The global influence of the EU’s cookie laws is due for a revamp later this year.
Cookies hold visitor information for websites and are crucial for some basic functions, like remembering your username. But they can also be a privacy nightmare. Your data gathered by these cookies can be sold to third-party companies and used for targeted advertising.
To deal with the murky implications of cookies, the European Union enacted a sweeping cookie law in 2009, based on a previous privacy directive. With this new law, websites had to ask European visitors for consent to use cookies. Many companies have switched their systems to include consent pop-ups for users worldwide, rather than creating separate European versions of their sites, so it has also affected Americans.
Although the aim was to give power back to the users and let them decide which cookies they were okay with or not, the law has since had unintended consequences, the main one being “cookie fatigue.” Users are now bombarded with consent pop-ups so often that they rarely read them, choosing to just blindly click to accept the cookies. So the consent pop-ups make you feel like you are secure, but are not actually good at offering real protection.
The EU has been trying to address this issue for some time now. Early last year, they tried to do so with a “cookie pledge” that had major platforms owned by the likes of Amazon, Apple, Meta, and ByteDance sign an optional agreement promising to improve the cookie pop-ups. That unsurprisingly must not have worked out as well as they hoped.
Now, EU officials are planning to present a rule that addresses this concern for good in December, Politico reported on Monday. They are holding meetings with the tech industry to agree on a strategy, and many ideas have reportedly been floated.
In a note sent to an industry focus group, the European Commission floated the idea that users can have set preferences for cookies in their browsers rather than having each website individually ask for consent, Politico reports.
Danish authorities have suggested completely dropping consent banners for cookies that are used for “technically necessary functions” like simple statistics, rather than the ones deemed more harmful, like third-party data sharing.
Other European officials believe the cookie rules should be incorporated into the EU’s General Data Protection Regulation (GDPR), a sweeping online privacy law that shaped the internet when it passed in 2018. It also upset big tech companies, many of which have been hit with major penalties over breaching it. Meta, for example, was hit with a $1.3 billion fine in 2023 for violating user data privacy on Facebook.
The GDPR triggered an avalanche of cookies when it passed. Cookies are technically subject to GDPR, but that law is not the primary way the EU governs cookie use; they have the ePrivacy Directive for that.
The GDPR is supposed to have a “risk-based approach,” Politico notes, instead of the strict consent requirements put forth by the ePrivacy Directive. This means that if cookie governance is switched over to the GDPR, it will be up to the tech companies to adjust how they deal with cookies based on the level of risk associated with the data they are harvesting.
No matter how the EU eventually decides to address its cookie and consent pop-up problem, there is undoubtedly room for improvement.
Consent pop-ups in general have been criticized by data privacy experts as a surface-level remedy that can be easily manipulated by tech companies. One way that they do that is via “dark patterns,” aka deceptive design techniques they use to manipulate your behavior online. The European Union is set to address those concerns next year in a new piece of legislation called the Digital Fairness Act.
English (US) ·