What’s next for cookie regulation

Ahead of Facebook's Design Jam on cookie regulation, I spent some time looking into how cookies are regulated now in the European Union and what's coming next.

Cookie Collage
Websites from the EU must ask people to opt into using cookies. Cookies help websites remember things between pages, but can also be used to track people across websites. (Photo: Screenshot/BBC, The Guardian, Spotify).

Where we are now

People often talk about the “cookie law”, but the regulation of cookies is part of wider legislation that regulates ePrivacy in the EU.

The Privacy and Electronic Communications Directive 2002 gave people the “right to refuse” what “information” was stored on their device. This technology independent language had been interpreted to mean cookies.

An amendment in 2009 meant users had to opt in to having cookies saved by their browsers, rather than being given a choice to opt out. That led to the introduction of "cookie banners", a design pattern used to notify people about the presence of cookies on a website.

You’ve probably seen a bunch of cookie banners on your way here. Since the early 2010s, most websites from the EU show one. They come in different forms, with variations in copy length, tone and layout, but they're designed to do the same kind of thing: they give you choice about whether to accept or decline cookies from that site. In practice, many websites rely on implied consent, telling people that they consider continued use of the website a decision to accept cookies.

So far, action has rarely been taken under the legislation. In the UK, the maximum fine is £500,000, but no-one has received one. Some organisations have been fined in the Netherlands and Spain.

Both privacy organisations and developers have criticised the current regulation. Reliance on implied consent, particularly by the most popular websites, puts people in the unrealistic position of giving a service blanket consent to use cookies or not using a service at all in order to decline them. There is also small appetite for enforcing cookie regulations. The ICO received 195 concerns about cookies, compared to 167,018 for nuisance communications.

Npo Cookies
In 2014, NPO, the Dutch public broadcaster, was fined 25,000€ for not complying with cookie consent legislation. Their cookie consent screen now links to a page where people can specifically control what cookies are used for. (Photo: Screenshot/NPO).

What’s happening next

The European Commission have published draft legislation called the ePrivacy Regulation. It’s part of their Digital Single Market strategy, to harmonise the digital regulatory frameworks of EU member states.

It complements the upcoming General Data Protection Regulation by sharing definitions of terms like consent, and having the same fines for non-compliance.

In a press release, the Commission acknowledges the “overload of consent requests” around cookies and aims to “simplify” the rules.

The new rules mean consent isn’t required for cookies that are for website analytics or for the basic functionality of a website.

People will be able to choose between different levels of cookie use when setting up their browser, ranging from accept all cookies to accept no cookies. Websites must respect this choice, unlike Do Not Track which can be ignored.

Google Cookies
Google Chrome allows people to block and delete cookies on individual websites. Whatever design Google chooses to implement following the change of rules, the majority of people across mobile and desktop will use it. (Photo: Screenshot/Google).

What that means

The shift of getting consent for cookies from website owners to browser makers is the most interesting part of the new legislation. It presents an opportunity to relieve some burden from website makers and streamline people’s experience of using the web.

However, the regulation assumes that people’s relationship with every website is the same and that first party analytics are acceptable to all. If most users choose to have restrictive cookie settings, that could inhibit advertising networks ability to serve targeted ads, which is how most websites pay for themselves.

There are only a handful of browser makers. Each of them needs to make sure that people are able to make an unbiased, confident decision on how they want cookies to be used. Browsers need to be transparent about whether our cookie preferences are being respected by the websites we visit. This is the kind of thing Matt meant last week, when he wrote that trust is "about the way something is built and run".

The new legislation places a huge responsibility on browser makers to build usable patterns to get people’s consent for cookies. The EU Commission wants the new regulation to come into force next year, on the same day as GDPR. Between now and then, browser makers will have to think hard about how their products instil trust in users.

Were Hiring


We're on the lookout for a developer to join the team at IF. If you're interested, visit jobs.projectsbyif.com for more details.