Why every website wants you to accept its cookies
Cookies alerts are supposed to improve our privacy online. But are they?
Cookies are small files that websites send to your device that the sites then use to monitor you and remember certain information about you — like what’s in your shopping cart on an e-commerce site, or your login information. These pop-up cookie notices all over the internet are well-meaning and supposed to promote transparency about your online privacy.
But in the end, they’re not doing much: Most of us just tediously click “yes” and move on. If you reject the cookie tracking, sometimes, the website won’t work. But most of the time, you can just keep browsing. They’re not too different from the annoying pop-up ads we all ignore when we’re online.
These cookie disclosures are also a symptom of one of the internet’s ongoing and fundamental failings when it comes to online privacy and who can access and resell users’ data, and by extension, who can use it to track them across the internet and in real life.
The proliferation of such alerts was largely triggered by two different regulations in Europe: the General Data Protection Regulation (GDPR), a sweeping data privacy law enacted in the European Union in May 2018; and the ePrivacy Directive, which was first passed in 2002 and then updated in 2009. They, and the cookie alerts that resulted, have plenty of good intentions. But they’re ineffectual.
Why this, why now, briefly explained
The rise of alerts about cookies is the result of a confluence of events, mainly out of the EU. But in the bigger picture, these alerts underscore an ongoing debate over digital privacy, including whether asking users to opt in or opt out of data collection is better, and the question of who should own data and be responsible for protecting it.
After the GDPR went into effect, a lot of websites started adding cookie notifications. But GDPR actually only mentions cookies once. It says that to the extent that they are used to identify users, they qualify as personal data and are subject to the GDPR, which lets companies process data as long as they get consent or have what regulators deem a “legitimate interest.”
But it’s not just GDPR that governs cookies — it’s also the European ePrivacy Directive, which was last updated about a decade ago. The directive is sometimes known as the “cookie law” and lays out guidelines for tracking, confidentiality, and monitoring online. Currently, Europe is trying to enact the ePrivacy Regulation, which would supplant the directive and put in place across-the-board regulations for the EU instead of having them handled country by country. Right now, the GDPR and ePrivacy Directive share governance over cookie regulations. But whether the law passes or not, cookie alerts aren’t going away anytime soon.
Most companies are throwing cookie alerts at you because they figure it’s better to be safe than sorry
When the GDPR came into effect, companies all over the globe — not just in Europe — scrambled to comply and started to enact privacy changes for all of their users everywhere. That included the cookie pop-ups.
It’s certainly a good thing that tech companies and website owners are being more transparent with users about what they’re doing with their data and how they’re tracking them. And the GDPR and the heavy fines it threatens have caused some companies to clean up their practices around issues such as breach notifications.
But when it comes to cookies, these pop-up notifications aren’t doing much. The internet and its biggest websites are constructed in a way that gives these sites easy access to users’ data, and they can essentially do whatever they want with it.
And, frankly, we’re abetting this behavior. Most users just click or tap “okay” to clear the pop-up and get where they’re going. They rarely opt to learn more about what they’re agreeing to. Research shows that the vast majority of internet users don’t read terms of service or privacy policies — so they’re probably not reading cookie policies, either. They’re many pages long, and they’re not written in language that’s simple enough for the average person to understand.
There’s not even a consensus on whether or not cookie alerts are compliant with European law. In May, the Dutch data protection agency said these disclosures do not actually comply with GDPR because they’re basically a price of entry to a website.
Are there better solutions? Maybe, but no one can agree on what they are.
On the one hand, users should know what they’re getting into and what companies are tracking about them when they go to a website. On the other hand, asking them to check a box when they have very little idea what they’re agreeing to — and not giving them any other viable options — doesn’t seem to be an ideal solution. It worsens the user experience without doing anything very productive in return. This, again, reflects a more fundamental shortcoming when it comes to privacy and data collection on the internet.
Beyond what’s happening in Europe, there is also an online privacy movement in the US and some potential legislation that could someday change the way data collection works online, including when it comes to cookies.
But, for now, we’re stuck with these cookie pop-ups that make online browsing more difficult without accomplishing much else. Could we click through to see what’s being tracked about us? Sure. And might some websites still work if we say no to the cookies? Perhaps. But most of us are just going to keep saying yes.
Thanks to Vox