As the Cookie Crumbles: Europe’s New Data Privacy Law

A European law concerning data privacy was voted through by the European Council on 24 November last year; it will be enforced across all 27 Euro states by April, 2011.

Seven months on it is still causing debate and controversy amongst the online community. And more recently Europe’s privacy watchdog, The Article 29 Working Party, has published its interpretation of the new law stating cookie consent can’t be implied by browser settings, meaning that advertisers are wrong to say that websites can comply with the law by relying on a user’s cookie settings.

So just what does this mean for site owners?

Browser Cookies Defined
Basically, a cookie is a text file, so it isn’t able to ’do’ anything: it can’t read your system or watch what you do, nor does it record anything. As far as your system is concerned, cookies are read-only files, similar to a Word document.

They are only ever edited via your web browser by the site which created them. Cookies are generally encrypted and usually only contain a unique identifier. The main thing to remember about cookies is that they don’t contain any information which you didn’t already provide to the website.

Cookies and Clubcards
Take a real life example like the Tesco Clubcard. This uniquely identifies you and tells Tesco everything that you have ever bought when you have used the loyalty card in-store.

However, Tesco can’t use it to tell if you have been into Sainsbury’s, how much you have spent there, or what your dog’s name is! In the situation that someone steals your wallet containing your Clubcard, they get a card with a unique number which is useless to them.

Cookies are identical to the Clubcard in this sense, yet how many people really panic about having a Tesco Clubcard?

“Oh, It’s You Again!”
Cookies are simply used so websites can say ’Oh, it’s you again,’ and remember things; in the case of Google this might be your search preferences, or Amazon might remember your shopping cart (once you have logged into the site) so you don’t receive recommendations for items you’re not even remotely interested in, say the new Saturdays album in my case.

There is nothing really sinister about what a cookie can do; they store the information which you told the site in the first place.

Much of the superstition surrounding cookies is due to lack of understanding of their real benefits. The impending legislation means that cookies can only be set with prior consent of the visitor or ’data subjects’ as we’re fondly referred to by the EU Working Party. European companies will need to ask consumers’ permission to set a cookie. If you say ’yes’ then the site will set a cookie and off you go.

Cookies Often Needed for Critical Functionality
When cookies are required for business-critical tasks, like maintaining your shopping cart, a problem arises if you say ’no’ to cookies. Cookies are the only way that websites can ’remember’, and since you told the website that it can’t set one, the next time you visit it will need to ask you for the same information again, and again, and again: the same questions every time you visit the site.

Even worse, according to the letter of the law (or at least the new directive), this has to happen every time you visit a site.

You could start your visit to a site on one of its many pages, and if you’ve opted against the cookie, the site is going to have to ask you on every page of the site, since it has no way of remembering that you said ’no’ on the previous page. It sounds laborious doesn’t it?

Three Alternatives, All Bad
The potential issues with cookies have been known within the industry for some time. Several alternatives have been suggested; all fall foul of the directive, which uses the terms ’the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user’.

Like a Fighting Fantasy role-playing novel from back in the 80s, site owners have one of three choices:

1. Stop using cookies. OK, but all of your analytics (and those of your partners) will suffer a major drop-off in accuracy. You can kiss goodbye to any affiliate income, and probably to any kind of quality advertising income. If that’s your model, you will be back to blanket coverage, instead of any kind of targeting. Additionally, lots of visitors are actually going to be puzzled and confused about why you no longer remember them and why the site ’doesn’t work properly’ any more.

2. Implement cookies as normal, but ask every visitor if they consent. Assure those visitors who get horribly annoyed by the fact that your site has become unusable that this is so that you can comply with EU legislation.

3. Use other information. Research by the Electronic Frontier Foundation has shown that information readily available from the browser, such as version, plug-ins and more, can uniquely identify many visitors — upwards of 80% — without the need for cookies. Since this information is passed by the browser automatically (unless the user chooses to block it) and doesn’t require anything to be stored on the user’s machine, you wouldn’t need to get consent. The problem with this is that it shows the short-sightedness of the legislation; this approach clearly doesn’t break the letter of the law, but it is questionable whether it adheres to the spirit.
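The cookie-free identification described in option 3, as an added example that is not part of the original article or the EFF research. It measures how many visitors in a small constructed sample become unique as browser-supplied attributes are combined; the attribute names, the sample values and the helper functions are all assumptions made for illustration.

```python
import hashlib
import math
from collections import Counter

# Constructed sample of eight visitors (all values made up). Each tuple holds
# attributes a browser reveals without any cookie being stored:
# (user agent, plug-in list, screen size + timezone).
VISITORS = [
    ("Firefox/3.6 Windows", "Flash 10.1; Java 1.6", "1280x800 UTC+0"),
    ("Firefox/3.6 Windows", "Flash 10.1; Java 1.6", "1440x900 UTC+1"),
    ("Firefox/3.6 Windows", "Flash 10.0", "1280x800 UTC+0"),
    ("IE/8.0 Windows", "Flash 10.1", "1024x768 UTC+0"),
    ("IE/8.0 Windows", "Flash 10.1", "1024x768 UTC+0"),
    ("IE/8.0 Windows", "Flash 10.1; Silverlight 4", "1280x1024 UTC+1"),
    ("Safari/5.0 Mac", "Flash 10.1; QuickTime 7", "1440x900 UTC+0"),
    ("Chrome/5.0 Windows", "Flash 10.1", "1280x800 UTC+0"),
]


def fingerprint(attrs):
    """Identifier derived only from browser-supplied attributes."""
    joined = "\x1f".join(attrs)  # unit separator avoids ambiguous joins
    return hashlib.sha256(joined.encode("utf-8")).hexdigest()[:16]


def unique_fraction(visitors, n_fields):
    """Share of visitors whose first n_fields attributes match nobody else."""
    keys = [v[:n_fields] for v in visitors]
    counts = Counter(keys)
    return sum(1 for k in keys if counts[k] == 1) / len(keys)


def entropy_bits(visitors, n_fields):
    """Shannon entropy, in bits, of the combined attribute distribution."""
    counts = Counter(v[:n_fields] for v in visitors)
    total = len(visitors)
    return -sum(c / total * math.log2(c / total) for c in counts.values())


if __name__ == "__main__":
    for n, label in enumerate(("user agent", "+ plug-ins", "+ screen/tz"), 1):
        print(f"{label:12} unique={unique_fraction(VISITORS, n):.0%} "
              f"entropy={entropy_bits(VISITORS, n):.2f} bits")
```

Blocking cookies changes none of these inputs; only reducing the number of distinguishing attributes the browser exposes lowers the figures.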

Cookies are essentially benign and their use is typically beneficial or at least neutral to the visitor.
It would be fantastic if the future were as simple as a Fighting Fantasy novel, where we could see the impact of today’s decisions on the future. That isn’t possible, and on a cold prediction it increasingly looks as though this recent legislation will render cookies unusable, which will have serious implications for doing business in a digital environment.

(This article was originally published in Marketing Week, UK on July 9th. And yes, I was tempted to make a joke in the headline about translating “cookie” to “biscuit.” But everyone knows that those jokes are better placed in the editor’s note at the end. -Ed.)

  • http://www.webtrends.com Conrad Bennett

    @Nikola: Thanks for the comments.

    The article was written with a marketing, analytics or general consumer audience in mind, so while I appreciate your comments about some of the technical aspects, it wasn’t my intention to go into that level of detail.

    1) Encrypted should really say ‘cryptic’ – i.e. they don’t generally contain clear text values which would make sense to an average visitor.

    2) You make a very valid point about session riding, however as this relies on other compromises to browser security to be used (i.e. XSS or similar), it’s likely to be a very minimal threat to the vast majority of users. Which is not to dismiss it, but cookies in that context are no more dangerous than a password – the fact that the password can be harvested by malicious code is a weakness of the browser/application, not the use of passwords.

    3) Again, you make a valid point about logged-in visitors. However before logging in, cookies are by far the most common method used to ‘remember’, particularly across sessions.

    4) It will be interesting to see how the whole web design and development community responds to the challenge – however, with the recent legal challenges to Flash LSO use, and with the (I suspect deliberately) generic wording of the EU legislation, it’s going to keep people busy for a while, and at this point not many are rushing to deal with it.

    Thanks again for the input!

  • http://enikola.de Nikola

    P.S. Just to clarify. The core of WordPress itself might not be prone to XSS, but WordPress’ plugins are.

  • http://enikola.de Nikola

    I’m sorry, but this is a poor article with false statements. I doubt the author ever bothered to research the technical aspects of cookies.

    1) Cookies are not encrypted, unless the web site applies some sort of a symmetric encryption, which is a very expensive task that would degrade performance. Therefore web sites don’t implement encryption. And yes, cookies may contain whatever information the web site wants, cookies are not restricted to session identifiers, nor to salt random strings.
    2) I guess the author never heard of “session riding” and “session fixation”. Both attacks rely on stealing a user’s cookies. So, yes cookies are dangerous if a web site doesn’t apply protective measures against XSS, which is quite often the case. WordPress, the very engine you’re running your blog on, isn’t protecting you against session riding.
    3) Once a user is logged in, the web site can very well “remember” every single choice the user makes. The statement in the article is complete BS. Cookies may not be used for storing sensitive information and web developers are aware of that, at least the good ones. A web site’s “memory” can be completely cookie-free.
    4) It is true, having no cookies would break current analytics and user tracking tools. But rest assured engineers are smart people and they will find another way of implementing those tools.

    There are also other wrong statements in the article, but right now I don’t have even the slightest intention to point out every single one of them. Looks to me the article is written by a person scared to lose his job because without cookies web analytics tools are useless.

  • http://www.mackerelmedia.co.uk Nick Craig

    I find it rather ironic that on the day I read your article about the EU’s (rather misguided) attempts to improve privacy, the Guardian publishes an article setting out just how easy it is to stalk someone on Foursquare, or rather just how willing the general public is to give away private details to the world at large.

    Whilst I don’t disagree with the laudable principle of protecting data, particularly in light of some very worrying recent incidents, it seems crazy to implement a ‘ban’ (I know that’s not strictly the case) on the use of cookies to solve a privacy problem. What’s next? Stop credit card fraud by banning credit cards? Surely we’re better to have more effective policing.

  • http://www.webtrends.com Conrad Bennett

    @Nick: That’s actually the link to the original legislation from 2002, it has since been modified and that clause is no longer valid except for specific examples such as Shopping Carts. Persistent logins for e.g. Banking applications should still be permitted, but other uses have been specifically called out as not appropriate, including behavioural tracking.

  • Nick P

    Come on Conrad – we all know you’ve got everything the Saturdays have ever recorded!

    However on a serious note, I’m not sure this is such a problem. Point 25 in the above linked law states:

    Where such devices, for instance cookies, are intended for a legitimate purpose, such as to facilitate the provision of information society services, their use should be allowed on condition that users are provided with clear and precise information in accordance with Directive 95/46/EC about the purposes of cookies or similar devices so as to ensure that users are made aware of information being placed on the terminal equipment they are using. Users should have the opportunity to refuse to have a cookie or similar device stored on their terminal equipment.

    Reading the above I don’t see how this is going to change things from today. Companies can claim storing the cookie is a requirement for providing personalised information, include details in the site’s privacy policy (as they should now) and include details/a link on how to block cookies in case the user wants to do that.

  • http://www.menggoh.com Meng Goh

    The impact will be beyond web analytics, also publishers depending on advertising revenues. The core of the ads money making is based on the ability to add value to the inventories (aka behavioral targeting). Inability to use cookie = complex algorithm to find “you”, and very fast processing to serve relevant ads. We just have to keep pushing innovation as cookies are dying, not to mention horribly inaccurate for any sort of longitudinal studies.