The EU's cookie monster

This May marked the end of an amnesty by the Information Commission Office (ICO) on enforcement of the EU Cookie Directive. It requires all website owners to update their content to request the viewer’s permission to use cookies. While ‘essential’ cookies are exempt, this doesn’t include cookies that track usage or allow targeted advertising, which are critical to improving the user’s experience (through methods such as A/B Testing). This compromises the ability of firms to provide services that people want, and to do so free of charge.

What this law won’t catch is those who actually mean to do harm. The online community already counters those who would genuinely seek to misuse cookies more quickly than a government agency could shut down a server. The usefulness of cookies to do harm is also limited, and by telling people it is cookies they should be concerned about shifts very real concerns about using the internet safely away from genuine threats.

Meanwhile well-meaning service providers break the law without even realising it. The ICO’s own video to publicise the change has less than 10,000 views, while over 175,000 new .uk sites were registered in May alone. Providers simply aren’t aware that the technology they put in place to improve their products is making them criminals.

In practice, the law means only that users will be faced with constant interruption. Once the user has been asked for permission for a specific cookie for a specific site a hundred times, it seems unlikely that they would continue to read about what each cookie does. Eventually only the illusion of security is provided, breeding complacency.

Cookies have been around almost as long as the internet has been commercially available, and for those that are concerned about them, there are already a plethora of techniques to avoid them such as browsers and scripts. These are one-button fixes as opposed to a heavy-handed law, which requires updates on upwards of half a billion web pages.

While this will have little impact on large businesses, which can move their servers out of the EU and avoid the process entirely, this will be a blight on smaller providers of web content.  It is these small providers that have made the internet so interesting. Traditional publishing has long been dominated by a much smaller group of voices, and the internet has gone a long way to increasing pluralism. The EU Cookie Directive puts that at risk, while only providing a façade of security.