Sane GDPR cookie management02 May 2022
I have been working on GDPR-related issues recently, and I need to vent a little. While it might be a good thing that the privacy concerns, that led to GDPR, were raised by lawyers, unfortunately the implementation was left to lawyers, too. Let me rant first and talk about a solution afterwards.
Cookie banners and popups
<rant> Who in their right mind would look at the issue of cookie consent and come up with the most awful of web inventions: modal popup windows, that can only be removed by scrolling down to the button that says ‘Consent’ next to a button that says ‘Consent, but in detail’? What mix of ignorance and misanthropy is required for this to be the state-of-the-art in cookie management?
Why, during the implementation phase of GDPR, didn’t anyone listen to just about any web professional that could have told them: ‘this is going to be a disaster for companies, for web designers, for web masters, and most importantly, also for users.’?
I’m imagining it was a solution put forward by lawyer offices and consultancy companies, that could already hear the opening of thousands of legal and marketing departments’ wallets all over the world, scared by this new European tsunami of Fear, Uncertainty and Doubt. “What are these cookies? Are we using cookies? Yes? Aaaaaarhg! Just throw money at it, so it goes away!”
Adding to this FUD atmosphere is an avalanche of GDPR-related lawsuits and fines in almost every European country. Dailybits has a nice overview (NL). Some of those cases tackle real problems (direct marketing to minors), some I would categorize as ‘petty’.
This quote of Ethan Zuckerman words it very well:
It’s obvious now that what we did was a fiasco, so let me remind you that what we wanted to do was something brave and noble.
if … was implemented like GDPR cookie management
- problem: too many people are dying in car accidents, we have to make it safer to drive.
- engineers: let’s create the 3-point safety belt (thank you, Volvo ), and make people always wear it. Let’s design the car in such a way that it can absorb the energy of a crash without harming the driver.
- GDPR: “let’s make a button in the rear trunk that says ‘I will drive carefully’, and before every drive, the driver has to push it twice. The max allowed speed is 50 km/hr and if the driver has an accident while going faster, the car dealer pays for all damages.”
Credit card security
- problem: credit card numbers can be stolen, too many fraudulent payments have to be cancelled and reimbursed.
- engineers: use public key cryptography and execute it on a tamper-proof chip inside the credit card that can only be accessed with a pincode and/or biometric authentication.
- GDPR: “so, every time you want to make a payment to a new entity, you first have to read their annual statement, if you like it, call your bank to declare them as a new payee, and then you get a 19-digit pincode specifically for this payee. If there’s a typo in the annual statement, the bank burns down the payee’s offices.”
Sensible cookie management
in the browser
Well obviously, the logical place to manage cookies is in the browser. The browser receives cookies from web servers and can decide to save them or not, and to present them to the same/other servers or not. Just like password management, cookie management should be built into the browser.
Oh wait, it is.
All browsers have cookie management built in. The EU only needs to instruct Google (Chrome), Microsoft (Edge), Mozilla (Firefox), Apple (Safari) and some smaller vendors, how they want cookie management implemented. All browser vendors want to offer privacy protection, even Google. Why choose to burden millions of web masters if it can be fixed in the browser? Cookies are a technical HTTP implementation detail. There is as much need for cookie consent as there is for IP address consent, DNS consent or User-Agent consent.
Let’s have 4 settings:
- PARANOID: no cookies whatsoever. You won’t be able to log in anywhere, some sites might not work, but at least you don’t have to worry about a cookie.
- CAREFUL: no third-party cookies. You can log in, but no tracking.
- DEPENDS: no third-party cookies in Incognito mode. You can log in, you can be tracked, except if you decide to go Incognito.
- IDGAF: all cookies allowed.
Default mode is e.g. DEPENDS. And allow different rules for certain websites.
Oh wait, that’s what we have.
Would the EU want a more fine-grained distinction than just incognito/normal? Would they like a button just 1 click away, not hidden in the settings? Just ask the browser vendors.
Instead, we have JS plugins that allow one to view a list of all cookies, and companies can charge silly amounts to use them. The only people who click the ‘detailed overview of all cookies’ for a website are:
- paranoid people, who would put their browser in PARANOID mode anyway.
- the various ‘cover-your-*ss’ actors: DPOs, web masters, legal counsel, consultants
- the various national authorities, hunting for a missed cookie.
Nobody else cares.
popups are evil
Popups are considered bad for advertising, they remain bad for cookie consent. Look at what these popups do on a mobile screen.
At least on a laptop, I can install a plugin I don’t care about cookies to enjoy my web browsing as it was intended. This should be built in to the browser, also the mobile browser.
My conclusion: the current accepted solution for GDPR-compliant cookie management/consent is a nightmare from technical and user experience point of view. Only a lawyer can look at this mess and say: yes, this is what we were looking for.
I would love to see a return to sanity, where the EU sits down with browser vendors and website builders, develops cookie consent specifications that protect users’ privacy, immediately work with any existing and future website without clumsy plugins nor cookie banners and leaves the choice to the end-user to easily decide how paranoid they want to be. Software should not be specified by lawyers.