Author: Tom du Pré

The case against cookie consent header solutions

A new micro-industry has appeared with products that claim to make your website instantly compliant with the cookie law. There has been much confusion and dismay about what this practically means to website operators. To take advantage of the apparent difficulty in making websites compliant, a bubble of new companies has formed offering products that claim to make your site compliant. These are bold claims indeed.

These products take the form of page headers, pop-up box dialogues or overlays, but in almost all cases these consent products aren’t the solution and are not able to offer out of the box compliance with the cookie law. Of course each of the products is different and suffers to a greater or lesser extent from the problems described below, but I don’t think any of them address all the concerns I’m about to describe.

Usability and accessibility

Website operators and users have spent the last decade almost completely eradicating the popup window. Users are very turned off by popups, homepage takeovers and anything else that stops them doing what they want to do when they arrive at a website. Many users have popup blockers on their browsers and some browsers come with this option enabled by default. It is a shame that all the consent products rely, to a greater or lesser degree, on interrupting the user from achieving what they came to the website to achieve. There are plenty of ways of reducing the usability of a website and this has got to be one of the best. You should seriously think about the usability implications of any consent solution and how your users will be affected.

Designers are constantly under conflicting pressures to fit as much as possible on webpages but simultaneously make sites that look clean and uncluttered. Every pixel counts. The catch-22 is that if your consent product is big enough to be noticeable it will dominate the page and look horrid, and if it’s discreet no one will see it. The law is not intended to drive your customers away and make it hard for you to do business, but intrusive consent dialogues will almost certainly increase your bounce rates and reduce your traffic.

Many of the consent products would, if implemented, put sites in direct violation of existing accessibility laws. If you are trying out any of these products, try doing so using a screen reader to simulate what partially sighted people using your site would experience. If you don’t have a screen reader, try using them without using your mouse! It’s clear that the ICO don’t want you to comply with one law but start breaking another one in the process.

Delicious irony

Consider this:

  • The cause of most of the perceived problems around cookies is sites that host 3rd party code (typically advertising, or “free” widgets) which set cookies that are used by the 3rd party to track browsing behaviour.
  • The proposed solution to the perceived problems around cookies is for sites to host 3rd party code (consent products, this time) that set cookies that can be used by the 3rd party to track browsing behaviour, and can potentially read and log all the cookies your site is using including both 1st and all 3rd party cookies.

I’m not suggesting for a second that any of the products on the market are themselves a form of spyware. But it is fair to say that if you did implement such a solution on your site you will be wanting a cast iron contract with the provider about what data they collect from your site. Therefore sticking yet more supposedly free 3rd party code on to your site probably isn’t ideal.

Search Engine Optimisation

Lots of sites spend lots of money and effort on their search engine ranking. Before installing any of these consent products you would be well advised to understand what impact they would have on search engine spiders indexing your site. This is particularly concerning for the products that stop the user from accessing the site at all until the checkbox has been checked. The search engine spiders won’t be able to check these boxes and might therefore be prevented from indexing your pages. You also want to be careful that the text in your cookie header doesn’t end up getting used by the search engine as the description of your site.

Avoid paying one company money to help search engine spiders index your site at the same time as paying another company money to stop the spiders indexing your site.

Reliability

Another big downside of relying on 3rd party code is that you are dependent on that 3rd party to be totally reliable and available. For example, one of the consent products that will remain nameless recently suffered an outage affecting all their customers. If you believed that the product made their customers’ sites compliant, then the sites would have been non-compliant during that outage. The outage was related to February 29 being the extra day in the leap year which, and I quote, “…was an unforeseen [sic] special situation that will never re-occur.”

Consider whether or not you are happy to rely on a 3rd party’s services being available to make your site legal.

Accountability and indemnity

Let’s say you decide to use one of these products but the worst case scenario happens and someone complains, the ICO upholds the complaint and fines you half a million pounds. (Massively unlikely by the way.) You have put all your eggs in one basket and the handle has just broken. What does your contract with the provider say? If they have guaranteed compliance, I would expect them to be paying the fine and any other costs for reputational damage and loss of business that you would have incurred in such a situation. Does the provider have sufficient indemnity insurance to cover paying out these costs to all their clients? If they are unable to offer a contract with this strength of guarantee then their product is worthless at best.

“Free consent solution! 100% money back guarantee!”

Cute cookie icons everywhere

Many (not all) of the products involve placing their cookie logo on your page. The intention is to create a recognisable icon that appears on lots and lots of sites that people will recognise, and each product is hoping that their icon will become the new kitemark for cookies. Somewhat unimaginatively, many of these are variations on the theme of a cute picture of a choc chip cookie. A company that has spent huge sums of money designing and developing a website to promote their online brand should be unwilling to allow someone else’s cookie logo to infringe on that brand. Can you honestly imagine a deadly serious financial news site being happy to stick a cartoon biscuit next to their 200 year old masthead? How about a site about weight loss and diet issues? There is also a question about the value of the real estate on a company home page. If your website gets lots of traffic, any other company who wanted to put their logo or ad in your header would have to pay you a lot of money. But these cookie icons want to get that exposure for free, or even charge you to place the logo there. And they get access to all your analytics data!

Freely given, specific and informed consent?

None of the cookie consent products adequately explain what they are asking consent for. (Admittedly most are configurable so you can put your own words in.) The copywriters have my sympathy because they’re trying to explain something quite complicated to people who don’t know or care much about it. The law requires consent to be freely given, specific and informed, i.e. the person knows exactly what they’re consenting to and is not coerced into accepting something they don’t want. To express freely given, specific, informed consent on a site that uses the common cookie types, you must be able to prove your user has:

  • Understanding of how data collected by web sites is used to personalise or enrich the experience
  • Understanding of website analytics and what data is collected and by whom,
  • Understanding of online behavioural advertising and what data is collected and by whom,
  • Understanding why they are being asked for consent and why this all matters,
  • Understanding what happens if they don’t consent.

You can’t assume all your users will have all this knowledge. (Although it would be sensible to give this information somewhere on your site.) Trying to convey all this in a few lines of copy that will fit in a popup or page header doesn’t seem to be possible. Many have tried, all have failed. It’s much easier to just ask for consent to use cookies without much or any explanation of what that actually means, and this is what the consent products typically do.

However you choose to seek consent, it should focus on the real world implications of the data that is collected and used, not on the mechanism used to do it. If it’s not specific and it’s not informed, it’s not consent.

Babies and bathwater

Several, though not all, of the products block all cookies until consent (whatever that is) has been given. But because the consent products don’t know what the cookies on your site are for, they block all the essential cookies that are strictly necessary to enable a service specifically requested by the user (the ones that are exempt from the law) as well as the non-exempt cookies. This is unnecessary, and just makes your site function worse than it needs to. To a slightly lesser degree this is also true of analytics cookies that are blocked. The Information Commissioner’s Office (ICO) have made it very clear, in writing, that they are not overly concerned about analytics cookies provided they are used for anonymous, aggregated analysis and you talk about how you use them in your privacy policy. Therefore the products that focus on blocking Google Analytics cookies are selling you something you just don’t need. The same goes for people who try to sell you cookie-free analytics programs on the basis that your current analytics solution is somehow going to land you with a £500,000 fine. It won’t.

It is the ICO’s job to enforce this law, so it is their opinion that matters. I beseech you to read their guidance before blocking your analytics cookies.

Cookies to store cookie preference

More irony. Technically, under the law, it would be permissible to use a cookie to store a “don’t give me cookies” preference, because that preference cookie could be considered exempt under the “strictly necessary to provide a service (i.e. the cookie preference) the user has specifically requested” exemption. This has inevitably raised a chuckle or two. But the irony isn’t the problem here. The problem is that using cookies to store cookie opt-out preferences will, over time, train people to never delete their cookies, exacerbating the original problem. Imagine you spend a month of normal browsing dutifully accepting or, more likely, declining invitations to consent to cookies. Life gets pretty good for a while, because the sites you visit regularly remember your preference (with a cookie) and stop getting in your way with popups and headers asking for your consent. Then one day you notice that some undesirable ad is following you round the internet and you want to stop it, so you delete your cookies. Whoops. All your preferences are now lost, and you have to spend another month exposed to all the headers and popups asking for consent again. That will probably be the last time you ever delete your cookies, and your computer will get increasingly full of stuff that is tracking you without your knowledge or control. The complete opposite of what the law intended.

What’s behind that “I consent” button?

A culture where web popups are more and more common could result in an increase in viruses. You might think you’re clicking a bona-fide consent button, but you might actually be clicking something dressed up to look like a consent button but is actually “click-jacking” you and getting you to download something horrible. This is not just a scare, it’s already happening. One of the consent products on the market at the moment triggers an AVG virus alert when the button is clicked. It warns of a “Blackhole Exploit Kit”. It’s worth Googling this and asking yourself whether you would want that on your website.

Not a holistic solution

Be very sceptical of anyone who claims they can make your website instantly compliant by simply adding their header/popup code to your site. It’s a bit more complicated than that.

Some of the products offer more of a holistic solution than others including consultancy and audits which is to be encouraged, but most claim out of the box compliance. One even has a picture of a boxed solution on their homepage. Very few of them offer any appropriately qualified legal opinion. Before even considering such a sticking plaster approach, you must do the following things, as a minimum:

  • Do an audit of your cookies. Understand what your site is setting, and what you are using them for.
  • Get rid of any obsolete cookies.
  • Critically assess the timeouts on your cookies. Do they have ridiculously long expiry times? If so shorten them.
  • Understand what third party cookies your site sets. What contracts do you have in place with these third parties to ensure you are happy giving them your customers’ browsing data and what benefit do you get from this? Or do you just haemorrhage your customers’ data to all and sundry without control? If you do, stop it.
  • Make sure your site’s privacy statement is as good as it possibly can be, explaining what data is collected, how, by whom and what it’s used for. Provide information about how to delete or opt out of the cookies your site and your third parties set. Make this page really really easy to find. A link in your global top nav bar should do the trick.
  • Consider signposting links to your privacy statement at other points when cookies will be set, and tell people when they are doing things that the site will store or remember.
  • Ask people to formally accept your privacy statement at key points in your site, for example registration.
  • Keep a note of all your conversations, decisions and actions. The ICO have said they will take into consideration the amount of effort that companies have spent when investigating any complaints, so you’ll want to have some evidence of your hard work.
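As an added illustration of the audit steps above (and of the “babies and bathwater” point about blocking strictly necessary cookies along with everything else), here is a small Python script that is not part of the original article: it parses captured Set-Cookie headers, checks each cookie against a hypothetical register the site keeps after its audit, and flags undeclared cookies, long expiries and third-party cookies. The sample headers, the register, the 180-day threshold and the capture date are all constructed assumptions.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed sample: (host that sent the response, Set-Cookie header value)
SAMPLE_SET_COOKIES = [
    ("example.com", "sessionid=abc123; Path=/; Secure; HttpOnly"),
    ("example.com", "cookie_pref=declined; Max-Age=31536000; Path=/"),
    ("example.com", "_ga=GA1.2.1; Domain=.example.com; Expires=Thu, 01 Jan 2099 00:00:00 GMT"),
    ("ads.tracker.test", "uid=xyz; Max-Age=63072000; Path=/"),
    ("example.com", "old_promo=1; Max-Age=2592000"),
]
# Hypothetical register the site keeps after its audit: cookie name -> purpose category
REGISTER = {"sessionid": "strictly_necessary", "cookie_pref": "strictly_necessary", "_ga": "analytics"}
LONG_EXPIRY = 180 * 24 * 3600  # assumed threshold (seconds) for a "ridiculously long" lifetime
AUDIT_NOW = datetime(2012, 6, 1, tzinfo=timezone.utc)  # assumed capture time for Expires checks

def parse_set_cookie(header):
    """Split a Set-Cookie value into (name, value, {attribute: value}); attribute names lower-cased."""
    name_value, *attr_parts = header.split(";")
    name, _, value = name_value.strip().partition("=")
    attrs = {}
    for part in attr_parts:
        key, _, val = part.strip().partition("=")
        attrs[key.lower()] = val.strip()
    return name, value, attrs

def lifetime_seconds(attrs, now):
    """Seconds until expiry from Max-Age (wins, per RFC 6265) or Expires; None for a session cookie."""
    if attrs.get("max-age", "").lstrip("-").isdigit():
        return int(attrs["max-age"])
    try:
        return int((parsedate_to_datetime(attrs["expires"]) - now).total_seconds())
    except (KeyError, TypeError, ValueError):
        return None

def audit(first_party, set_cookies, register, now):
    """Return (cookie name, issue) pairs; issues are undeclared, long_expiry and third_party."""
    findings = []
    for source_host, header in set_cookies:
        name, _value, attrs = parse_set_cookie(header)
        if name not in register:  # obsolete, or never explained in the privacy statement
            findings.append((name, "undeclared"))
        life = lifetime_seconds(attrs, now)
        if life is not None and life > LONG_EXPIRY:
            findings.append((name, "long_expiry"))
        host = attrs.get("domain", "").lstrip(".") or source_host
        if host != first_party and not host.endswith("." + first_party):
            findings.append((name, "third_party"))
    return findings

def non_essential(set_cookies, register):
    """Cookies a consent mechanism would need to gate; strictly necessary ones should stay unblocked."""
    names = [parse_set_cookie(header)[0] for _host, header in set_cookies]
    return [n for n in names if register.get(n) != "strictly_necessary"]
```

Each finding is a prompt for a human decision (shorten, drop, or document the cookie), not a verdict; only the cookies returned by `non_essential` would need to sit behind a consent mechanism.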

If you haven’t done these things, the only wording you can really put in any consent header or popup is:

“Please consent to this website not really understanding what it is doing with your browsing data, and confirm you’re ok with us doing whatever it is we do, and whichever third parties we use doing whatever it is they do.”

This is not, by anyone’s reckoning, compliance with either the letter or the intention of the law.

Dog analogy

Imagine you get a dog from a rescue centre. (I am assuming you are the kind of lovely person who would do such a wonderful thing.) You don’t know the dog’s history or temperament and don’t really know whether it is prone to biting postmen or not. So what do you do? Do you either:

  1. Get to know the dog, train it to behave, make sure it is under control and your garden has adequate fences to separate it from visitors and keep it on a lead when out for a walk, or
  2. Just put a sign on your gate saying “Beware of the dog. Enter at your own risk”.

Which of these two options protects people from getting bitten and protects you from being sued by people who got bitten? Hint: It’s not the sign.

Conclusion

I’ve tried to avoid using the words hucksters, or snake oil, in this article because there are some companies out there working hard to provide good, holistic solutions that don’t rely on fear or misunderstanding. It’s pretty clear who these are. However, your website will almost certainly not instantly comply with either the spirit or the letter of the law by quickly installing some code that generates a header or a popup with some text on it. Whilst some of these products may, in some instances, have their place as a contributing factor in your overall approach to compliance, on their own they almost certainly won’t help and in almost all cases will make your site worse.

As a final note, many of these products are being sold as “solutions” but they can’t claim to have solved anything yet. When the ICO start enforcing the law we will be able to see what sort of sites they target and which they hold up as shining examples of compliance. My prediction is that the ICO will be entirely uninterested in whether or not you have a pop-up or a page header on your site so long as you are being open, honest and transparent about your cookies and help your users make informed choices about them. If you’re doing that, my bet is that the ICO will only really be interested if your site collects users’ medical records (or similar) and then you leave those records on a bus.

Article by Tom du Pré. @EUCookieBoy

