Sharp observers may have noticed that most notices don’t give you any other option anyway. There’s not usually a cookie-free version of the site or an item-by-item menu where you can adjust your preferences. In a word, your clicks on simple “cookie disclaimer” boxes don’t actually do much. That might change in the future, though, as active “cookie consent” forms are now the EU’s legal standard.

What are cookies, and why are we worried about them?

Browser cookies are simply text files that get stored in your browser when you visit a website so it can keep track of what you’re doing as you move around. Less fun than edible cookies. Some, called “technical cookies,” are pretty crucial to most modern websites since, without them, it would be pretty difficult for the site to do things like save your cart, keep you logged in on different pages, remember your preferences, etc. Let’s call these cookies “chocolate chip,” since you can safely assume that pretty much everyone wants them. The EU’s data laws don’t limit these. The analytics and tracking cookies, though, are more like oatmeal-raisin: given the choice, you probably wouldn’t eat them, but the people who make them really like them and keep trying to trick you into taking some. These cookies are there to collect data about you and report it to an interested party. That can be the site itself or third parties like Google, Facebook, Disqus, and any number of other advertisers looking to learn more about you and your behavior. These are what the EU is targeting. These cookies aren’t vital to site functionality, but they do provide important information for sites and companies, as they help monitor how users interact with products, services, and site elements. Tracking cookies are also very important to companies whose business models rely on knowing how to sell you stuff (i.e., advertising), which is what rubs a lot of privacy-conscious users the wrong way.

According to European privacy laws (GDPR, ePrivacy, etc.), sites that put non-essential cookies in your browser technically have to ask you to consent before they do it. Some cookie consent boxes do work this way, but most of them currently load the cookies without permission and then let you know they exist after the fact. A cookie consent button with actual functionality is the exception rather than the norm. In fact, a 2019 study by a team of researchers from Ruhr University Bochum (Germany) and the University of Michigan (US) found that 86% of surveyed sites offered no options other than a confirmation button (like “Accept”) that didn’t affect the cookies on the site at all. They also found that most sites were trying to nudge users toward consenting, and very few gave users a way to opt out short of leaving the site completely. In short, most cookie consent boxes are, as of right now, not keeping sites from tracking you with cookies. If they provide an interface where you can set your cookie preferences, they’re probably GDPR-compliant, but if they just have a box with a highlighted “Accept” button, you probably can’t avoid cookies without installing some sort of browser extension or just exiting the site.
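One way to check whether a site sets cookies before you have clicked anything, shown as an added example that is not part of the original article: parse the Set-Cookie headers captured from the first page load and report every cookie outside the site's declared technical set. The ESSENTIAL allowlist, the hosts, and the sample headers are constructed assumptions, and first-party matching here is a plain hostname suffix check rather than a public-suffix lookup.

```javascript
// Hypothetical allowlist: the "technical" cookies the site says it needs.
const ESSENTIAL = new Set(["session_id", "cart", "csrf_token"]);

// Constructed sample: responses seen on first load, before any consent click.
const SAMPLE = [
  { host: "shop.example", setCookie: "session_id=abc123; Path=/; HttpOnly; Secure" },
  { host: "shop.example", setCookie: "visitor=7f3a; Max-Age=63072000; Path=/" },
  { host: "ads.tracker.example",
    setCookie: "uid=99; Expires=Wed, 01 Jan 2031 00:00:00 GMT; SameSite=None; Secure" },
];

// Split one Set-Cookie header value into its name, value and attributes.
function parseSetCookie(line) {
  const [pair, ...attrs] = line.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = {
    name: eq === -1 ? "" : pair.slice(0, eq),
    value: eq === -1 ? pair : pair.slice(eq + 1),
    attrs: {},
  };
  for (const a of attrs) {
    const i = a.indexOf("=");
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : a.slice(i + 1);
  }
  return cookie;
}

// Return every non-essential cookie that was set without consent.
function auditPreConsent(siteHost, responses) {
  const findings = [];
  for (const { host, setCookie } of responses) {
    const c = parseSetCookie(setCookie);
    if (ESSENTIAL.has(c.name)) continue; // technical cookie, not in scope
    const h = host.toLowerCase();
    const firstParty = h === siteHost || h.endsWith("." + siteHost);
    findings.push({
      name: c.name,
      setBy: h,
      // Max-Age or Expires means the cookie outlives the browser session.
      persistent: "max-age" in c.attrs || "expires" in c.attrs,
      thirdParty: !firstParty,
    });
  }
  return findings;
}

console.log(auditPreConsent("shop.example", SAMPLE));
```

An empty result on a first visit is what a consent box that actually gates cookies should produce.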

All the rules and regulations get pretty confusing, but here are the broad strokes.

2002: The ePrivacy Directive requires EU-based sites to get user consent before serving them cookies. Eventually, this turns into the “Hey, we use cookies” banners and pop-ups we all know and love today.

2018: GDPR comes into force and starts imposing consequences for non-compliance. Sites come under more pressure to get active consent from users rather than just warning them.

2019: Europe’s top court rules that pre-checked boxes in cookie consent forms don’t constitute consent, meaning sites now legally have to get people to actively consent to cookies, no tricks. Ironically, at the time, the court’s own website wasn’t compliant with this rule, which tells you something about how this is being implemented.

Legally, sites that aren’t in compliance with these rulings are supposed to get in line ASAP. In reality, these requirements will put an extra burden on sites that, if past implementation rates are any indicator, won’t lead to very quick adoption. That’s probably due in no small part to the fact that cookies are a great way to check up on how users are interacting with a site, which can translate directly into better sites and higher profits. There’s quite a bit of concern that overly-rigorous regulations could be quite onerous for sites and could also negatively affect user experience. That’s why there’s some noise about possibly putting settings in browsers that sites can detect and automatically make adjustments for, which would be a much more streamlined solution. Ultimately, though, the whole cookie debate might prove moot. If cookies become an untenable tracking option, we may start seeing the spread of harder-to-block methods like browser fingerprinting. Workarounds and innovations often get standardized if there isn’t a better solution, and cookies and user tracking probably won’t be an exception.