The Cookie Crumbles

Conrad Bennett, senior director of technical services for web analytics specialists Webtrends, discusses the possible death of the humble cookie following a change in European Law.

Conrad Bennett

A European law concerning data privacy was voted through by the European Council on 24 November last year; it will be enforced across all 27 Euro states by April 2011.

Seven months on, it is still causing debate and controversy amongst the online community. More recently, Europe’s privacy watchdog, the Article 29 Working Party, has published its interpretation of the new law, stating that cookie consent can’t be implied by browser settings. This means that advertisers are wrong to say that websites can comply with the law by relying on a user’s cookie settings.

So just what does this mean for site owners?

Basically, a cookie is a text file, so it isn’t able to ‘do’ anything: cookies can’t read your system or watch what you do, nor do they record anything. As far as your system is concerned they are read-only files, similar to a Word document.

They are only ever edited via your web browser by the site which created them. Cookies are generally encrypted and usually only contain a unique identifier. The main thing to remember about cookies is that they don’t contain any information which you didn’t already provide to the website.

Take a real life example like the Tesco Clubcard. This uniquely identifies you and tells Tesco everything that you have ever bought when you have used the loyalty card in-store.

However, Tesco can’t use it to tell if you have been into Sainsbury’s, how much you have spent there, or what your dog’s name is! If someone steals your wallet containing your Clubcard, they get a card with a unique number which is useless to them.

Cookies are identical to the Clubcard in this sense, yet how many people really panic about having a Tesco Clubcard?

Cookies are simply used so websites can say ‘Oh, it’s you again,’ and remember things. In the case of Google this might be your search preferences, or Amazon might remember your shopping cart (once you have logged into the site) so you don’t receive recommendations for items you’re not even remotely interested in, say the new Saturdays album in my case.

There is nothing really sinister about what a cookie can do; they store the information which you told the site in the first place.

Much of the superstition surrounding cookies is due to a lack of understanding of their real benefits. The impending legislation means that cookies can only be set with the prior consent of the visitor, or ‘data subjects’ as we’re fondly referred to by the EU Working Party.

European companies will need to ask consumers’ permission to set a cookie. If you say ‘yes’ then the site will set a cookie and off you go.

When cookies are required for business-critical tasks, like maintaining your shopping cart, a problem arises if you say ‘no’ to cookies. Cookies are the only way that websites can ‘remember’, and since you told the website that it can’t set a cookie, the next time you visit the site it will need to ask you for the same information again, and again, and again. Yes, that’s the same questions every time you visit the site.

Even worse, according to the letter of the law (or at least the new directive), this has to happen every time you visit a site.

You could start your visit to a site on one of its many pages, and if you’ve opted against the cookie, the site is going to have to ask you on every page of the site, since it has no way of remembering that you said ‘no’ on the previous page. It sounds laborious, doesn’t it?

The potential issues with cookies have been known within the industry for some time. Several alternatives have been suggested; all fall foul of the directive, which uses the terms ‘the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user’.

Like the reader of a Fighting Fantasy role-playing novel from back in the 80s, site owners have one of three choices:

1. Stop using cookies. OK, but all of your analytics (and those of your partners) will suffer a major drop-off in accuracy. You can kiss goodbye to any affiliate income, and probably to any kind of quality advertising income. If that’s your model, you will be back to blanket coverage, instead of any kind of targeting. Additionally, lots of visitors are actually going to be puzzled and confused about why you no longer remember them and why the site ‘doesn’t work properly’ any more.

2. Implement cookies as normal, but ask every visitor if they consent. Assure those visitors who get horribly annoyed by the fact that your site has become unusable that this is so that you can comply with EU legislation.

3. Use other information. Research by the Electronic Frontier Foundation (https://panopticlick.eff.org/) has shown that information readily available from the browser, such as version, plug-ins and more, can uniquely identify many visitors – upwards of 80% – without the need for cookies. Since this information is passed by the browser automatically (unless the user chooses to block it) and doesn’t require anything to be stored on the user’s machine, you wouldn’t need to get consent. The problem with this is that it shows the short-sightedness of the legislation; this approach clearly doesn’t break the letter of the law, but it is questionable whether it adheres to the spirit.
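The third option identifies visitors without storing anything on their machine, which is why the directive's wording does not catch it. The added example below (not part of the original article; the visitor records, attribute names and values are constructed) measures how identifying each browser attribute is on its own and what fraction of a sample population becomes unique once the attributes are combined, which is the kind of measurement the EFF research reports.

```python
import hashlib
import math
from collections import Counter

# Constructed sample: values a browser sends or exposes with no cookie stored.
FIELDS = ("user_agent", "plugins", "timezone", "screen")
VISITORS = [dict(zip(FIELDS, row)) for row in [
    ("BrowserA/3.6", "Flash,Java", "UTC+0", "1280x800"),
    ("BrowserA/3.6", "Flash,Java", "UTC+0", "1280x800"),  # same as row above
    ("BrowserA/3.6", "Flash",      "UTC+0", "1280x800"),
    ("BrowserA/3.6", "Flash,Java", "UTC+1", "1024x768"),
    ("BrowserB/8.0", "Flash",      "UTC+0", "1280x800"),
    ("BrowserB/8.0", "Flash,Java", "UTC+1", "1280x800"),
    ("BrowserB/8.0", "Flash",      "UTC+1", "1024x768"),
    ("BrowserB/8.0", "Flash,Java", "UTC+0", "1024x768"),
]]

def fingerprint(visitor, attrs=FIELDS):
    """Hash the chosen attributes into one stable identifier (nothing is stored client-side)."""
    canonical = "|".join(f"{a}={visitor[a]}" for a in sorted(attrs))
    return hashlib.sha256(canonical.encode()).hexdigest()[:16]

def attribute_entropy(visitors, attr):
    """Shannon entropy, in bits, of a single attribute across the population."""
    counts = Counter(v[attr] for v in visitors)
    n = len(visitors)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def unique_fraction(visitors, attrs=FIELDS):
    """Fraction of visitors whose fingerprint over `attrs` is shared with nobody else."""
    prints = [fingerprint(v, attrs) for v in visitors]
    counts = Counter(prints)
    return sum(1 for p in prints if counts[p] == 1) / len(visitors)

if __name__ == "__main__":
    for field in FIELDS:
        bits = attribute_entropy(VISITORS, field)
        alone = unique_fraction(VISITORS, (field,))
        print(f"{field:<11} {bits:.2f} bits, unique on its own: {alone:.0%}")
    print(f"combined    unique: {unique_fraction(VISITORS):.0%}")
```

No single attribute singles anyone out in this sample, yet the combination does for most visitors; a site owner auditing their own analytics for this effect can run the same calculation over the attributes they actually log.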

Cookies are essentially benign and their use is typically beneficial or at least neutral to the visitor.

It would be fantastic if the future were as simple as a Fighting Fantasy novel, where we could see the impact of our decisions today on the future. Yet this isn’t possible, and on a cold prediction it increasingly looks as though this recent legislation will render cookies unusable, which will have serious implications for doing business in a digital environment.