Schrödinger’s Cookie Law, Part II: How the EU got it wrong for the whole continent

In my last post I wrote about lessons we can take away from the Information Commissioner’s Office botched deployment of the EU Cookie Law within the United Kingdom. Today I’m going to discuss how the EU got the law wrong across the whole continent, and suggest some lessons that those behind the current data protection law draft cycle should take on board.

1. As an organisation, the EU is not agile enough to legislate the fundamentals of web code.

Professional web designers and developers are, by nature, totally flexible and willing to change. We have to be. We work in a field which adapts and evolves several times a year. If we do not keep up with new technologies and developments, we’re history. We also have the benefit of working in a profession driven by the open source ethos. If there is not a solution available, we are expected to develop it ourselves – right now – rather than waiting for someone else to make it for us. If something is broken, we flick open our iPads and fix it on the train.

You could not think of a worse constituency to find themselves at the mercy of the European Union. Like many bureaucracies, their project cycle runs in years and decades rather than days and weeks. Their collaboration ethos is slow. It involves planning, documents, meetings, and consultations; not Skype, GitHub, and Dropbox. If something is broken, they get their PAs to schedule a meeting for the next time they are all in the country together.

Some cultural clashes can be overcome. Not this one.

The EU put the wheels of what became the cookie law in motion in 2009 with Directive 2009/136/EC. This amended Article 5(3) of the E-Privacy Directive – a document from 2003 – requiring consent for cookies. They legislated this update to go into effect in 2011. The UK opted to grant one year’s grace to 2012. This meant that a law legislating web code itself went into effect in 2012 based on 2009’s understanding of how the web worked. And you had better believe that was a big problem. In the time that the law was slogging through its legislative processes in Brussels, we invented responsive web design, smartphones, tablets, and apps. In those three critical years the concept of online privacy itself shifted. The biggest threat to online privacy is no longer big corporations selling on our details; it is us, and the information we voluntarily choose to (over)share online.

Yet the cookie law imposed rules written in an era of static web sites into a world of dynamic social sharing.

A government which takes years to work through a process is unfit to legislate a field which evolves by the hour.

2. As an organisation, the EU should not be legislating the fundamentals of web code in the first place.

Let me present you with a rough analogy: traditional data protection laws enacted by the EU dealt with what a business could do with the information submitted to it through its online contact form. The EU Cookie Law attempted to regulate the contact form itself.

The cookie law may go down in history as the first attempt by a government to legislate and restrict the use of web code. Hopefully it will also go down as the last attempt. That’s because web code is not a proprietary, controllable product; web code is an open and evolving international language. Have you ever attended a WordCamp? People from two dozen countries, who may only be able to communicate in a few tentative sentences in their second or third language, flip open their laptops and communicate by code. It’s like Starfleet come to life. It’s beautiful.

Yes, some of that language can be misused if the person speaking it wishes to do harm. Just like words. Do we impose consent processes onto conversations that may turn unpleasant?

At its theoretical worst, some national cookie law implementations called for the complete reprogramming of functional, non-intrusive web sites because some of the source code it used could be programmed, in other cases, to violate privacy. It does not take much imagination to see where this logic could end. Let’s not kid ourselves: the EU Cookie Law was nothing short of an attempt to impose Newspeak onto html. Some uses of this code are bad: therefore all use of the code must be regulated. It’s in our own interest.

Thank God that nobody bought it.

Web code is an open and evolving international language, not a proprietary product. It is not the place of any government to legislate how and where that language can be used.

3. The EU cookie law confused mechanism with intent.

The legislators who invented the EU Cookie Law – who are most definitely not coders – proceeded on the belief that cookies are the problem. They are not. Cookies are mere strings of code. They are a means to an end. What human beings choose to do with the data resulting from cookies specifically set up to track user information is the problem.

This fundamental misunderstanding saw a law meant to address intrusive third party advertising applied with equal force, in some national implementations, to the non-intrusive functional cookies which enable the use of a web site.

The end result of this misunderstanding, and its equal and opposite backtracking, has been enforcement procedures like those practiced by the UK. When a site is reported, the enforcing agency only carries out a visual scan of the web site to see if a cookie disclaimer statement in place. They are not looking to see what cookies are in use, what data they have collected, or where, if anywhere, that information is being delivered. The existence of cookies, not their intent, is what is important to them. And that’s wrong.

The penny is finally dropping that the use of cookies – not the mere existence of them – should be the focus of data privacy rules. This should have been in place from the start. In its absence, the “cookie disclaimer” has become yet another meaningless backside-covering policy which businesses are required to have.

By confusing mechanism with intent, the cookie law has done nothing to improve online privacy or data protection. The web design and development communities should actively challenge the EU, and the thirty enforcing national bureaucracies, on their politically correct determination to punish all web sites for the sins of the few.

That hope, of course, presumes there is a unified web design and development community ready and able to fight our corner. And on that score, the EU got the best of us hands down. That’s why we are likely to be repeating this whole saga in 2016. Right now there is a new EU law in the draft phase, the General Data Protection Regulation, which will replace the 2003 E-privacy Directive and presumably its corollary Cookie Law. Think we can stop bickering over RWD and who shagged who at what web conference long enough to stand up in defence of our craft? It’s up to you.

About the author
Heather Burns is a digital law specialist in Glasgow, Scotland. She researches, writes, publishes, consults, and speaks extensively on internet laws and policies which affect the crafts of web design and development. She has been designing and developing web sites since 1997 and has been a professional web site designer since 2007. She holds a postgraduate certification in internet law and policy from the University of Strathclyde. Learn about hiring Heather to write, speak, or consult.