EU ePrivacy Law

Google is to restrict web pages from loading 3rd party profiling cookies when accessed via its Chrome browser. Many large websites, eg major newspapers make a call to hundreds of 3rd part profilers to allow them to build up a profile of people's browsing history, which then facilitates personalised advertising.

Now Google has said that it will block these third-party cookies within the next two years.

Tracking cookies are very much in the sights of the EU who are trying to put an end to the exploitative practise. However the EU is not willing to actually ban such practises, but instead has invented a silly game about websites obtaining consent for tracking cookies.

The issue is of course that a lot of 'free' access websites are funded by advertising and rely on the revenue from the targeted advertising. I have read estimates that if websites were to drop personalised ads, and fall back on contextual advertising (eg advertising cars on motoring pages), then they would lose about a third of their income. Surely a fall that magnitude would lead to many bankrupt or unviable websites.

Now the final position of the EU's cookie consent game is that a website would have to present two easy options before allowing access to a website:

• Do you want to allow tracking cookies to build up a database of your browsing history
• Do you NOT want to allow tracking cookies to build up a database of your browsing history

The simple outcome will be that virtually no one will opt for tracking, so the website will lose a third of its income. So it is rather unsurprising that websites would rather avoid offering such an easy option that would deprive them of so much of their income.

In reality the notion of consent it not practical. It would be more honest to think of the use of tracking cookies as a price for 'free' access to a website.

Perhaps when the dust has settled, a more honest and practical endgame would bea  choice more like:

• Do you want to allow tracking cookies to build up a database of your browsing history in return for 'free' access
• Do you want to pay a fee to enable access to the website without tracking cookies
• Sorry you may not access this website

The EU has been complaining about companies trying to avoid the revenue destroying official consent options. A study just published observes that nearly all cookie consent pop-ups are flouting EU privacy laws.

Researchers at the Massachusetts Institute of Technology, University College London (UCL) and Aarhus University have conducted a joint study into the use of cookies. They analysed five companies which offer consent management platforms (CMP) for cookies used by the UK's top 10,000 websites.

Despite EU privacy laws stating that consent for cookies must be informed, specific and freely given, the research suggests that only 12% of the sites met the minimal requirements of GDPR (General Data Protection Regulation) law. Instead they were found to blanket data consent options in complicated site design, such as:

• pre-ticked boxes burying decline buttons on later pages multiple clicks tracking users before consent and after pressing reject
• Just over half the sites studied did not have rejecting all tracking as an option.
• Of the sites which did, only 13% made it accessible through the same or fewer clicks as the option to accept all.

The researchers estimate it would take, on average, more than half an hour to read through what the third-party companies are doing with your data, and even longer to read all their privacy policies. It's a joke and there's no actual way you could do this realistically, said Dr Veale.

White Rabbit: The EU Council is now in session. Dormouse: Anyone for a magic cookie. If you accept it you will be devoured by evil giants, if you decline, your community will be visited by pestilence and famine. Alice: That is an impossible choice. Mad Hatter: Only if you believe it is. Everyone wants some magical solution for their problem and everyone refuses to believe in magic. Alice: Sometimes I've believed in as many as 6 impossible things before breakfast. Mad Hatter: And we've legislated them into EU law by lunch

European lawmakers (including judges) seem to live in an Alice in Wonderland world where laws are made up on the spur of the moment by either the Mad Hatter, or the Dormouse. No thought is given to how they are supposed to work in practice or how they will pan out in reality.

For some reason EU lawmakers decided that the technology of internet cookies personified all that was bad about the internet, particularly that it is largely offered for 'free' whilst in reality being funded by the invasive extraction and exploitation of people's personal data.

Justifiably there is something to be legislated against here. But why not follow the time honoured, and effective, route of directing laws against the large companies doing the exploiting. It would have been straightforward to legislate that internet companies must not retain user data that defines their behaviour and personal information. The authorities could back this up by putting people in prison, or wiping out companies that don't comply with the law. 

But no, the EU came up with some bizarre nonsensical requirement that does little but train people to tick consent boxes without ever reading what they are consenting to. How can they call this data protection? It's data endangerment.

And unsurprisingly the first wave of implementation by internet companies was to try and make the gaining of consent for tracking cookies a one sided question, with a default answer of yes and no mechanism to say no.

Well it didn't take long to see through this silly slice of chicanery, but that doesn't matter...it takes ages for the EU legal system to gear up and put a stop to such a ploy.

So several years on, the European Court of Justice has now ruled that companies should give real options and should not lead people down the garden path towards the option required by the companies.

In an excellent summary of this weeks court judgement, the main court findings are:

• pre-ticked boxes do not amount to valid consent,

• expiration date of cookies and third party sharing should be disclosed to users when obtaining consent,

• different purposes should not be bundled under the same consent ask,

• in order for consent to be valid 'an active behaviour with a clear view' (which I  read as 'intention') of consenting should be obtained (so claiming in notices that consent is obtained by having users continuing to use the website very likely does not meet this threshold) and,

• these rules apply to cookies regardless of whether the data accessed is personal or not.

pdpecho.com commented on what the court carefully decided was the elephant in the room, that would be better not mentioned. ie what will happen next.

The latest court judgement really says that websites should present the cookie consent question something like this.

Website cookie consent
☐ YES	I consent to this website building a detailed profile of my browsing history, personal information & preferences, financial standing and political leaning, to be used to monetise this website in whatever way this website sees fit.
☑ NO	No I  do not consent

Now it does not need an AI system the size of a planet to guess which way internet users will then vote given a clearly specified choice.

There is already a bit of discussion around the EU tea party table worrying about the very obvious outcome that websites will smply block out users who refuse to sign up for tracking cookies. The EU refers to this as a cookie wall, and there are rumblings that this approach will be banned by law.

This would lead to an Alice in Wonderland type of tea shop where customers have the right to decline consent to be charged the price of a chocolate chip cookie, and so can enjoy it for free.

Perfect in Wonderland, but in the real world, European internet businesses would soon be following in the footsteps of declining European high street businesses.

The so called cookie law, a moniker for the proposed new EU ePrivacy regulation due to come into play before the year is out, is expected to severely impact the use of cookies online and across digital marketing. As such, it could pose an even bigger test to businesses than GDPR . It's a regulation that will create a likely deficit in the customer information they collect even post-GDPR.

Current cookie banner notifications, where websites inform users of cookie collection, will make way for cookie request pop-ups that deny cookie collection until a user has opted in or out of different types of cookie collection. Such a pop-up is expected to cause a drop in web traffic as high as 40 per cent. The good news is that it will only appear should the user not have already set their cookie preferences at browser level.

The outcome for businesses whose marketing and advertising lies predominantly online is the inevitable reduction in their ability to track, re-target and optimise experiences for their visitors.

...

For any business with a website and dependent on cookies, the new regulations put them at severe risk of losing this vital source of consumer data . As a result, businesses must find a practical, effective and legal alternative to alleviate the burden on the shoulders of all teams involved and to offset any drastic shortfall in this crucial data.

....

Putting the power in the hands of consumers when it comes to setting browser-level cookie permissions will limit a business's ability to extensively track the actions users take on company websites and progress targeted cookie-based advertising. Millions of internet users will have the option to withdraw their dataset from the view of businesses, one of the biggest threats ePrivacy poses.

...Read the full article from smallbusiness.co.uk