Image: Nat Buckley, IF CC-BY, an example of a cookie consent panel from Tumblr.

Lots of websites have recently started asking for granular consent for setting cookies for tracking, advertising, marketing and analytics on EU visitors’ devices. Many of those cookies are provided by third parties, who are able to use them to track visitors across multiple sites and devices.

There are good reasons for setting third-party cookies. For example, analytics cookies can be used to learn about how people use the site so that it can be improved. Another example might be setting advertising cookies to help news sites fund their journalism. But because those cookies could be a privacy risk for the site visitors, it’s really important that they have the opportunity to decide whether the risk is worth it.

People don’t have much choice and control

For some websites, the list of third-party organisations providing cookies goes into the hundreds. Some consent tools require the viewer to make a decision about each of the parties individually, without an option to reject all non-essential cookies, or all third parties of a certain kind.

Making meaningful decisions about which cookies to consent to is difficult right now. Just like expecting every individual to read terms and conditions documents, expecting them to decide about potentially hundreds of cookies from third parties they’ve not heard of, on dozens of sites they visit every day, is simply unrealistic. It’s hard to feel in control when you are overwhelmed with information.

The regulation in Europe is clear that it’s the website’s responsibility to seek consent, but it also acknowledges that this might become onerous for the visitor. A better solution would be for the browser to be configured with the viewer’s preferences once, and for those preferences to work on every site they visit.

‘Do Not Track’ is misleading

In 2009, a Do Not Track feature was proposed as a way for someone to signal their lack of consent to being tracked. Today, it’s an option on all major browsers and it’s something you can turn on for every device you use. There is one problem with it: honouring this preference is entirely up to each website. As a result, most companies that stand to benefit from tracking people across sites and devices hide behind an explanation that there is no agreed standard on how to respond to the feature. As if Do Not Track is not a clear enough message.

The result is that the site owner remains in control, despite a clear choice from the person using the browser. The name of the feature is misleading, given how easy it is to assume that turning it on actually protects you from tracking.
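What honouring the signal could look like on the site's side, as an added example that is not from the original article: a browser with the feature turned on sends the request header `DNT: 1`, and the function below withholds every non-essential cookie when it sees it. The cookie names, the category labels and the rule that the header overrides consent given in a panel are assumptions made for this illustration.

```javascript
// Added illustration, not code from the article. Cookie names, values and
// category labels are constructed sample data.
const ESSENTIAL = 'essential';

// A browser with Do Not Track switched on sends the request header "DNT: 1".
// HTTP header names are case-insensitive, so normalise before comparing.
function doNotTrack(headers) {
  return Object.entries(headers).some(
    ([name, value]) => name.toLowerCase() === 'dnt' && String(value).trim() === '1'
  );
}

// Decide which cookies a response may set.
//  - essential cookies are always set
//  - any other category needs the visitor's consent for that category
//  - "DNT: 1" withholds every non-essential cookie, even a consented one
//    (this precedence is the example's own policy choice, an assumption)
function decideCookies(headers, consentedCategories, candidates) {
  const dnt = doNotTrack(headers);
  const consent = new Set(consentedCategories);
  const set = [];
  const withheld = [];
  for (const c of candidates) {
    const ok = c.category === ESSENTIAL || (!dnt && consent.has(c.category));
    if (ok) set.push(`${c.name}=${c.value}; Path=/; Secure; SameSite=Lax`);
    else withheld.push(c.name);
  }
  return { set, withheld };
}

// Constructed sample: one first-party session cookie, two tracking cookies.
const sampleCookies = [
  { name: 'session', value: 'abc123', category: 'essential' },
  { name: 'stats_id', value: 'v1', category: 'analytics' },
  { name: 'ad_id', value: 'x9', category: 'advertising' },
];

// With DNT on, only the session cookie is set, whatever the panel recorded.
console.log(decideCookies({ DNT: '1' }, ['analytics'], sampleCookies));
// Without DNT, the consented analytics cookie is set as well.
console.log(decideCookies({}, ['analytics'], sampleCookies));
```

Nothing in the browser enforces this: the same request reaches a site that ignores the header, and that site can set all three cookies.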

What needs to change?

So what would a more empowering approach look like? It would have these qualities:

  • No third-party cookies could be set without explicit consent, managed by the browser rather than sites. Sites, or third parties, that try setting a cookie should be technically prevented by the browser from doing so
  • Preferences can be set once, rather than per site, unless someone wants them to vary for certain sites
  • Choices should not be binary. Perhaps some preferences apply at certain times or in certain contexts, and are different at other times

Image: IF CC-BY. An example of our earlier work on Data licences, where we explored describing sharing choices in a non-binary way.

Some of these ideas are starting to make their way into browsers. Apple announced that Safari on iOS 12 will prompt people when websites try to access or set cookies. Firefox offers a feature called Tracking Protection which uses a list of known domains that track people across multiple sites to stop them from setting cookies, but right now, it’s a feature you have to look for if you want to prevent tracking.

There is still a lot to be done to improve how browsers help people make informed choices about tracking. We need better design patterns for consent and a commitment from browser-makers to make it easy for people to manage cookie settings. Only then will power and control lie with people using the site — instead of the publisher.