The EU/UK Cookie Law is One Big Fail

May 27, 2012

Reading today about the deadline for UK websites to follow the EU cookie privacy law made me wonder what kind of people come up with these type of laws. Like so many "won't someone please think of the children" laws it's long on ideals and short on reality.

Given that as of today hardly any country in the EU has met even a minimal definition of compliance (which originated in 2003 I think), and that in the UK a late change to the requirements makes a mockery of the EU rule, I wonder why anyone actually expected things to change.

One meme from the very earliest days of the web was that "the internet routes around blockages". As long as connections continue to be allowed across country boundaries any such rules will simply move the targets to another place. Any floppiness in prosecuting the rule-breakers will just encourage people to ignore the rule entirely. Given the rather oddball last minute change where the UK proposed that people could give implicit consent simply by accessing the website despite a plain warning I don't see any future in compliance.

Where the letter of the law requires explicit consent by a web visitor for each cookie in use the new UK rule makes it OK to put a line at the top of each page. Of course this is completely incompatible with the EU requirements. So what can the EU do? I have no idea but probably nothing at all.

Of course requiring explicit consent for each cookie is beyond ridiculous. How do you even explain what you are asking of the user? I can just imagine my late mother having to click a bunch of alerts about something she couldn't have ever understood. It's ludicrous to imagine people having to continuously approve something on every page they visit every time. If you say no to everything there is no way for a website to avoid asking you again and again. Yet nothing would stop people from going to a website not in the EU/UK or that chooses to ignore the rules making it pointless for any company to maintain a presence in a country with such a rule. Visitors to a website generally could care less about some obscure law that screws with their needs.

Sure, cookies can be a real nuisance and I hate being tracked by people as much as anyone, but this isn't going to help anyone's privacy. My blog and I are in the US and immune from EU requirements. So I could track you all I wanted. If this law were to be rigidly enforced for companies with a presence in the EU/UK (which I highly doubt) it might be easier to simply block people in those countries for a while. How long would such a law continue if everyone's access to Google or Facebook resulted in a page saying "access to this website is illegal in your country". What a fun riot that would be.

One the pains of doing business on the internet is always dealing with every countries' oddball laws and requirements. At my job I had to take a class on dealing with these things since we have businesses all over the world. Much of it seemed really painful especially when dealing with countries that had incompatible and even opposite laws. Yet as I learned there are many deliberate loopholes, some built-in and some questionable, that you can take advantage of.

The reality of laws like this one is that unless we suddenly have a one-world government or massive collusion that goes unnoticed laws like this are doomed to fail. The internet is too important to commerce in the world today and anything that provides an edge will be taken advantage of. If your competitors make using the web irritating because of a law and you don't, guess where people will go? If your government for example requires you to put a backdoor that only they can read, no one will bother doing business with you.

Sure if you want Facebook and you can't get there, you are out of luck. But unless you can block the rest of the world (such as in China) an alternative can always be created. If your business is hurt and your country's silly laws are to blame, you are out of luck too. Someone will take advantage somewhere in your place.

The bottom line is money. If your country suffers monetarily laws can vanish pretty fast. I think the UK last minute change came because it was obvious that strict enforcement would be impossible and they figured having a lip-service requirement would be better than having people ignore you completely.

I love the requirements in various countries including the US to have a privacy statement. These are always written by lawyers and are generally incomprehensible by anyone else. No one reads them. Ever. So what purpose do they serve?

The general population doesn't know why cookies are important no matter how you explain them so requiring that they give consent will result in random button clicks and boxes checked. When they see nothing working they will change their choice. The end result will be an annoying internet feature that will piss people off but nothing will change. Or more likely they will route themselves to visit websites which don't do any of this.

The web has functioned for 15 years and has transformed the world like few technologies have ever. Trying to make fundamental changes that limit people's ability to use it is only going to end in one big fail.