The EU cookie directive — unnecessary and futile, but it’s the law


On the 26th May, Arti­cle 5(3) of the Direc­tive 2002/58/EC of the Euro­pean Par­lia­ment and of the Coun­cil of 12 July 2002 con­cern­ing the pro­cess­ing of per­sonal data and the pro­tec­tion of pri­vacy in the elec­tronic com­mu­ni­ca­tions sec­tor (amended Decem­ber 25th 2009) — more commonly known as the EU cookie directive — will come into force in the UK. This seemingly innocent bit of EU legislation purports to be for the benefit of all web users in the European Economic Area, however I believe all it has done is give government departments yet another piece of pointless legislation to monitor and add an unnecessary burden on website owners.

I don’t disagree with the principle that lies behind the directive — I’m sure the politicians and civil servants behind the legislation were well-meaning — but I (along with many others) don’t believe that it will have the slightest impact on the problem it aims to solve. The EU conducted some research that showed that a large number of web users were unaware of what cookies were, or what they were used for. The solution, as far as the EU was concerned, was to compel website owners to ask for explicit permission before downloading cookies to a user’s browser.

In the UK the directive was introduced as a change to Regulation 6 of the Privacy and Electronic Communication Regulations 2003, and became law last May, but ensuring compliance was deferred for a year to allow businesses to prepare. The Department of Culture, Media and Sport (DCMS) was charged with handling the introduction of the legislation and the Information Commissioner’s Office was given the task of ensuring compliance. Guidance from the ICO about what would constitute compliance was slow in coming — the first compliance information didn’t appear until sixteen days before the directive was due to become law. In addition, the initial guidance was vague and gave website owners little by way of actionable steps.

Since last May the guidance has become somewhat clearer, but still offers few hard and fast rules to follow. What is clear, however, is that a Privacy Policy link or message on the landing page stating that a site uses cookies, and by accessing the site a users agrees to accept them, will not fulfil the requirements of the new law. To comply with the law, no cookie can be downloaded to the user’s computer before they have given their explicit permission — if, upon landing on a webpage, a cookie is automatically downloaded before the user has accepted it, that site will contravene the law. The only exception is if the cookie(s) are deemed essential to the functionality of the site. Therefore, web developers will have to implement solutions that prevent the download of cookies until after the user has indicated their acceptance of them.

On the surface this may not seem like a bad idea, but it doesn’t get to the root of the problem — web users lack of understanding about cookies. Last week, eDigitalResearch in association with IMRG, published a report that showed that 8% of users (from a sample of 2,000) had not heard of cookies before, 9% did not know they could disable cookies in their browser settings, and 33% of respondents believed that cookies could be used for transmitting viruses and trojans. Clearly, with such high levels of consumer ignorance about cookies, web users need to be be better educated about the technologies and services they use everyday.

A telling figure from the eDigitalResearch report is that 75% of users have not heard of the cookie directive, which would suggest that, if one of the purposes of the legislation is to raise awareness of cookies amongst users, it’s failing miserably in that task. Admittedly, the law hasn’t yet come into force, but with only a few weeks to go before it does, there seem to be only a small percentage of websites that currently comply, and I have heard from friends and family who have encountered various compliance solutions, that those solutions only serve to annoy users rather than educate them. Most people loathe pop-ups or banners appearing on top of web pages, and when unexpectedly presented with a box or window that requests the user accept or decline something, the default response appears to be to decline — usually with only the most cursory inspection. If the majority of users decline a request without going through to read more about how a site uses its cookies, how are users going to become better educated about the issue?

More worrying for website owners is the likely impact on web revenues. QuBit Digital conducted some research recently that suggested that poor implementation of the directive could have a potential cost to the UK economy of more than £10 billion. The report’s authors estimated that repeated requests for cookie acceptance could discourage new visitors and result in a loss of custom to the tune of £2.6 billion. They also identified a potential hit to the marketing and advertising industrires of well over £2 billion. When one considers that the Internet is predicted to generate around 20% of the UK’s GDP by 2016, the potential for this law to negatively hit Britain’s bottom line is significant.

Another concern for both website owners and those of us in the design and development community (a not insignificant sector of the nation’s economy) is the impact it will have on gathering site metrics. One of the most widely used website analytics packages is Google Analytics (estimated to run on 90% of websites). Google Analytics depends on cookies for its functionality, but under the terms of the UK regulation, analytics cookies are (according to the ICO) deemed non-essential. If analytics cookies cannot be downloaded to a users machine until they have given their explicit permission, and large numbers of users refuse to accept cookies, there is a good chance that data gathered by Google Analytics and similar products will be highly inaccurate. When the ICO tested a solution provided by CIVIC, only 10% of users opted in to the service. Metrics that account for only 10% of a site’s visitors are not going to prove very effective — and for sites with low traffic levels, will be next to useless.

The problem is that comprehensive site analytics provide website owners with the information they need to evolve and improve their sites to better serve the needs of their users. At Tribus we use Google Analytics to help us make decisions for almost every aspect of a website’s design — navigation structure, calls-to-action, layout, functionality, browser optimisation, device optimisation, audience demographics etc. If website owners are denied this information, ultimately their sites will serve their visitors less well. This fact has been noted by the Government’s own digital service in its Cookies Implementers Guide in which it states:

The use of metrics are integral are to departments’ being able to provide the best possible user experience in order to encourage citizens to use more cost-effective channels for accessing government services… Consequently, collecting these metrics are essential to the effective operation of government websites, at present the setting of cookies is the most effective way of doing this.

It seems to me that this directive is yet another example of bureaucrats and politicians devising laws from a position of ignorance without fully understanding the consequence of the legislation. Just as the SOPA and PIPA bills came out of the US Congress as a result of knee-jerk responses to one-sided and superficial research, the cookie directive is a sledgehammer approach to the nut. Had more in-depth consultation taken place with people who actually know something about the way the internet works, and work in those trenches everyday, a more balanced, workable and successful solution would have emerged. I believe the end result of this poorly considered legislation will be fewer websites that actually deliver what users want, poorer web user experiences, and web users’ collective knowledge about cookies increasing not one iota. But hey, it’s the law and, until a better solution comes along, we have to deal with it. But it doesn’t mean we have to like it.

For a comprehensive guide to the cookie directive, visit this link. And if you’re a website owner, and haven’t yet addressed the issue, get in touch with my agency — we’ll be happy to help.

Photo by: Derek Gavey (Flickr)

About the Author

Nick Irons

Twitter Google+

Nick Irons is Co-founder and Creative Director of Tribus Creative Ltd., a brand communications company for small businesses. He spent almost fifteen years in the entertainment industry as a writer, producer, and performer, before moving into branding and design consultancy. He is a fervent believer in the power of storytelling to unlock the value in brands both big and small.

Leave a Reply

Your email address will not be published. Required fields are marked *