EU Cookie Law By Example: You Need Cookies More Than You Think
NEWS - Mar 8, 2012
Arguably the hardest issue for sites is to understand which cookies are "legal" and which are not. According to the law, no permanent cookies are allowed to be placed without explicit user consent - unless those cookies are strictly necessary for the functioning of the site. So, what cookies would be deemed functionally necessary in practice?
First off, let's consider a few of the types of cookies that are currently created by sites and what they are most generally used for.
Functional - login information, shopping cart items, configuration data
Analytical - research and analytics elements for publishers (e.g. Google Analytics)
Ad - tracking users views and interactions with ads across multiple sites
Tracking - serving the purpose of purely tracking (e.g. pixels, beacons)
Service - 3rd party services to improve site features (social sharing widgets, like buttons, surveys, etc.)
There are many more uses for cookies, but in practice the above list covers the majority of reasons that a cookie will find its way to your browser.
As far as the law is concerned, only the site functional cookies are considered to be exempt. This means that if your site uses any other type of cookie then you must technically disable those cookies (and by definition the services they make possible) until you have obtained some form of consent from the user to allow them. This presents a problem for many site owners and as we shall see it also presents a legal contradiction.
The problem is more easily illustrated with a fictitious example:
Let us say that stevescoolblog.com is a typical blog offering daily tech news. It gets 10,000 unique visitors a month and makes a little revenue to support the site via ads. Ads are provided by three major ad networks, say Google, Yahoo and Microsoft. The blog also uses convenient free services and widgets to allow users to share the articles and content via social channels like Twitter and Facebook, and it uses a free discussion system to allow users to comment. Users are also able to register and log in to the site to participate in the community and earn points for submitting content and commenting. Finally, the site also uses Google Analytics to monitor user traffic trends.
Given the above simple but very typical scenario, this site creates quite a few cookies when users visit. Broken down, here they are:
1 x Login cookie (placed by site for logged in users)
4 x Google Analytics cookies (placed by 3rd party google.com)
2 x Comment Service cookies (placed by 3rd party addthis.com)
2 x Social Plugin cookies (placed by 3rd party disqus.com)
3 x or more ad tracking cookies (placed by ad networks)
These numbers are actually very conservative, and in many cases 3rd party services may place more cookies on the users of stevescoolblog.com. The CookieCert cookie database has cataloged thousands of sites and finds an average of 11 cookies per site homepage, so imagine how many cookies some sites may create with more extended browsing.
So, how does Steve go about complying with the law? Well, strictly speaking, this site must disable those parts that create cookies, and then re-enable them once the user gives explicit consent. In this specific case, it can be done with a relatively small amount of work - simply remove the ads, analytics, comment section and share features of the site. We can leave the login cookie because that is functionally necessary for logged-in users. Then, once those features are removed, add a consent pop-up or page asking users to give consent to all those services. Once a user consents, re-enable the service. All very straightforward, but consider the issues and consequences:
First, this simple example broadly represents a large proportion of sites. Tools like social sharing and analytics are ubiquitous online, and without them sites behave very differently. Ads are the lifeblood of the Internet, fueling the online economy and making the availability of free content possible. Alternative solutions such as charging for content might work for a few large sites but will ultimately kill the majority of them.
Second, an interesting point about the example here is that most of the cookies are not created by the site owner at all. They are created by 3rd party companies for purposes of correct functionality of the service they provide, and sometimes for self interest in their overall business model and tracking systems. So even if they wanted to, the site owners could not disable those cookies intelligently: for example, there is no cookie-free version of the tools used here that could be utilized until the user gives consent.
Third, removing all those services will have a radical effect on the site as a whole. It will affect the end user experience dramatically in the form of interfering consent pop-ups and reduced functionality - no sharing, no commenting and no ads. For the site operators the consequences will be reduced traffic due to less social sharing (which brings in new readers), reduced revenue due to no ads, fewer visitors due to reduced functionality, and higher bounce rates due to annoying pop-ups.
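As an added illustration of the gate Steve would have to build (example code written for this article, not something the article or any of the named services provides), the snippet below tallies an observed cookie inventory by the article's categories and decides which embedded services may run under a given consent state. The hosts, cookie names and the `ads.example` network are constructed placeholders.

```javascript
// Consent gate for the stevescoolblog.com scenario. Constructed example:
// hosts, cookie names and service list are illustrative, not a real site's.

// The article's cookie categories, keyed by the host that sets the cookie.
// Only "functional" cookies are exempt from consent under the article's reading.
const CATEGORY_BY_HOST = {
  "stevescoolblog.com": "functional", // first-party login cookie
  "google.com": "analytical",         // Google Analytics
  "addthis.com": "service",           // sharing / comment widgets
  "disqus.com": "service",            // social plugin / comments
  "ads.example": "ad",                // placeholder ad network
};
const EXEMPT = new Set(["functional"]);

// Unknown hosts fall into "tracking", the most restrictive bucket, so a
// third party the site owner never catalogued is never silently allowed.
function categorize(host) {
  return CATEGORY_BY_HOST[host] || "tracking";
}

// A cookie needs consent unless it is functional.
function needsConsent(cookie) {
  return !EXEMPT.has(categorize(cookie.host));
}

// Per-category tally, as in the article's "1 x Login, 4 x Google Analytics..."
// breakdown, from an inventory of { name, host } cookies observed on the site.
function inventory(cookies) {
  const tally = {};
  for (const c of cookies) {
    const cat = categorize(c.host);
    tally[cat] = (tally[cat] || 0) + 1;
  }
  return tally;
}

// Services the page may load given the categories the user has accepted.
// Before the consent prompt is answered `consent` is empty, so only the
// functional service (login) is enabled; the rest wait for a click.
function enabledServices(services, consent) {
  return services
    .filter(s => EXEMPT.has(s.category) || consent.has(s.category))
    .map(s => s.name);
}

const SERVICES = [
  { name: "login", category: "functional" },
  { name: "analytics", category: "analytical" },
  { name: "comments", category: "service" },
  { name: "sharing", category: "service" },
  { name: "ads", category: "ad" },
];
```

In a real deployment `enabledServices` would drive which third-party script tags get injected, and the user's accepted categories would be persisted in a first-party cookie that is itself functional.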
From the perspective of the EU Cookie Law this example presents an interesting contradiction...
With the removal of the services described, stevescoolblog.com now suffers from fewer new visitors, fewer returning visitors and, most importantly, reduced revenue to operate the servers and pay its staff. End result: stevescoolblog.com limps on for a month or two and then has no choice but to turn off the site because it cannot afford to operate.
OK, so now stevescoolblog.com is out of business, and the users are left to go find their content elsewhere. That could be the end of the story, but let us go back to the starting premise of the law, which states that in order to comply a site must remove all non-functionally necessary cookies. Well, it may be a very primitive argument, but now stevescoolblog.com is actually no longer functional. Therefore, by the process of logic, the cookies which it removed under the assumption that they were not functionally required turn out to be functionally necessary after all!
The argument provided here is not far-fetched. The site example cited uses services that are typical on over 80% of sites online, and in fact most sites use many more cookie-hungry services and ad networks than this - meaning even more cookies and negative consequences! We appreciate the argument given is probably not going to stand up in court should your site be fined by the EU regulators. However, it is food for thought and highlights some of the gaping problems with a law which is so poorly defined and offers equally poor implementation guidance.