.

A good example of this is web pixels or web beacons, which are just third-party images that are encoded in such a way as to allow tracking. A browser cannot easily distinguish between an image that is beneficial to the user and one that is a privacy risk in this context. Various fingerprinting methods of tracking would similarly be undetectable by the browser, which would therefore be unable to act reliably on behalf of a user who would choose to prevent such tracking if they could.

It’s important to note that the current ineffectiveness of browsers is not the fault of browser makers. They work to agreed standards, which are enabled through multi-stakeholder consensus, and regularly take years to be agreed upon and implemented. When dealing with deeply technical issues, this is standard procedure, but the problem is that privacy issues usually move at a much faster pace than standards (or the law) can.

Interestingly (at least from a cookie geek’s point of view), as early as 1997 there was a draft standard that, for privacy reasons, called for the purposes of cookies to be encoded directly into them. This would have enabled browsers to truly achieve what EU regulators are now asking from them in a robust way, but for many reasons, this requirement never saw the light of day.

Let’s say that these technical issues can be magically resolved by May 2018, and the browser becomes the prime interface for users to control their online privacy in an effective way without invading the user experience the way cookie pop-ups inevitably do. Would that be a good thing for website owners?

It stands to reason that it would not, simply because it reduces the ability of the website to either influence the user to adjust their settings in the site owners’ favor, or to create a competitive advantage by having a stronger relationship of trust based on a more privacy-centric approach.

In the last few years, privacy concerns have become headline news like never before. More and more web users are seeking out privacy solutions in one form or another. If browser controls make strong privacy tactics an essentially invisible feature in everyday use, but are still reminding people to activate them, it stands to reason that even larger numbers of website visitors are going to trade up to the strongest settings available.

Ultimately, if a browser blocks tracking activity – which is beneficial to the site owner’s business – the site owner may never know, which means that their business will suffer, users will assume that the site owner is trying to track them for unknown reasons, and the site owner won’t have the opportunity to persuade them of their trustworthiness.

If, on the other hand, the privacy controls are on the site itself, a site owner can make a case to change minds while being respectful of the choices their visitors make. It presents a great opportunity to engage directly on the issue of trust, which any marketer knows is both difficult to win and valuable to maintain.

The celebrations of many who are looking forward to the demise of the cookie pop-up will prove over the coming months to be not only premature, but also potentially problematic, as they are missing the bigger picture on the value of privacy as a tool of trust and competitive differentiation.