We are now several years into the changes in law which became known as the cookie law. Since then, the EU has enacted the GDPR which has added some urgency to ensuring that websites are compliant in the area of cookies and other stored information such as pixel trackers. The GDPR confirmed the consent requirements and national data protection organisations are taking an increasing interest in this area.

The basic requirements are that websites gain informed consent before storing cookies unless those cookies are what is termed ‘strictly necessary’. These strictly necessary cookies include those set in order to provide a service that the user specifically requested, for example to log into a website or carry out functions associated with shopping carts. It clearly does not include analytics cookies or the plethora of advertising and marketing cookies. Website designers may argue that their website will not function without cookies and where that functionality is a shopping cart I would agree. However, if the functionality in question is so the website can remember my shoe size this is not strictly necessary and I would expect to have to give my informed consent before such a cookie is stored.

Informed consent is key. It means that the user must be informed of why a cookie is being set and must then consent to it being set. And there’s the thing – I can permit the website to set cookies and consent to those cookies being set by advertisers such that they are also accessible to other websites, but I should not be forced to do so, I should understand what it means, and it should not be automatic. One may argue here that five pages of legalese indicating why a cookie is set is not a particularly valid way to inform the user.

There is also the issue of pre-checked options although this is lessened if there is a ‘reject all’ button as some websites have. Websites should not use pre-checked consent boxes but there is give and take here, in particular where the user can actively refuse cookies. However, to take the letter of the law the practice is not legal and you must not use pre-checked boxes in this way.

Cookies in the real world?

If I look at a product in a shop and an assistant comes to me and tells me there is an alternative, or a better product, then that presents me with no issue. However, if I then go to a different shop I do not expect someone to then show me products like the ones I just viewed in the first shop unless I specifically ask. And there is the difference: I can choose to ask or not. So why are tracking cookies any different?

And I certainly do not expect to go into a newsagent's and pick up a paper only to have 33 sticky notes stuck on me from 33 other papers, each saying I do not want them to send me anything. Mind you, I don’t buy newspapers…

You must comply

This brings us to the question of cookie walls. Here, a website forces you to agree to its cookie policy before you can even see the website. In my opinion any such website should simply be ignored. Why, for example, should I need to consent to it storing cookies just so I can see its email address or other contact details?

And I do object when I find a website that offers me a choice of some 400 advertising partners and lets me deselect each one, one by one. It’s far easier to just visit some other website. And let’s not get into discussion over the numerous websites which have a privacy and cookie notice hosted on some other website at a completely different URL which also sets its own cookies! One particularly famous website gave me a large privacy notice that I could not get past without either accepting or drilling down through layers of options. It was somewhat amusing to count over 400 partner sites that may get my data, and also drilling down further I got to a different, presumably parent website at a completely different URL. Needless to say this was an example of a US website.

Obfuscated messages

It is not always obvious how one even deselects cookies when consenting. The use of graphical sliders to allow or refuse cookies may be obvious when it is visually clear that green is go and red is not. So why do some websites choose shades of grey, and others just have a black slider with no indication of which way is off? This is not rocket science. Some websites use a simple tick box – surely that is sufficient? Can you imagine the problems in a fast food outlet where you end up with a spicy burger and a sugar-laden drink because the options for ‘not spicy’ and ‘diet free’ were just black balls on a grey background?

Fighting back

So, to recap, cookies which are strictly necessary can be set by a website without consent when you visit it but these are a tightly defined subset of cookies which are actually necessary for a website to do what you want, not what it wants. Any other cookie must only be set once the user has given their informed consent. Cookies which store one’s choice here can be accepted as strictly necessary. Thus, a website storing a cookie to save your cookie choices for that website is ok as it is associated with you actually requesting something.

However, some websites, particularly media types, take this to mean it is OK for each and every one of their partner sites to also set a cookie to save your choice. To me this is just bad programming – why are you causing my browser to visit each of your partner websites in order for each one to then store a cookie saying I do not want them to send me cookies? One newspaper website I visited, on which I immediately selected ‘reject all’ on its cookie notice, caused 33 individual cookies to be set.
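As an added example (not code from the original post), here is how the consent model described above can be implemented so that ‘reject all’ results in exactly one extra first-party cookie recording the choice, rather than one cookie per partner, and so that the banner's boxes start unchecked. The cookie names, categories and partner entries are made up for illustration.

```javascript
// Added example, not from the original post: a consent gate that records the
// visitor's choice in ONE first-party cookie and issues non-essential cookies
// only after informed consent. The cookie names and partner list are made up.

const OPTIONAL_CATEGORIES = ['analytics', 'marketing'];

// Hypothetical catalogue of everything the site might set. Only cookies in the
// 'necessary' category may be set before the visitor has chosen.
const COOKIE_CATALOGUE = [
  { name: 'sessionid',     category: 'necessary', purpose: 'keeps you logged in' },
  { name: '_analytics',    category: 'analytics', purpose: 'page view statistics' },
  { name: '_ad_partner_1', category: 'marketing', purpose: 'advertising partner tracking' },
  { name: '_ad_partner_2', category: 'marketing', purpose: 'advertising partner tracking' },
];

// The visitor's decision is stored once, here, rather than as one cookie per
// partner. Categories that were not explicitly granted are treated as refused.
function buildConsentCookie(choices) {
  const granted = OPTIONAL_CATEGORIES.filter((c) => choices[c] === true);
  return {
    name: 'cookie_consent',
    value: JSON.stringify({ v: 1, granted }),
    maxAge: 60 * 60 * 24 * 180,  // re-ask after 180 days
    sameSite: 'Lax',
    secure: true,
  };
}

function parseConsentCookie(value) {
  try {
    const parsed = JSON.parse(value);
    return Array.isArray(parsed.granted) ? parsed.granted : [];
  } catch {
    return [];  // a malformed record counts as "no consent", never as consent
  }
}

// Cookies the server may include on a response, given the stored consent
// record (or null when the visitor has not yet chosen and the banner is shown).
function responseCookies(consentCookie) {
  const granted = consentCookie ? parseConsentCookie(consentCookie.value) : [];
  const allowed = COOKIE_CATALOGUE
    .filter((c) => c.category === 'necessary' || granted.includes(c.category))
    .map((c) => c.name);
  return consentCookie ? [consentCookie.name, ...allowed] : allowed;
}

const rejectAll = () => buildConsentCookie({ analytics: false, marketing: false });
const acceptAll = () => buildConsentCookie({ analytics: true, marketing: true });

// What the banner shows for each optional cookie, so that consent is informed.
// Nothing is pre-checked: the visitor has to opt in.
function bannerOptions() {
  return COOKIE_CATALOGUE
    .filter((c) => c.category !== 'necessary')
    .map((c) => ({ category: c.category, name: c.name, purpose: c.purpose, checked: false }));
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('no choice yet :', responseCookies(null));
  console.log('reject all    :', responseCookies(rejectAll()));
  console.log('accept all    :', responseCookies(acceptAll()));
}
```

The design choice worth noting is that the consent record lives on the site's own domain and the partner cookies are simply never issued when their category is refused; there is no need for the browser to contact each partner to store a refusal. A malformed or missing record is treated as ‘not consented’, so a bug can only err on the side of setting fewer cookies.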

It is sometimes amusing watching websites fail miserably when cookies are disabled in the browser. Some throw you off and demand you allow cookies, some struggle, some have no issues at all. I found one that displays nothing and constantly reloads itself trying to set a cookie. I suspect someone got their cookie sensing code a bit wrong there.

It is less amusing to struggle through a website’s cookie notice and deselect everything only then to be told I can get no further because I use an ad blocker. But wait, if the ad blocker checker is cookie based and I deselected cookies how come it even works?

Remember that tracking cookies are no use if they are not available when you visit other websites. So, for example, you visit website A and you have no cookies set at all. Website A embeds content served by website C, and C sets a tracking cookie. You then visit website B, which also embeds content from website C, so the tracking cookie that C set during your visit to A is sent back to C, and data about you can thus be linked across the two sites. But if you delete the cookie before you visit website B then C cannot know you are the same visitor. This is oversimplified but essentially is how you end up stalked by adverts.
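The mechanism just described, as an added example that is not part of the original post: a toy model of a browser cookie jar, scoped by host, shows that the tracker's cookie set during the visit to A is presented to the same tracker during the visit to B, that first-party cookies do not leak between A and B, and that deleting the tracker's cookie between the visits breaks the link. All hostnames (`a.example`, `b.example`, `tracker-c.example`) are made up.

```javascript
// Added example, not from the original post: a toy cookie jar that models how a
// tracking cookie served by a third party (host "tracker-c.example") during a
// visit to site A is sent back to the same third party when site B embeds it,
// and how deleting it between the two visits breaks the link. Hostnames are made up.

class CookieJar {
  constructor() { this.store = new Map(); }  // host -> Map(name -> value)
  set(host, name, value) {
    if (!this.store.has(host)) this.store.set(host, new Map());
    this.store.get(host).set(name, value);
  }
  // Cookies are scoped to the host that set them: a.example never sees
  // b.example's cookies, and vice versa. Only the tracker's own host sees 'tid'.
  get(host) { return Object.fromEntries(this.store.get(host) ?? new Map()); }
  delete(host) { this.store.delete(host); }
  clear() { this.store.clear(); }
}

// The third-party tracker: on every request it either recognises the visitor
// id cookie it previously set, or mints a new one, and records which page
// the request came from against that id.
class Tracker {
  constructor(host) { this.host = host; this.nextId = 1; this.profile = new Map(); }
  handle(jar, page) {
    const sent = jar.get(this.host);               // Cookie header on the request
    const recognised = 'tid' in sent;
    const id = recognised ? sent.tid : `v${this.nextId++}`;
    jar.set(this.host, 'tid', id);                 // Set-Cookie on the response
    this.profile.set(id, [...(this.profile.get(id) ?? []), page]);
    return { page, id, recognised };
  }
}

// Which third parties each first-party page embeds (ad script, pixel, etc.).
function embeds(page, tracker) {
  return { 'a.example': [tracker], 'b.example': [tracker], 'd.example': [] }[page];
}

// Visiting a page sets a first-party cookie and lets each embedded third party
// read and set its own cookies.
function visit(jar, page, tracker) {
  jar.set(page, 'sessionid', `${page}-session`);
  return embeds(page, tracker).map((t) => t.handle(jar, page));
}

// Visit A then B with the tracker cookie left in place.
function scenarioTracked() {
  const jar = new CookieJar();
  const tracker = new Tracker('tracker-c.example');
  const events = [...visit(jar, 'a.example', tracker), ...visit(jar, 'b.example', tracker)];
  return { events, profile: Object.fromEntries(tracker.profile), bCookies: jar.get('b.example') };
}

// Visit A, delete the tracker's cookie, then visit B.
function scenarioDeletedBetween() {
  const jar = new CookieJar();
  const tracker = new Tracker('tracker-c.example');
  const first = visit(jar, 'a.example', tracker);
  jar.delete(tracker.host);
  const second = visit(jar, 'b.example', tracker);
  return { events: [...first, ...second], profile: Object.fromEntries(tracker.profile) };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(scenarioTracked(), null, 2));
  console.log(JSON.stringify(scenarioDeletedBetween(), null, 2));
}
```

In the first scenario the tracker ends up with one id linked to both `a.example` and `b.example`; in the second it sees two unrelated ids, one per site, which is exactly what deleting the cookie (or blocking third-party cookies) buys you. Real browsers add further rules (path, `SameSite`, partitioning) that this model leaves out.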

Personally, I address this in a specific way. Cookies are always turned off on my phone. Yes, it means there are some things I cannot do because they require me to log in, but if I absolutely have to use the phone for those then I can quickly turn cookies back on, do the work, then delete the cookies. On the laptop I now use an app which allows me to choose which cookies I want to keep from each website I use. So, for example, I can allow any login function cookies for the various web-based forums I visit. The app is set to delete any unwanted cookies after a minute, or there is a button to delete immediately. Using this, I can visit a website and delete all its cookies right away. Of course, this is personal preference and suits me because I have always been security conscious. And other browsers have other mechanisms. I do recommend that you investigate something which suits you. I would also recommend that you take a look at what cookies your browser has stored; you’ll probably be amazed!

It’s not all bad news. There are some really well thought out websites out there. An example is where a website has a very simple line at the bottom, with cookie options not pre-checked and a button to accept or otherwise. Many, many websites run by organisations with insane amounts of money (and therefore buying power when it comes to website design) could learn from this.

Chocolate chip anyone?