On the 25th of May we marked the third anniversary of the EU Cookie Law taking effect here in the UK, and with some national exceptions, across Europe. Three years on, we can all look back at what a positive, sustainable, and far-reaching impact the law has had on internet privacy and personal security.
Errrrm…no we can’t.
It’s safe to say that when even The Guardian – the newspaper which helped to break the Snowden revelations – refers to the cookie law as “not fully baked”, the stage is set for an honest evaluation of whether this particular game has been worth the candle.
Let’s start with the bottom line: how much was the cookie law supposed to cost us?
As I am in the UK, I will look domestically at the UK’s impact assessment for the implementation of the law. This exercise was held by the Department for Culture, Media, and Sport in March 2011. You’ll find it on pages 141-161 of this 204-page PDF (2.07 MB).
When it comes to intangible policies like the cookie law, impact assessments are interesting academic exercises. After all, privacy is not something which can be quantified with a monetary figure (despite occasional overtures in that direction), so those who write the assessments are essentially tasked with identifying the price of an emotion. What’s more, impact assessments take on a cynical tone when the law in question has been mandated by the EU. Because the law is being imposed from above – in other words, we are doing it because we have to, not because we want to – identifying a cost becomes a box-ticking exercise designed to please the teacher rather than produce an accurate figure. (We definitely saw this with the impact assessment exercise held for VATMOSS).
The figures which the DCMS used in March 2011 were established by the consultancy firm they hired to perform a research study. That was PriceWaterhouseCoopers (shades of VATMOSS again!). Their report (.pdf, 2.61 MB) surveyed 1,012 “relatively heavy internet users” to gain their informed opinions of two possible implementations of the cookie law: an “opt in” or an “enhanced browser” system.
The report said:
“Based on the survey results, internet users will potentially incur large time costs managing their use of internet cookies. If each user had to manage (only) 200 internet cookies per annum, then, based on the results of the consumer survey, we estimate that the total cost would be around £190 – £235 million per annum.”
What is the methodology behind that figure? “For the calculations of time requirements we assumed time requirements as bandwidth midpoints (for example for up to 5 seconds we assumed on average 2.5 seconds). The average time requirement in the sample for each internet cookie is therefore 0.0063 hours. We assume 200 internet cookies per year and a value of non-working time of £3.68 per hour at 2002 prices based on Department for Transport guidance (source: http://www.dft.gov.uk/webtag/documents/expert/pdf/unit3.5.6.pdf). We then multiply by 36.6 million weekly or daily internet users (or 40.1 million if we include all internet users together) to generate a value of £170 million (£189 million). Finally, we multiply by 1.23 to adjust the value of time to 2010 prices using the GDP deflator.”
There is no explanation on how they came up with the figure of 200 cookies per year. Any Disconnect user will know that some web sites can deposit 150 cookies on page load. So if that calculation is accurate, the time cost would be considerably higher. Even without that clarification, it’s clear PWC understood that an opt-in system would never work. They concluded:
“The constant requirement to opt-in will reduce consumers’ online experience and consumers are likely to change their behaviour (this includes more or less trust): as consumers will be required to opt-in they might access fewer websites or only those websites of large companies (see consumer survey). This change in behaviour could lead to a bias favouring large and well established companies or companies operating outside the UK (or EU) as there might be no ‘Opt-in’ requirements. Additionally, consumers are likely to need more time online to achieve the same ‘success’ as before: responses to the consumer survey indicated that internet users would read the respective information and then decide what to do. This would involve a significant total time requirement – which they have probably underestimated – and, therefore, costs for consumers (approaching £190-235 million per annum if they have to deal with 200 internet cookies per annum). The time requirement would be recurring whenever a new website is visited (and the purpose of an internet cookie is changed). These effects are likely to lead to significant and large indirect effects for business. The effects are likely to be larger than the direct costs and result in significant displacement effects.”
This was duly recommended to DCMS, and it is one of the reasons why we don’t have an opt-in per-cookie system.
The next question PWC addressed was the strange possibility of internet users paying their ISPs to manage the cookies delivered to their computers based on their expressed preferences, and how much they would be willing to pay.
“We note that the mean willingness to pay per month is between £0.67 and £0.78 monthly payment to the Internet Service Provider of £13.01 for the provision of internet access). The willingness to pay for the service is, therefore, on average about 5-6% of total payments. On this basis, the overall willingness to pay for the UK adult online population is estimated to be between £300 million and £380 million per annum. If (conservative) bandwidth means (for example £0.25 for the £0 – £0.5 band) are used average monthly willingness to pay is £0.67 whereas if point estimates are used the resulting value is £0.78. User confidence does not seem to affect willingness to pay for a cookie management service as the percentage of people having a positive willingness to pay does not vary largely by level of confidence. The lower band is derived by multiplying annual willingness to pay (£0.67×12) by 36.6 million weekly or daily internet users. The upper band is derived by using point estimates and the total number of internet users (including monthly or less use) (£0.78×12) x 40.1 million users.”
While this never came to pass, that figure of £300 – £380 million was then used in the DCMS impact assessment. This was rationalised on the basis that the figure “gives some indication of the benefits of ensuring that consumers are better informed on the nature and purposes of cookies, as well as their options for managing them.” And so they concluded that “The consumer benefits of being fully informed about the nature and options regarding internet cookies are in the order of £300 million – £380 million per year, though it is not yet possible to indicate what proportion of this will materialise in practice.”
So we know that the intangible financial benefit of the cookie law within the UK was estimated to be £300 – £380 million per year. That figure would have pleased the teacher.
What about direct costs? Again, those were not identifiable, but it’s clear that DCMS understood that they would be burdensome at the very least:
At least one attempt has been made to count the costs of the cookie law across Europe. This was a paper produced by Daniel Castro and Alan McQuinn at the Information Technology and Innovation Foundation, a Washington think tank. Their study, which they acknowledged was “an approximation with a large margin of error”, estimated the cost at $2.3 billion per year (roughly £1.5 billion or €2 billion.) Those costs, combined with all of the other issues and concerns we now know all too well about the law, caused them to call for the law to be rolled back.
Castro and McQuinn’s report got a lot of publicity when it was published in November 2014 and makes a valid contribution to the wider questions we must ask about the law at this point in time. However, the Castro and McQuinn report must be viewed in the light of its own clear bias. The ITIF is a right-leaning organisation which, just this week, dismissed a major and legitimate concern over privacy as “kneejerk”. (Pot kettle black.) Their report also has some methodology flaws. For example, they cited a cost estimate which predicted the cost to the UK economy of £10 billion. However, that “study” turns out to have been performed by a software vendor selling a cookie law compliance solution which has since been removed from that vendor’s own web site. Quoting a figure meant to sell software as a reliable piece of information is just sloppy research. There are also some issues with their attention to detail and accuracy. I can say this one, because I served two tours of duty working in a Washington think tank and know the rules, and two, because I was rather bemused to see them attributing the words from one of my own blog posts as a quote from ICO.
In other words, Castro and McQuinn have the right idea, and understand the problems with the law as clearly as anybody, but they let their own biases get in the way of what could have been critically important research. It’s actually quite a shame that instead of tasking a few good old Washington policy interns to perform the sort of research like I did above, they went tilting at windmills with formulas and statistics about the internet as a whole.
We absolutely need a figure for compliance costs across Europe. Think tanks aren’t willing to do it, and each of us can only handle our own country’s legal guidance in our own native language. For that reason, any readers across Europe are welcome to repeat this exercise with their own national guidance. I’ll be happy to publish what you find here.
So what’s the bottom line? Nobody knows. We have a lot of funny figures, odd data, and convoluted methodologies, and they have taken us no closer to an accurate figure of how much this law was supposed to cost us than we had in 2011.