Shortbread cookies lined up on a wooden picnic table - Cookie consent concept
PHOTO: Shutterstock

If there is one common element that is annoying the users of our many diverse websites as we glide into 2020, it's the proliferation of cookie-consent alert banners that have been put into effect. The alerts have been triggered by two iterations of privacy laws enacted in the Europe Union, the latest of which was enacted in 2018 and is entitled the General Data Protection Regulation or GDPR, along with an upcoming law called the California Consumer Privacy Act or CCPA. The issues talked about in this recent article illustrate why there is a need for greater concern over privacy issues, and are the exact reason why legislation has been passed that addresses the use of cookies being used to create user profiles that are then used for targeted advertising, and the problems that can ensue. The alert banners that are now so prolific are a somewhat feeble attempt to comply with these regulations without being overly intrusive, but unfortunately, they are still somewhat obnoxious and are not very effective.

The GDPR reiterates the regulations concerning the use of cookies mentioned in 2002's ePrivacy Directive (EPD), which itself was updated in 2009, and was scheduled to be replaced in 2018 by an updated and expanded version of the EPD entitled the ePrivacy Regulation (EPR).

GDPR and Cookies

The GDPR only mentions cookies in one paragraph, identifying how they may be used as tracking devices to associate a person with their website travels and thus abuse their privacy through the creation of a usage profile, “Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.”

The GDPR implies that one must “document and store consent received from users,” but as it is almost impossible to “store consent” from casual users, many websites have complied by simply placing the cookie-alert banner intrusively on the page, with the consent being given by simply clicking to make the alert banner disappear. The GDPR also implies that a website must “allow users to access your service even if they refuse to allow the use of certain cookies.“ In most cases, a user's web browser settings are considered an acceptable means of withdrawing or refusing consent, and if they refuse to agree to the cookie-consent banner, they are still generally able to view the page, albeit with an annoying cookie-consent banner at the bottom of it.

Related Article: GDPR: What You Need to Know About the Right to Erasure

ePrivacy Directive (EPD)

The EPD was much more specific, and specified the rules that must be followed for tracking, confidentiality and monitoring, again requiring a person to provide informed consent before cookies are served to their device — and they must be informed if the cookies are going to be used for tracking. If the cookies are not to be used for tracking or profiling, but rather are a provision of the service of the website, are used for statistics by the website or a third-party statistic service such as Google Analytics, they are exempt from the consent requirement — but the user still needs to be informed of the use of cookies via a cookie policy. This is usually accomplished via a link to the cookie policy within the cookie-consent banner.

CCPA

California's CCPA, which is likely to be enacted in 2020, further strengthens the European Union's regulations, and has the same sort of restrictions concerning the use of “unique identifiers” such as cookies and IP addresses, as well as the notification requirements and opt-in/out functionality of the GDPR and EPD.

Related Article: Why GDPR Is Still Creating Problems in the Enterprise

GDPR Compliance Industry?

A proliferation of GDPR-compliance companies have sprung up, complete with compliance tests on their sites and what they are calling "cookie management solutions" via scripts, plugins and services to ensure that a website is in compliance with both the GDPR and EPD without being overly intrusive.

Final Thoughts

From a user's perspective, most of this is irrelevant. Their experience is slightly marred by the use of such alert banners, but just as with intrusive overlay ads on website and video ads within YouTube videos, users have adapted to the indignity and annoyance factor. From a business perspective, however, it makes sense to ensure that as long as we’re protecting our user’s privacy as well as covering the requirements of the GDPR and EPD, we do so in a manner that doesn’t drive them away from our content, and the cookie-alert banners so far seem to be the best compromise. In the long run, the privacy regulations will only keep coming, and we will either be in compliance or face major fines for not being compliant.