The Cookie Law is finally crumbling – good riddance

A mouse cursor hovering over an 'Allow all' option on a cookie banner

Head to a new website, or merely one you haven't visited in a while. You likely won't be able to see it, especially if you're using a smartphone. That's because the page you've attempted to load is probably obscured by the bane of the internet: a cookie banner.

In my early days, I spent a lot of time writing about the then-incoming cookie consent law, also known as the ePrivacy and Electronic Communications Directive. It stipulated that web users should know if a website is tracking them and only allow it with consent. Once it came into UK law in 2012, the UK's Information Commissioner's Office (ICO) had to devise a way for website owners to practically issue a warning and ask permission.

On that front, the ICO failed – at the time and in the long run. The law came into force in May, with the data regulator issuing advice a few weeks before suggesting that displaying a banner on websites as visitors arrived would suffice as compliance. Those pop-ups are increasingly massive and – if I'm any judge – quickly swiped away. I will tap "accept" or "reject" at random; I no longer care, just show me the thing I wanted to see.

That said, if the UK's implementation of this directive failed to protect online privacy, it was successful with the second goal: education. Before, web tracking was a niche subject. The advent of annoying banners ensured everyone understood the basic fact that websites didn't just show information, but collected it too.

Ten years on, the lesson continues, despite the fact the UK chose to leave the EU. The death of the cookie law could have been the single light in the darkness that is Brexit, but the UK didn't bother to actually change its regulations once given the freedom. So here we sit, with a silly EU law still on our books.

It's a law that we haven't heavily enforced either. The ICO has hundreds of complaints a year about cookies – exactly about what is impossible to discern, as it doesn't break down the nature of the complaints. Nevertheless, the ICO hasn't, as far as I can tell, ever issued a fine or enforcement notice over the issue. A spokesperson tells me they don't believe they've taken any formal action either.

The EU has been more forceful. European regulators deemed Google's own cookie pop-ups for Search and YouTube to be insufficient, forcing it to roll out more robust banners last year. The new version – which you'll only see if you're logged out – so hit up Incognito mode if you're curious – is more than 200 words, and that's before you tap for more options.

Hopefully, the cookies debacle won't run much longer. The UK is working on fiddling with the regulations to reduce the number of banners, while German regulators have been working on a law that would see consent replicated across some websites, reducing pop-ups but not wholly removing them. Even that welcome tweak may soon become largely pointless.

While tech-savvy users have long used extensions to dodge tracking, and Firefox and Safari already block trackers by default, Google is set to follow that lead with Chrome. The firm will finally embed cookie consent decisions fully into the browser next year so we can be asked the question once – and just once. That ought to kill off tracking cookies entirely, as it's bewildering to think that anyone would allow it.


The Total Economic Impact™ of IBM Spectrum Virtualize

Cost savings and business benefits enabled by storage built with IBMSpectrum Virtualize


Of course, this solution was discussed back in the early days of the cookie consent law debate, but presumably asking once, and never again, was seen as lacking the educational component. But so long after the fact, other tracking techniques have superseded the humble cookie, such as social media widgets and tracking pixels and now Google's new Topics API, designed to let the company keep selling targeted ads. There’s also the highly anticipated ePrivacy Regulation, an evolution of the Cooke Law, which was supposed to coincide with GDPR, but is still in the works.

If Google manages to make its system work, Chrome will track our interests and make a list of topics we like, sharing access to three of those at random to advertising networks each time you visit a page. No other demographic data will be shared, Google says, and the information will fade after three weeks. What this means is advertisers – Google included – will no longer be able to track you all across the web to know you're eyeing up a new pair of trainers, but they'll still be able to show you ads for trainers constantly, including three weeks after you've purchased a pair.

Don't expect this to fix the web. None of this will end the most egregious AdTech practices nor the use of tracking to fuel them. But at least you'll no longer be slapped in the face with cookie pop-ups while having your privacy invaded.