Sane GDPR cookie management

I have been working on GDPR-related issues recently, and I need to vent a little. While it might be a good thing that the privacy concerns -that led to GDPR- were raised by lawyers, unfortunately the implementation was left to lawyers, too. Let me rant first and talk about a solution afterwards.

when the cure kills the patient <rant> Who in their right mind would look at the issue of cookie consent and come up with the most awful of web inventions: modal popup windows, that can only be removed by scrolling down to the button that says ‘Consent’ next to a button that says ‘Consent, but in detail’? What mix of ignorance and misanthropy is required for this to be the state-of-the-art in cookie management?

Why, during the implementation phase of GDPR, didn’t anyone listen to just about any web professional that could have told them: ‘this is going to be a disaster for companies, for web designers, for web masters, and most importantly, also for users.’?

I’m imagining it was a solution put forward by lawyer offices and consultancy companies, that could already hear the opening of thousands of legal and marketing departments’ wallets all over the world, scared by this new European tsunami of Fear, Uncertainty and Doubt. “What are these cookies? Are we using cookies? Yes? Aaaaaarhg! Just throw money at it, so it goes away!

Adding to this FUD atmosphere is an avalanche of GDPR-related lawsuits and fines in almost every European country. Dailybits has a nice overview (NL). Some of those cases tackle real problems (direct marketing to minors), some I would categorize as ‘petty’.

This quote of Ethan Zuckerman words it very well:

It’s obvious now that what we did was a fiasco, so let me remind you that what we wanted to do was something brave and noble.

Car safety

Credit card security


in the browser

Well obviously, the logical place to manage cookies is in the browser. The browser receives cookies from web servers and can decide to save them or not, and to present them to the same/other servers or not. Just like password management, cookie management should be built into the browser.

Oh wait, it is. Chrome cookies

All browsers have cookie management built in. The EU only needs to instruct Google (Chrome), Microsoft (Edge), Mozilla (Firefox), Apple (Safari) and some smaller vendors, how they want cookie management implemented. All browser vendors want to offer privacy protection, even Google. Why choose to burden millions of web masters if it can be fixed in the browser? Cookies are a technical HTTP implementation detail. There is as much need for cookie consent as there is for IP address consent, DNS consent or User-Agent consent.

simple settings

Let’s have 4 settings:

Default mode is e.g. DEPENDS. And allow different rules for certain websites.

Oh wait, that’s what we have. Chrome cookies

Would the EU want a more fine-grained distinction than just incognito/normal? Would they like a button just 1 click away, not hidden in the settings? Just ask the browser vendors.

Instead, we have JS plugins that allow one to view a list of all cookies, and companies can charge silly amounts to use them. The only people who click the ‘detailed overview of all cookies’ for a website are:

Nobody else cares.

popups are evil

Popups are considered bad for advertising, they remain bad for cookie consent. Look at what these popups do on a mobile screen.

At least on a laptop, I can install a plugin I don’t care about cookies to enjoy my web browsing as it was intended. This should be built in to the browser, also the mobile browser.

My conclusion: the current accepted solution for GDPR-compliant cookie management/consent is a nightmare from technical and user experience point of view. Only a lawyer can look at this mess and say: yes, this is what we were looking for.

I would love to see a return to sanity, where the EU sits down with browser vendors and website builders, develops cookie consent specifications that protect users’ privacy, immediately work with any existing and future website without clumsy plugins nor cookie banners and leaves the choice to the end-user to easily decide how paranoid they want to be. Software should not be specified by lawyers.

💬 privacy 🏷 gdpr 🏷 web