A year with the EU Cookie Law – and what’s ahead for 2013

Around this time last year I began to study the EU Cookie Law. I had volunteered to give a presentation about it at one of our WPScotland unconferences, WordUp Glasgow, for the simple reason that I needed to learn about it myself – and what better way to do that than to carry out proper research?

When I volunteered, I assumed that I would be giving a straightforward presentation on what coding elements we would need to put on our web sites to comply. But it didn’t take long into the research process for me to realise “wait a sec, that’s not right…” I realised that not only was this law not a simple matter of adding a little bit of code, but there were substantial moral, philosophical, and structural problems with the law and its implementation which had not been publicly identified, let alone discussed. The more I dug, the uglier it got. I redefined the presentation from tech talk to investigative report not because I wanted to impress my audience, but because it would have been professional neglect for me to pretend otherwise. I made no claim to having a solution or magic fix; my goal was to get that public discussion started, and if nothing else, I hope I have accomplished that.

Time moved on, the law got closer to its compliance deadline, and one day I decided that the cacophony of self-pity, paranoia, scaremongering, and profit-driven theoretical zealotry surrounding the law needed a serious slap in the face. I wrote a post laying out the actual chances of anyone bar Facebook receiving a substantial penalty or fine for “violations” of the law. Seven months later, the enforcing organisation itself came out and said pretty much the same thing. They were certainly happy to sit back and watch a lot of ugly hysteria for a year up to then.

The compliance deadline came. Being a government bureaucracy, the enforcing organisation granted themselves executive privilege to make a 180° turnaround on their compliance guidelines on the day the law went into effect. Every bit of work businesses and organisations had done to comply had been wasted. I discussed this, as well as the new problems created by well-meaning compliance solutions, in a new presentation at WordCamp UK. After the presentation, I got to continue the discussion in good company over bottomless pints of real cider in the 9 PM Edinburgh sunshine. You call that “work”?

I was still rocking my WordCamp t-shirt a fortnight later when I got wind of the first organised cookie law scam. A Filipino call centre, acting under the instructions of an Australian outsourcer, was phoning businesses in the UK claiming to be the enforcing bureaucracy and threatening £5,000 spot fines for failure to agree to pay for their “cookie audit”. After jumping up and down shouting “I ******* told you this was going to happen!” for about an hour (as I do), I dug in and scambusted for Britain. And I had to do it because the enforcing bureaucracy did not say a thing. They couldn’t, because in an admirable example of capitalism at its most cutthroat, the scammer had beaten them to their own job. The only public comment they made had to be forced out of them, by me, and is provided in that post as a blog comment. This nonsense was over and on top of all the trouble they had already caused by switching the cookie law compliance goalposts in added extra time. The fact is, when one single individual has to take on the job of scambusting for the nation because the enforcing bureaucracy only sees it as an issue of brand infringement, all of the whispered concerns over their competence for the job become justified and proven. For what it’s worth the scammer and his minions seem to have slithered back into their hole.

A cheeky wee sod filed a Freedom of Information Act request against the enforcing bureaucracy to get the real numbers behind their warnings and rhetoric. The results were pure dead brilliant. After I had stopped laughing, I took some time to point out that the whole methodology behind those numbers was smoke and mirrors anyway.

I closed the year with a grim but necessary theoretical explanation of how rigid compliance to cookie law directives can destroy sites which exist to serve the least among us.

My unexpected journey through the EU Cookie Law has been a pleasant surprise, and at this point, I have no intention of stopping – nor could I! We are far from having a clear and reasonable set of solutions to the problems this law has caused and is continuing to cause on a daily basis for the people who actually live and work with web technology as well as the users affected by it. This fight ain’t over.

So what will we be talking about in 2013 where the EU Cookie Law is concerned? Here’s how I’m calling it:

1. Privacy laws to the left of me, surveillance laws to the right, and here we are…

On the one hand we have a continental enacted law, the EU Cookie Directive, with 30 different national interpretations mandating self-contained privacy processes on an individual site-by-site basis, with some national laws mandating multiple opt-in processes per site.
On the other hand we have a national draft law, the Communications Data Bill, which will order UK ISPs to store records of your every click, tweet, email header, social media post, Google search, and browsing history, for a year. Full stop. There is no opt-out.
And for added spice, we have a continental draft law, the EU Data Protection Directive, which seeks to increase protection of your personal data, like the records of your every click, tweet, email header…

In 2013 we can expect to bang our heads into walls, a lot, as the three bureaucratic offices behind these laws make equally grandiose statements about the great things these laws will do, while never once comprehending how they conflict with and overwrite each other – and how it’s us who will be stuck in the middle.

2. Backlashes and blockers

With the day-of-enaction 180° turnaround in the UK’s official cookie law guidelines, all of those popups, dropdowns, and hovering windows demanding an active cookie law opt in became unnecessary. The thing is…a lot of sites, as you well know, have kept them up anyway. Either they are not aware that the guidance changed after it went into effect (and why would you assume it would?) or they do not want to acknowledge that the time and money they budgeted for compliance was a complete waste.

In 2013, expect a range of browser plugins and utilities like the one already available for Chrome to expand. Ad-blocker software in particular may begin to offer options to block cookie law warnings and disclaimers.

Update: here is a new blocker for Chrome and Firefox, released 11 January.

3. Do Not Track and a shift to browsers

It is sheer folly for nations to demand that web users actively opt-in or opt-out of sites on a micro level when browsers have had universal cookie blocking options since the 1990s enabling those opt-ins to be dealt with at the background macro level. Expect people to demand that they allow their browser options – whether they are Do Not Track or those settings that have always been there – to stand as their choice across all of the web sites they visit. Smart browser developers should follow suit.

On a personal note, thank you to everyone who has spoken to me at conferences, tweeted me, left blog comments, and kept this discussion going. In life we all have to pick our battles, and I’m happy that you’ve joined me in fighting a good fight.

About the author

Heather Burns is a digital law specialist in Glasgow, Scotland. She researches, writes, publishes, consults, and speaks extensively on internet laws and policies which affect the crafts of web design and development. She has been designing and developing web sites since 1997 and has been a professional web site designer since 2007. She holds a postgraduate certification in internet law and policy from the University of Strathclyde.