Carlos Fenollosa — Blog

Thoughts on science and tips for researchers who use computers

The ignorant EU cookie law

March 18, 2014 — Carlos Fenollosa

It is 2014, and many webmasters still don't know that there is a new EU law which regulates cookies and other data stored in user computers. This is part of a noble effort to protect user privacy, which, well, I personally support.

Unfortunately, the actual law is technically incompetent and does nothing for user privacy while placing a lot of responsibility on webmasters and costing them a lot of time and money.

Put another way, this law tries to protect users by forcing spoon merchants to warn clients that a spoon might hurt them, while ignoring the knife, drug and gun merchants. It's useless.

This uselessness, and its total ignorance of how the Internet works, is costing EU webmasters a lot of time and money. In my case I counted: about ten hours. For large companies it can be a lot more.

Why am I against this law? Why do I say it is useless?

It doesn't protect user privacy

Cookies are not the only way to track us. Modern methods use nothing but JavaScript (e.g. the Facebook 'like' button embedded on a page) and need not store any data in the user's browser.

Furthermore, the browser itself can be used to uniquely identify you: the combination of user agent, language, screen size, time zone and installed plugins and fonts that every browser reports is often unique, and none of it is stored on your machine. Test it
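To make the previous two points concrete, here is an added example (written for this page, not code from the original post): a site recognises a returning browser with no cookie or any other client-side storage, purely by hashing attributes the browser volunteers through JavaScript. The `navigator`/`screen` objects and the two visitors are constructed stand-ins so that it runs offline under Node; in a browser you would pass `window.navigator`, `window.screen` and `new Date().getTimezoneOffset()`.

```javascript
// Added example: browser fingerprinting without any client-side storage.
// VISITOR_A / VISITOR_B below are CONSTRUCTED sample browsers, not real data.

// FNV-1a (32-bit): a small non-cryptographic hash used here only to turn the
// attribute list into a compact identifier. A real tracker would use a
// stronger hash, but the identification principle is exactly the same.
function fnv1a32(str) {
  let h = 0x811c9dc5;
  for (let i = 0; i < str.length; i++) {
    h ^= str.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, '0');
}

// Attributes that are individually common but rarely identical in combination.
function fingerprintAttributes(nav, scr, tzOffsetMinutes) {
  return [
    nav.userAgent,
    nav.language,
    (nav.languages || []).join(','),
    nav.platform,
    String(nav.hardwareConcurrency || ''),
    Array.from(nav.plugins || [], p => p.name).join(','),
    `${scr.width}x${scr.height}x${scr.colorDepth}`,
    String(tzOffsetMinutes),
  ];
}

function browserFingerprint(nav, scr, tzOffsetMinutes) {
  return fnv1a32(fingerprintAttributes(nav, scr, tzOffsetMinutes).join('|'));
}

// Two constructed visitors: same browser build, different screen and time zone.
const VISITOR_A = {
  nav: {
    userAgent: 'Mozilla/5.0 (X11; Linux x86_64; rv:28.0) Gecko/20100101 Firefox/28.0',
    language: 'en-GB', languages: ['en-GB', 'en'], platform: 'Linux x86_64',
    hardwareConcurrency: 4, plugins: [{ name: 'Shockwave Flash' }],
  },
  scr: { width: 1920, height: 1080, colorDepth: 24 },
  tz: -60,
};
const VISITOR_B = { ...VISITOR_A, scr: { width: 1366, height: 768, colorDepth: 24 }, tz: 0 };

// "Recognise" returning visitors from a server-side table of fingerprints.
// Nothing is ever written to the browser; the state lives entirely server-side.
function recogniseVisitors(visits) {
  const seen = new Map(); // fingerprint -> label of the first visit
  const log = [];
  for (const [label, v] of visits) {
    const fp = browserFingerprint(v.nav, v.scr, v.tz);
    if (seen.has(fp)) {
      log.push(`${label}: returning (first seen as ${seen.get(fp)})`);
    } else {
      log.push(`${label}: new`);
      seen.set(fp, label);
    }
  }
  return log;
}

// Stand-alone run: the third visit is VISITOR_A again and is recognised.
console.log(recogniseVisitors([['a1', VISITOR_A], ['b1', VISITOR_B], ['a2', VISITOR_A]]));
```

Note what the cookie banner does for this: nothing. The consent cookie the law asks for is itself the only thing stored, and the tracking works without it.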

What's worse, it says nothing about doing analytics with personal data such as the IP address.

And how could we forget that it is the governments themselves who are spying on users? Why on Earth would we need cookie legislation if the UK and US just steal pictures from our webcams, data from our emails and information from our text messages?

Our legislators must be absolutely ignorant or absolute hypocrites to regulate cookies while governments spy on us. I'm not sure which one is worse.

Cookie management was solved 20 years ago

Let's assume that the previous reason wasn't valid. Let's assume cookies were a real menace to user privacy.

Well, this problem has been solved since IE4, when browsers introduced the cookie warning prompt.

Managing cookies in the browser is the best idea, for many reasons:

  • It is a single, central place to manage cookies.
  • It displays a common interface for all cookie warnings. With the current law, every website displays the notification in a different style and location: at the top, at the bottom, on a side, in a popup. Visitors don't know where to look for it.
  • We should trust user software rather than website policies. What if a website were using cookies to track me? Should I trust it? Would it solve anything for it to pay a fine after it has already stolen my data? Concerned people should use trusted browsers and, if possible, hardened open-source operating systems. To give an example, Facebook would earn more money by breaking this law and spying on us with cookies than it would pay in fines if caught.

It confuses users

I did a quick survey of some non-technical people, asking them if they had seen this "cookies notice". They said they had. I then asked them if they understood what it meant. They didn't.

Modern UIs have overwhelmed us with notification windows, to the point that we click "dismiss" without even looking at them. Yes, we should read the text, but the truth is that many people don't. Instead of arguing over what should be done, let's avoid contributing to the too-many-notifications problem and solve it in the browser.

By the way, I bet the most clicked control in IE6 was the "Accept all cookies, do not bother me again" checkbox.

It costs people a lot of pain and money

Let's imagine there are a million websites in the EU. Let's imagine every webmaster takes, on average, 8 hours to adapt each one to the new cookie law. Let's imagine the average webmaster costs 50€/hr.

This useless law has cost EU companies and individuals 400 million euros. Nice way to boost the internet economy.

Different countries have different requirements

In the UK, it is enough to provide a notice telling users that the website uses cookies.

About ten years ago, browser developers removed the UI indicator that told the user when cookies were received, because they thought there was not much to show. Now we have to implement it again, on a per-site basis. Outstanding, given that the cookie is set anyway.

Bad as that is, in Spain a website can't set cookies unless the user accepts them, either by scrolling or by clicking a link. At least the user is "protected" by default there, even though the technical solution is harder: every cookie-dependent script, analytics included, has to wait for that consent.

Helping the community

Angry as I am right now at having wasted ten hours of my life implementing a useless law, I thought the least I could do, besides writing a rage post, was to share my solution.

You can go to GitHub and download the sample I prepared. It's the same code you can see running here, if you noticed the banner. It might not be the best, but at least it gives webmasters a starting point: a PHP-free, 100% HTML+JavaScript routine to run all analytics and cookie-dependent code.

To summarize my implementation: it consists of a JavaScript file which handles the cookie banner, sets the actual cookie when the user gives consent, and also manages some exceptions. Unlike most of the solutions I found, which only display the banner, this code actually handles the cookies.
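The shape of such a consent gate, covering both the Spanish "no cookies until the user scrolls or clicks" rule described above and the "set the cookie, then run the cookie-dependent code" behaviour just summarized, as an added example written for this page (it is not the author's GitHub code and does not reproduce it). The cookie name `cookieconsent` is an assumption, and `FakeDocument` is a constructed stand-in for `document.cookie` so the logic runs under Node; in a browser you would pass `window.document` and wire `grant('click')` to the banner button and `grant('scroll')` to the first scroll event.

```javascript
// Added example: gate cookie-dependent code (analytics etc.) behind a consent
// cookie. Nothing registered through run() executes until consent exists.
const CONSENT_COOKIE = 'cookieconsent';      // cookie name: an assumption of this example
const CONSENT_MAX_AGE = 60 * 60 * 24 * 365;  // remember the decision for a year

// "a=1; b=2" -> { a: '1', b: '2' }. document.cookie only ever exposes
// name=value pairs, never attributes such as Path or Max-Age.
function parseCookies(cookieString) {
  const jar = {};
  for (const part of (cookieString || '').split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    if (name) jar[name] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return jar;
}

// String assigned to document.cookie. SameSite=Lax keeps the consent cookie
// out of cross-site requests; Secure is added when the site is served over https.
function buildCookie(name, value, maxAgeSeconds, secure) {
  let s = `${name}=${encodeURIComponent(value)}; Max-Age=${maxAgeSeconds}; Path=/; SameSite=Lax`;
  if (secure) s += '; Secure';
  return s;
}

function createConsentGate(doc, { secure = false } = {}) {
  const pending = [];  // cookie-dependent code waiting for consent
  const hasConsent = () => parseCookies(doc.cookie)[CONSENT_COOKIE] === 'yes';

  // Register cookie-dependent code (e.g. the analytics snippet). It runs now
  // if consent was given on an earlier visit, otherwise once grant() is called.
  function run(fn) {
    if (hasConsent()) fn(); else pending.push(fn);
  }

  // Record consent and release everything that was waiting. `source` is what
  // triggered it: 'click' on the banner, or the first 'scroll' (implied consent).
  function grant(source) {
    if (!hasConsent()) {
      doc.cookie = buildCookie(CONSENT_COOKIE, 'yes', CONSENT_MAX_AGE, secure);
    }
    const released = pending.length;
    while (pending.length) pending.shift()();
    return { source, released };
  }

  return { hasConsent, run, grant, pendingCount: () => pending.length };
}

// Constructed stand-in for a browser's document.cookie (not a full
// implementation): assigning sets one cookie, reading joins them all.
class FakeDocument {
  constructor() { this.jar = new Map(); }
  get cookie() { return [...this.jar].map(([k, v]) => `${k}=${v}`).join('; '); }
  set cookie(str) {
    const nameValue = str.split(';')[0];
    const idx = nameValue.indexOf('=');
    this.jar.set(nameValue.slice(0, idx).trim(), nameValue.slice(idx + 1).trim());
  }
}

// First visit: analytics is queued, the banner would be shown, the user
// scrolls (implied consent), analytics runs and the consent cookie is set.
function demoFirstVisit() {
  const doc = new FakeDocument();
  const gate = createConsentGate(doc, { secure: true });
  const events = [];
  gate.run(() => events.push('analytics started'));  // would be the real GA snippet
  const before = gate.pendingCount();                 // 1: nothing has run yet
  gate.grant('scroll');
  return { before, after: gate.pendingCount(), events, cookie: doc.cookie, consented: gate.hasConsent() };
}

// Return visit: the consent cookie already exists, so the code runs immediately.
function demoReturnVisit() {
  const doc = new FakeDocument();
  doc.cookie = buildCookie(CONSENT_COOKIE, 'yes', CONSENT_MAX_AGE, true);
  const gate = createConsentGate(doc);
  let ran = false;
  gate.run(() => { ran = true; });
  return { ran, pending: gate.pendingCount() };
}

console.log(demoFirstVisit(), demoReturnVisit());
```

Two practical caveats the banner-only solutions miss: anything loaded statically in the page (the analytics `<script>` tag, an embedded widget) sets its cookies before any banner is seen, so it has to go through `run()` rather than be included directly; and the consent cookie is the one cookie you are allowed to set without consent, so keep it minimal (a flag, not an identifier).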

Check it out, and please, feel free to send pull requests and discuss its issues.

Final thoughts

I think my points are quite valid, and this is actually a useless and annoying law that serves no purpose and costs money. If the regulators had consulted a competent panel, they would have learned that the cookie law does not serve their noble intention of protecting users.

The root problem, again, is that our politicians don't have the slightest idea of how the internet works. These are the same guys who now must decide on the fate of the internet as we know it.

I don't know about you, but I lost all my hopes long ago.

Did my code save you any time and money? Please donate it to the EFF.

Tags: law, web
