If you’ve visited a new website on your phone or computer over the past 18 months or so, you’ve probably seen it: a notification informing you that the page is using cookies to track you and asking you to agree to let it happen. The site invites you to read its “cookie policy,” and it may tell you the tracking is to “enhance” your experience — even though it feels like it’s doing the opposite.

Cookies are small files that websites send to your device that the sites then use to monitor you and remember certain information about you — like what’s in your shopping cart on an e-commerce site, or your login information. These pop-up cookie notices all over the internet are well-meaning and supposed to promote transparency about your online privacy.

But in the end, they’re not doing much: Most of us just tediously click “yes” and move on. If you reject the cookie tracking, sometimes, the website won’t work. But most of the time, you can just keep browsing. They’re not too different from the annoying pop-up ads we all ignore when we’re online.

These cookie disclosures are also a symptom of one of the internet’s ongoing and fundamental failings when it comes to online privacy and who can access and resell users’ data, and by extension, who can use it to track them across the internet and in real life.

The proliferation of such alerts was largely triggered by two different regulations in Europe: the General Data Protection Regulation (GDPR), a sweeping data privacy law enacted in the European Union in May 2018; and the ePrivacy Directive, which was first passed in 2002 and then updated in 2009. They, and the cookie alerts that resulted, have plenty of good intentions. But they’re ineffectual.

Why this, why now, briefly explained

To back up a little bit, cookies are pieces of information saved about you when you’re online, and they track you as you browse. So say you go to a weather website and put in your zip code to look up what’s happening in your area; the next time you visit the same site, it will remember your zip code because of cookies. There are first-party cookies that are placed by the site you visit, and then there are third-party cookies, such as those placed by advertisers to see what you’re interested in and in turn serve you ads — even when you leave the original site you visited. (This is how ads follow you around the internet.)

The rise of alerts about cookies is the result of a confluence of events, mainly out of the EU. But in the bigger picture, these alerts underscore an ongoing debate over digital privacy, including whether asking users to opt in or opt out of data collection is better, and the question of who should own data and be responsible for protecting it.

In May 2018, the GDPR went into effect in Europe — you probably remember your inbox being flooded with privacy policy emails around that time. The privacy law is designed to make sure users are aware of the data that companies collect about them, and to give them a chance to consent to sharing it. It requires companies to be transparent about what information they’re gathering and why. And individuals get the right to access all their personal data, control access and use of it, and even have it deleted.

After the GDPR went into effect, a lot of websites started adding cookie notifications. But GDPR actually only mentions cookies once. It says that to the extent that they are used to identify users, they qualify as personal data and are subject to the GDPR, which lets companies process data as long as they get consent or have what regulators deem a “legitimate interest.”

But it’s not just GDPR that governs cookies — it’s also the European ePrivacy Directive, which was last updated about a decade ago. The directive is sometimes known as the “cookie law” and lays out guidelines for tracking, confidentiality, and monitoring online. Currently, Europe is trying to enact the ePrivacy Regulation, which would supplant the directive and put in place across-the-board regulations for the EU instead of having them handled country by country. Right now, the GDPR and ePrivacy Directive share governance over cookie regulations. But whether the law passes or not, cookie alerts aren’t going away anytime soon.

Most companies are throwing cookie alerts at you because they figure it’s better to be safe than sorry

When the GDPR came into effect, companies all over the globe — not just in Europe — scrambled to comply and started to enact privacy changes for all of their users everywhere. That included the cookie pop-ups.

It’s certainly a good thing that tech companies and website owners are being more transparent with users about what they’re doing with their data and how they’re tracking them. And the GDPR and the heavy fines it threatens have caused some companies to clean up their practices around issues such as breach notifications. 

But when it comes to cookies, these pop-up notifications aren’t doing much. The internet and its biggest websites are constructed in a way that gives these sites easy access to users’ data, and they can essentially do whatever they want with it.

And, frankly, we’re abetting this behavior. Most users just click or tap “okay” to clear the pop-up and get where they’re going. They rarely opt to learn more about what they’re agreeing to. Research shows that the vast majority of internet users don’t read terms of service or privacy policies — so they’re probably not reading cookie policies, either. They’re many pages long, and they’re not written in language that’s simple enough for the average person to understand.

There’s not even a consensus on whether or not cookie alerts are compliant with European law. In May, the Dutch data protection agency said these disclosures do not actually comply with GDPR because they’re basically a price of entry to a website.

Are there better solutions? Maybe, but no one can agree on what they are.

On the one hand, users should know what they’re getting into and what companies are tracking about them when they go to a website. On the other hand, asking them to check a box when they have very little idea what they’re agreeing to — and not giving them any other viable options — doesn’t seem to be an ideal solution. It worsens the user experience without doing anything very productive in return. This, again, reflects a more fundamental shortcoming when it comes to privacy and data collection on the internet.

Beyond what’s happening in Europe, there is also an online privacy movement in the US and some potential legislation that could someday change the way data collection works online, including when it comes to cookies. 

But, for now, we’re stuck with these cookie pop-ups that make online browsing more difficult without accomplishing much else. Could we click through to see what’s being tracked about us? Sure. And might some websites still work if we say no to the cookies? Perhaps. But most of us are just going to keep saying yes.

Thanks to Vox