Cookies are small files that websites send to your device and then use to monitor you and remember certain information about you — like what’s in your shopping cart on an e-commerce site, or your login information. These pop-up cookie notices all over the internet are well-meaning and supposed to promote transparency about your online privacy.
But in the end, they’re not doing much: Most of us just tediously click “yes” and move on. If you reject the cookie tracking, sometimes, the website won’t work. But most of the time, you can just keep browsing. They’re not too different from the annoying pop-up ads we all ignore when we’re online.
These cookie disclosures are also a symptom of one of the internet’s ongoing and fundamental failings when it comes to online privacy and who can access and resell users’ data, and by extension, who can use it to track them across the internet and in real life.
The proliferation of such alerts was largely triggered by two different regulations in Europe: the General Data Protection Regulation (GDPR), a sweeping data privacy law enacted in the European Union in May 2018; and the ePrivacy Directive, which was first passed in 2002 and then updated in 2009. They, and the cookie alerts that resulted, have plenty of good intentions. But they’re ineffectual.
“I would say they’re generally pretty useless so far,” Shane Green, CEO of private data sharing platform digi.me, told Recode. “We’re back to 1999 all over again with pop-ups everywhere, and it’s beyond annoying.”
Why this, why now, briefly explained
The rise of alerts about cookies is the result of a confluence of events, mainly out of the EU. But in the bigger picture, these alerts underscore an ongoing debate over digital privacy, including whether asking users to opt in or opt out of data collection is better, and the question of who should own data and be responsible for protecting it.
After the GDPR went into effect, a lot of websites started adding cookie notifications. But GDPR actually only mentions cookies once. It says that to the extent that they are used to identify users, they qualify as personal data and are subject to the GDPR, which lets companies process data as long as they get consent or have what regulators deem a “legitimate interest.”
But it’s not just GDPR that governs cookies — it’s also the European ePrivacy Directive, which was last updated about a decade ago. The directive is sometimes known as the “cookie law” and lays out guidelines for tracking, confidentiality, and monitoring online. Currently, Europe is trying to enact the ePrivacy Regulation, which would supplant the directive and put in place across-the-board regulations for the EU instead of having them handled country by country. Right now, the GDPR and ePrivacy Directive share governance over cookie regulations. But whether the law passes or not, cookie alerts aren’t going away anytime soon.
“The GDPR is one shoe, and the other shoe is this ePrivacy Regulation, which is on the way,” said Amy Brouillette, research director of New America’s Ranking Digital Rights project, which promotes free expression and privacy online.
Most companies are throwing cookie alerts at you because they figure it’s better to be safe than sorry
When the GDPR came into effect, companies all over the globe — not just in Europe — scrambled to comply and started to enact privacy changes for all of their users everywhere. That included the cookie pop-ups.
“Everybody just decided to be better safe than sorry and throw up a banner — with everybody acknowledging it doesn’t accomplish a whole lot,” said Joseph Jerome, former policy counsel for the Privacy & Data Project at the Center for Democracy & Technology, a privacy-focused nonprofit.
It’s certainly a good thing that tech companies and website owners are being more transparent with users about what they’re doing with their data and how they’re tracking them. And the GDPR and the heavy fines it threatens have caused some companies to clean up their practices around issues such as breach notifications. After GDPR, there has been “less egregious sharing and abusing of data across the board and in Europe,” Green said.
But when it comes to cookies, these pop-up notifications aren’t doing much. The internet and its biggest websites are constructed in a way that gives these sites easy access to users’ data, and they can essentially do whatever they want with it.
And, frankly, we’re abetting this behavior. Most users just click or tap “okay” to clear the pop-up and get where they’re going. They rarely opt to learn more about what they’re agreeing to. Research shows that the vast majority of internet users don’t read terms of service or privacy policies — so they’re probably not reading cookie policies, either. They’re many pages long, and they’re not written in language that’s simple enough for the average person to understand.
There’s not even a consensus on whether or not cookie alerts are compliant with European law. In May, the Dutch data protection agency said these disclosures do not actually comply with GDPR because they’re basically a price of entry to a website.
“Until there’s an enforcement action or a regulator puts out an actual guidance document and says, ‘Here’s what we want and what we think people will read,’ you’ll have this gross user experience,” Brouillette told Recode.
Are there better solutions? Maybe, but no one can agree on what they are.
On the one hand, users should know what they’re getting into and what companies are tracking about them when they go to a website. On the other hand, asking them to check a box when they have very little idea what they’re agreeing to — and not giving them any other viable options — doesn’t seem to be an ideal solution. It worsens the user experience without doing anything very productive in return. This, again, reflects a more fundamental shortcoming when it comes to privacy and data collection on the internet.
So what would be a better answer? Green suggested perhaps some seal of approval or ratings system that would signal to users that a website follows good privacy practices. Of course, we would have to decide who sets those standards — the public sector, the private sector, or some combination — and what the standards should be. And it’s going to be tough to find a consensus.
Jerome pointed to the transparency and consent framework put forth by the Interactive Advertising Bureau, or IAB, an industry trade group that researches interactive advertising and develops standards and best practices for complying with EU rules. “That’s not necessarily the solution … but we do need some sort of standardization here,” he said.
Johnny Ryan, chief policy and industry relations officer at Brave, a privacy-oriented web browser, said he thinks the IAB’s framework is actually harmful. “You’re essentially cutting corners on what they show you when they ask for your okay, and in many cases, on top of that, they’re not letting you say no,” he said.
Ryan said he believes the GDPR has resulted in a “game of chicken” between the tech industry and regulators, where companies are trying to see what they can get away with and doing the bare minimum — without taking meaningful action or, often, actually complying with the law. “The GDPR is very good as a piece of paper; it’s almost perfect. But it hasn’t been enforced,” he said.
Beyond what’s happening in Europe, there is also an online privacy movement in the US and some potential legislation that could someday change the way data collection works online, including when it comes to cookies. For example, Rep. Ro Khanna (D-CA) has proposed an Internet Bill of Rights, a list of user protections in the digital age, and Senate Democrats have introduced the Consumer Online Privacy Rights Act (COPRA), which seeks to expand digital privacy rights and protections in a way that is similar to GDPR.
With Republicans in control of the Senate and few things moving through Congress, it’s not clear when or if either of these ideas would become law. But at the state level, the California Consumer Privacy Act (CCPA), a law meant to protect privacy rights and improve consumer data protection, will go into effect on January 1 in the state.
But, for now, we’re stuck with these cookie pop-ups that make online browsing more difficult without accomplishing much else. Could we click through to see what’s being tracked about us? Sure. And might some websites still work if we say no to the cookies? Perhaps. But most of us are just going to keep saying yes.
“We’re going to be bedeviled by banners for a long time,” Jerome said.
Open Sourced is made possible by the Omidyar Network. All Open Sourced content is editorially independent and produced by our journalists.