Could the solution to the cookie controversy be found partly in a technical fix and partly in assigning consent to a trustworthy third party?

Like the rest of the EU, Denmark shall, no later than 25 May 2011, implement in national (i.e. Danish) legislation a provision that the owner of any website must obtain consent from each visitor to that site before placing a so-called “cookie” on the visitor’s computer. Since the Danish National IT and Telecom Agency launched a public consultation on a draft of implementation of this new provision of consent in March, there have been vehement discussions in the internet business about how the provision of consent should be worded, and whether a provision of consent was practically feasible at all.

A discussion about cookies can easily get bogged down in technical details. However, as a somewhat simplified summary, one might say that the operator of a website – and often also the visitor to that website – has an interest in having the website recognise the visitor from time to time. Not only is it interesting to be able to recognise the identity of the visitor, but often it will also be of great practical help. It means that the website – without actually knowing the identity of the visitor – can enable the visitor, on his next visit to the website, to carry his “history” at that website with him. This avoids forcing the visitor to resupply all the information that was provided on the previous visit.

Thus, the use of cookies is often of great practical advantage both to the website and to the visitor. However, the use of cookies is also a fundamental underpinning of the online economy that, in many cases, provides the basis for websites to provide a useful service to visitors. Cookies are used to identify visitors and regularly update their behaviour – all with a view to serving them commercials, in connection with their visit to the website, which provide the best possible match between the contents of the commercials and the profile of the visitor.

The use of cookies is further complicated by the fact that cookies created in connection with a visit to a website are not only saved by the provider of the website and used for profiling, but also by third parties: advanced online media agencies which, via large and sophisticated networks, are able – at least to some extent – to match the visitors’ profiles.

Cookies are thus used both to register information and to profile visitors to websites – irrespective of whether or not the visitors can be identified personally. In technical terms, the use of cookies involves placing a small text file on the visitor’s own computer, which serves to identify the visitor to a few (or even many) websites which the visitor subsequently visits. This is all quite opaque to the visitor, who is usually an unsophisticated consumer with no real insight into what is going on.

Last year, The Wall Street Journal published a very illuminating series of articles about just how prevalent the use of cookies is – in particular, the so-called third party cookies – and how extensive the registration of that information could be; information that will often contain many personal details. It is, inter alia, because of this issue that the new EU provisions have arisen.

In a nutshell, the new provisions require that anyone who wishes to place, and subsequently retrieve, a cookie on a user’s computer must ensure beforehand that consent thereto has been given by the user in question. This consent has to be genuine. The National IT and Telecom Agency refer to “informed consent”, which, without going into detail, means that the visitor shall have an actual and full overview of the consequences of accepting a cookie.

It is probably only the most hard-core advocates of consumer protection who would praise the new provisions as being unproblematic for both providers of websites and their users. Among almost the entirety of interested parties who use the internet, from consumers to the companies that organise e-trade and online commercials, there is an understanding and acknowledgement that it will be very impractical and time-consuming for a user of a website, on each visit, to have to acquaint himself with the terms of each individual cookie that’s used, and then decide whether or not consent should be given. It would simply be too bothersome to be “forced” to read through complicated terms and declarations of an agreement, as often there will be a double-digit number of cookies that are relevant in connection with a visit just to a normal e-trade or newspaper website.

On the other hand, it also does not make sense for the starting point (the “the default solution”) to be that the visitor just accepts all cookies and takes on trust the fair use of every cookie; other sources that became aware of this situation could exploit it. This precise situation has been the starting point for the present legal position in the area, and it is this asymmetry that the new EU provision is trying, with reason, to address – however ineptly.

Therefore, it is in everybody’s interests that a practical solution be found; one based on the clear starting position that the visitor shall give informed consent. However, on the other hand, I realise that it is in nobody’s interests – in particular, not the visitor’s – for the inconvenience of giving such consent (or omitting to give it) to become so considerable that you either do not wish to visit these websites at all, or end up just “closing your eyes” and accepting virtually all cookies blindly.

My suggestion is for a pragmatic and practical solution, based on two simple conditions. First, one should seek help in the technological possibilities offered by all modern browsers today, which permit your preferences to be set in relation to cookies used by the websites you visit, and re-evaluate and adjust your settings regularly, both generally and specifically. Secondly, one should realise that with cookies, just as with so many other areas of consumer relations, it will have to be left to trustworthy third parties to make the choice in such complex areas on behalf of the consumer. The determination of whether a cookie, including a third party cookie, should be accepted is something that the consumer should be able to “delegate” to a trustworthy third party.

The most modern browsers today, notably Firefox 4 and Internet Explorer 9, contain advanced options to allow the browser to accept or reject cookies, including third party cookies, on an individual basis. These options and preferences are, however, still too difficult to use for an ordinary user. And for all users, it will still be too time-consuming to work with cookies, generally or specifically, by adjusting browser settings on a regular basis.

Even though the provisions of the order concerning cookie consent involve not only visits to websites (the provisions are, to a great extent, also relevant in connection with mobile phones, SaaS solutions etc.), the most important challenge at the moment is to clarify the conditions about consent in connection with visits to websites. Here it is obvious that the solution involves the visitor in taking personal responsibility for his choice via the application, i.e. the browser, which he controls himself and uses for visiting websites.

My suggestion is, therefore, that the internet business in Denmark – with the participation of all relevant interested parties – should jointly develop some kind of plug-in or add-on to the cookie settings of modern browsers, which can be downloaded by Danish users and which, as a starting point, can be used in connection with informed consents when placing and downloading cookies. It is obvious that such a solution must be based on open standards and open source, as there must be free access for everybody to improve and develop the solutions. The internet business should jointly specify the requirements for the menus of the application, user choices, GUI etc.

Such a joint cookie wizard cannot stand alone, however. It is necessary to establish standards for which significant choices the visitors should make in connection with the evaluation of whether a cookie should be accepted or rejected. What information is gathered, what is it used for, who uses it, for how long is it stored, etc.? Here, the internet business should also join forces and establish a kind of labelling system, from which a user can get a simple overview of the properties of an individual cookie. Here, much inspiration can be derived from the use of pictograms by the Creative Commons licences, and in Denmark we already have good experience with the use of labelling systems in connection with the e-trade label.

However, it is not enough that the user can make an informed choice on the basis of clear pictograms that describe the most important properties of the different cookies and their extent. It would still be inexpedient for the user to have to decide whether or not to accept every cookie individually, even if the decision were based on clear and concise information. Here I suggest that organisations and companies that might form a relevant part of this process should prepare lists with names (IP-addresses or another form of relevant identification) of websites – maybe even right down at the individual cookie level – which may be planned, for instance, within (for the sake of simplicity) four categories of different properties, extent of cookies and combinations thereof, which the user might choose generally to accept. Users will thereafter choose, according to their own preferences, which organisations or companies they as users consider particularly trustworthy or relevant in relation to their own preferences – everything from e.g. the Danish Consumer Council, the National Consumer Agency of Denmark, FDIM (the Danish Association of Interactive Media), FDIH (the Danish Distance Selling and E-business Association), Dansk IT, DI ITEK, E-handelsfonden (The Danish E-trade Association) etc. – and be able to subscribe to each organisation’s or company’s “white list”, where the so-called approved websites or cookies were listed. These lists should, of course, be available in an electronic format and would be updated regularly and downloaded to a cookie-wizard within the user’s browser, e.g. by subscribing to an RSS-feed.

Then, one could envisage that the cookie-wizard would adjust the browser in such a way that, as a starting point, the browser would not accept third party cookies, or maybe any cookies in general, as the user would give individual consent for the storage or access of a cookie. The consent would, however, be given in an ongoing manner, without the user’s intervention, to any site in the downloaded white lists. If a website, or a specific cookie, were to be found in a white list, consent would automatically be given. If not, the user would be asked specifically whether or not consent should be given.

Thus, the suggested solution would not be an “opt-out” solution, but in reality an “opt-in” solution, as the default setting of the browser would be to “not accept”. The user would, however, have made a decision initially to “opt-in” – i.e. consent – to the websites and specific cookies that a trustworthy third party had placed in a white list.

The suggested solution assumes, of course, that such a cookie-wizard, with one or more white lists that are updated regularly, is technical possible. I believe it to be so, but I have not checked this in detail. But, as always in connection with IT, where there is a will, there is usually a way.

In my opinion, the suggested solution has much in favour of it. First of all, it is based on the overall principle that the user gives informed consent before it becomes permissible to place and to access cookies on the user’s computer. At the same time, it should be ensured that the user is still in full control of the choice about accepting cookies, as the cookie-wizard under discussion should not only provide the ability to accept and allow access to cookies on the user’s computer via white lists, as discussed, but also subsequently allow the user to view and perhaps delete the cookies that it has accepted. In these situations, the user would specifically be able to “overrule” a white list and/or make overall changes to his settings.

A solution seems, then, to create a balance between providing the user with full control over cookies whilst still allowing visits to websites to be made practically effortlessly.

On the other hand, I think that the suggested solution will be of great advantage especially to Danish companies that are affected by the cookies provisions, either because they run a website themselves or because they use cookie technology to sell products and place commercials on others’ websites. It is undisputed that the lack of transparency, and thus uncertainty, in connection with the use of cookies today makes users nervous. The general use of cookie technology is thus surrounded by a certain antipathy amongst users. If this uncertainty is not addressed, it must be expected that the uncertainty and discontent will increase, and that this will have a negative impact on the effect of using, and the ability to use, cookies in connection with the placing of commercials. The suggested solution will thus generally bring more confidence and clarity into the system, which must be of positive interest to all parties.

However, what must be even more interesting for the companies in question – the vast majority of which, luckily, are serious and professional organisations – is that the suggested solution could become an effective means of preventing frivolous or maybe even fraudulent players in the market from spoiling things for the abovementioned serious, professional and law-abiding participants. If the serious and law-abiding players jointly put forward criteria for the use of cookies, and the information they contain, together with other relevant interested parties, and thus establish some sort of labelling system à la e-trade label, then such a system would entail precisely these serious and law-abiding players having their websites and cookies placed on relevant white lists. Then it could be expected that, for all users who use the proposed solution, the default setting of not accepting cookies (i.e. third party cookies not included in a white list) would act as an effective filter of all the frivolous and possibly fraudulent players. The shadier part of the advertising market would thus have a hard time, whilst the serious part would be able to improve its market shares significantly.

A challenge in connection with the suggested solution would be the handling of foreign websites that are serious but that do not comply with the European provisions about consent in connection with cookies, and which therefore will not be found in the white lists in question. For instance, the majority of – or maybe all – foreign news websites would be picked up by the default setting of the browser, which would be not to accept cookies, unless the website were included on the white list. This would be to the annoyance of Danish users, and would maybe even lead many users to return to their browser settings and choose to accept all cookies by default, including third party cookies. Such a situation would undermine the suggested solution. One way of handling this challenge initially, in connection with visits to these news websites, would be for the user to click “accept” to all the cookies that may be presented, when the default setting of the browser was not to accept cookies. In this case, the news websites in question would be added to the user’s own personal white list. However, such a solution would often be inconvenient, as it would require the user to “click through” all news sites.

Another solution could be that other trustworthy third parties, e.g. including a user’s friends, could exchange revised white lists. However, it is obvious that if these white lists with websites that do not comply with the EU cookie legislation were to become too widespread, it would be to the detriment of the whole idea of a Danish labelling system.

It is obvious that the solution suggested above is only an outline. Of course, there are many aspects that are unclear, such as whether the solution can even be implemented technically. However, I would strongly recommend that a solution of implementing the cookie directive requirements of informed consent should be made based on principles that involve technical solutions at browser level on the one hand, and informed consent being given on the other, with the consent being delegated to a trustworthy third party.

Related articles

• Denmark: first country to implement “cookie”-directive. Here’s the proposed executive order. (jon-lund.com)
• The EU vs Cookies Round 2 (epiphanysolutions.co.uk)
• New E-Privacy Directives – It’s all in a Cookie (convonix.com)