How do you like cookies?
I mean the web cookies you have to accept everywhere. Find out more on why we have them!
Ever wondered why, when you enter a website, you have to click through those annoying banners? Whether you're shopping online, checking your bank account, or handling administrative tasks, you're constantly asked to accept or reject cookies. Or worse: you are bombarded with an army of options and pop-ups until you finally reach the page you originally wanted to see.
Having worked in privacy for a couple of years now, and - horribile dictu - having even invested serious working hours in designing some of these cookie banners and policies, I myself have questioned many times why we have to deal with this in the first place.
Early Internet in the mid-90s
To answer this question, we have to go back to the mid-1990s, when the Internet we know today was just taking shape. Some of the tech giants we know today did not exist yet, or were among the many growing companies that were more like startups at the time. The first browsers and supporting features such as cookies were created around this time. The name "cookie" was coined by a developer of one of these early browsers, from a term already used in programming, "magic cookies", which were simply small packages of information sent between computers.[1]
The earliest cookies are what we call today session cookies or first-party cookies. Their only function was to allow the website provider to log that you were accessing the site. So, for example, if you log in once on a website, you don't have to log in again during the same session when you switch between pages. Later on, additional features appeared, such as storing your shopping cart in a webshop or analysing whether the website is functioning. However, nobody other than the website provider had access to the user's data.
These are such straightforward features - with almost no impact on privacy - that one could question why there is so much attention and regulation around this today.
Targeted ads and third-party cookies
As the number of internet users grew drastically, so did e-commerce. New commercial and advertising practices appeared, such as third-party cookies. These cookies became valuable as more and more information became available about users, especially in a commercial context, such as:
Your IP address, and hence your geo-location,
Your web behaviour: how much time you spent on the website, what you clicked on, when you decided to buy a product (or when you decided not to),
Which website you came from and where you went next, etc.
Now imagine you are a webshop owner with access to this data for thousands or millions of users. You could perform statistical analysis, optimise your ads and products, or improve your website's functionality. Then the idea also comes: this data can be transmitted or even sold.
The issue is that there is little awareness of this even today, as it was done without informing users or asking for their consent. This and similar practices led to the early development of surveillance capitalism.
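To make the difference between the two kinds of cookie concrete, here is a small simulation added for this article (not code from the original post): a browser-side cookie jar in which a shop sets a first-party session cookie, while an ad host embedded on two different sites sets a third-party cookie and can recognise the same visitor on both. The hosts and cookie names are placeholders; the `block_third_party` switch models what a cookie blocker does.

```python
import secrets
from dataclasses import dataclass, field

# Constructed placeholder hosts: a webshop, a news site, and an ad server
# whose content (an ad or tracking pixel) is embedded on both of the others.
SHOP, NEWS, ADS = "shop.example", "news.example", "ads.example"


@dataclass
class CookieJar:
    block_third_party: bool = False              # what a cookie blocker does
    cookies: dict = field(default_factory=dict)  # (host, name) -> value

    def store(self, page_host, cookie_host, name, value):
        """Store a Set-Cookie from cookie_host while the user views page_host."""
        if self.block_third_party and cookie_host != page_host:
            return False                         # third-party cookie rejected
        self.cookies[(cookie_host, name)] = value
        return True

    def sent_to(self, host):
        """Cookies the browser attaches to any request made to host."""
        return {n: v for (h, n), v in self.cookies.items() if h == host}


def session_walk(jar):
    """First-party case: log in once, then move between pages of the shop."""
    sid = secrets.token_hex(8)
    jar.store(SHOP, SHOP, "session", sid)        # Set-Cookie at login
    # later requests to other pages of the same site carry the same session id
    return all(jar.sent_to(SHOP).get("session") == sid
               for _page in ("/cart", "/checkout"))


def ad_server_visit(jar, page_host):
    """A page on page_host embeds ADS; ADS reads or assigns a tracking id."""
    if jar.sent_to(ADS).get("uid") is None:
        jar.store(page_host, ADS, "uid", secrets.token_hex(8))
    return jar.sent_to(ADS).get("uid")


def cross_site_tracking(jar):
    """Can the ad host tie a visit to SHOP and a visit to NEWS to one user?"""
    first = ad_server_visit(jar, SHOP)
    second = ad_server_visit(jar, NEWS)
    return first is not None and first == second
```

With third-party cookies blocked, the shop's session still works, but the ad host never receives a stable id and cannot link the two visits.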
… and the European law on this
As technology develops, the law follows, although always at a slower pace.[2] The development of the Internet and of new online commercial practices did not go unnoticed by regulators either, and some researchers argue that it led to a new generation of data protection law in Europe in the '90s[3] and early 2000s. Some of these laws were:
A 1995 directive on personal data protection[4], the "predecessor" of the GDPR[5].
A 1997 directive[6] on privacy in the telecommunications sector, with only 16 concise articles.
The 2002 ePrivacy Directive[7] on privacy in electronic communications, which replaced the 1997 directive and is still in force today. It is also known as the "Cookie Directive", and it gets (most of) the blame for the banners popping up everywhere and the endless cookie policies.
The overall goal[8] of the ePrivacy Directive is clear and noble: to ensure the protection of personal data in the electronic communications sector, and to ensure the free movement of such data within the European Communities[9]. The directive further elaborates on the 1997 directive and reflects the state of the art as of 2002, which led to some of the issues explained later in this article.
As for the provisions of the ePrivacy Directive, little is said specifically about cookies, apart from Recital 25, which foresees practices related to consent and transparency. Otherwise, the directive is clear when it comes to, for example, confidentiality obligations: "[EC Member States] shall prohibit listening, tapping, storage or other kinds of interception or surveillance of communications and the related traffic data by persons other than users, without the consent of the users concerned […]".
Without an in-depth assessment, these are the main obligations:
Service providers must obtain consent before processing data[10].
Users must be informed of the type of data processed, how long it is stored and the purposes of processing[11].
Consent can be withdrawn at any time[12].
These obligations to ask for prior consent and to inform you before using your data led to the banners and cookie policies we have today.
Issues with the ePrivacy Directive
This directive has two main issues: it dates from 2002, and it is a directive.
This law was created at a time when the online environment was drastically different from today. Most online stores were still in their early stages[13]. Google was a search engine only a few years old; Facebook did not exist yet. Our current Insta and TikTok culture, combined with our daily use of AI, would probably have seemed almost dystopian in the early 2000s. Most importantly, the massive collection of data across multiple websites via cookies had not yet started on the scale we see today. This is a clear problem, as the social issues the original legislation aimed to regulate have changed fundamentally since then.
Another issue is that the law underpinning the ePrivacy Directive (the '95 privacy directive) also changed: it was replaced by the GDPR in 2018, which brought a more detailed definition of consent and 33 pages of guidelines on how to implement it[14]. The GDPR also extended the transparency obligations, with a much more specific list[15] of what an information document must include, which led to even longer cookie policies.
From a European historical perspective, in 2002 the EU did not exist in its current form: it was still the European Communities with 15 member states, right before the eastern enlargement. In addition, because this law is a directive, member states are free to decide how exactly to implement it, which led to different laws in different EU countries over time and to inconsistent practices even within the EU[16].
As a privacy professional, this means you have to dig through the GDPR, the ePrivacy Directive, and guidelines on consent and transparency at both European and national level, and also check best practices within your sector just to be sure.
This leaves us with serious working hours for a banner that nobody really wants to see in the end.
Today: NGOs fighting for cookie compliance, Elon Musk making jokes about them
On one hand, there are NGOs such as noyb with full-scale projects on cookie compliance[17], which also aim to reduce the "annoyance" factor caused by mis-implemented banners, for example by pushing for a simple "yes or no" choice on most websites instead of several options, or by challenging pay-or-consent models. On the other hand, there is Elon Musk saying that accepting cookies may open the portal to hell[18].
In any case, the frustration on both sides is understandable, and it boils down to two main reasons:
The increasing technicality of data protection law: the number of transparency obligations often makes them impossible for the actual target audience, the end users themselves, to understand.
Incorrect implementation by service providers: it was never intended, and in fact it is nowhere written in the ePrivacy Directive or the GDPR, that users must click through cookie banners with several options all the time.
These issues could be overcome by a new, simplified regulation with a more pragmatic approach that ensures both privacy and web user convenience. This could potentially be resolved by the long-planned ePrivacy Regulation, legislation that has been kept in limbo since 2017, with a "blocked" status and no clear explanation as of January 2025[19].
What can you do in the end?
The takeaway: you won't open a portal to hell with cookie banners. But if you don't want cookie banners and you care about privacy, simply install a cookie blocker. That way you won't have to click through them anymore, while also avoiding sending your data to third parties.
This way, you've resolved an issue created by hundreds of pages of law and guidelines, at least for yourself.
Notes
I have written more about how technology impacts society as a whole and how the law follows. In this case: how the development of the Internet facilitated the creation of data protection law and the law on freedom of information (in Hungarian, but definitely recommended with DeepL translation if you are interested): https://nmhh.hu/dokumentum/203061/Szikszai_Marcell_Az_Internet_maga_uzenet.pdf.
The first generation was drafted in the 1970s for early, mostly paper-based data processing, followed by the 1990s legislation addressing digital privacy, and continued in the 2010s addressing social networks and contemporary technology. More about this (in Hungarian): https://infojog.hu/szoke-gergely-laszlo-az-adatvedelem-szabalyozasanak-torteneti-attekintese%C2%B9-20133-56-107-112-o/ .
Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.
General Data Protection Regulation or Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
Directive 97/66/EC of the European Parliament and of the Council of 15 December 1997 concerning the processing of personal data and the protection of privacy in the telecommunications sector.
Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) or ePrivacy Directive.
As the European Union was still not formed as we know it today.
As per Article 1(1) of the ePrivacy Directive.
Article 6(3) and 9(1) of the ePrivacy Directive.
The last sentences of Articles 6(3) and 9(1) of the ePrivacy Directive.
Article 6(4) of the ePrivacy Directive on transparency obligations related to traffic data.
In fact, there was a smaller financial crisis in the tech sector known as the Dotcom Bubble: https://www.investopedia.com/terms/d/dotcom-bubble.asp
Guidelines 05/2020 on consent under Regulation 2016/679, European Data Protection Board, Version 1.1 adopted on 4 May 2020: https://www.edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_202005_consent_en.pdf
Articles 13 and 14 GDPR.
Just to give an idea on the different practices, an overview of 14 countries is available here: https://noyb.eu/en/noybs-consent-banner-report-how-authorities-actually-decide