Cookies do many things, all of them useful to someone, and many of them at odds with the interests of the end user. They can be genuine security risks, and browser vendors such as Google have worked, and continue to work, on standards that reduce those risks as far as possible (see, for example, https://cookiepedia.co.uk/Content/ChromeUpdates). Browsers do let you control cookies, but the controls are blunt today, and relying on them makes the experience frustrating every time you revisit a site.
The bottom line is that cookie management for the end user is complicated, clumsy and riddled with issues. One of those issues is how vendors are implementing GDPR cookie compliance on their sites.
As a result, pretty much every website you visit today greets you with a cookie consent system. And here’s the tension: there is no standard for these things. Some websites don’t let you refuse marketing cookies at all; they only let you choose (often from a very long list) which marketing ‘partners’ may receive your data, which looks more like CCPA-style opt-out than GDPR-style consent. Others offer a simple choice of perhaps three options – Necessary, Performance, Marketing – which is more in line with GDPR.
There’s an obvious cynicism built into these solutions. Given that most users won’t know what they’re looking at, set the defaults to ‘accept’, bury ‘deny’ behind lots of buttons, and confuse the user into pressing the fewest buttons possible – usually ‘accept all’. User consent achieved, marketing happy, value to user privacy nil.
This is obviously a personal thing – I don’t like the internet taking advantage of the uneducated user (and I don’t like having to make a dozen cookie clicks before reading a website). But it highlights a couple of things that will only grow in importance as privacy regulations expand in both reach and control.
What Can Be Done?
Firstly, we need a standard for cookie management tools. They need to look similar and offer similar options. Diversity here is not competition, it is confusion, and it leads users into mistakes to the detriment of their privacy.
Secondly, we need a standard for cookies themselves, similar to the way browsers already distinguish third-party cookies and honour attributes such as Secure and SameSite, that flags each cookie with a purpose type and lets users set their preference per type in the browser. Users can then ‘set it once, use it many times’, reducing both frustration and mistakes. Cookies that aren’t flagged can be dealt with individually by the standardised tool set described above. One caveat: such a flag is declared by the site, so it needs the same backstop a consent banner does. Labelling a marketing cookie as ‘necessary’ has to count as a compliance failure, not a loophole.
Thirdly, organisations need to consider whether they really need a complicated cookie structure, especially on informational as opposed to commercial sites. Minimise the cookies you set – just because you think something is a good idea doesn’t mean it’s necessary. Yes, if your income model is based on adverts, then users should be able to choose targeted vs non-targeted. But if you don’t have a real and present need for a function, don’t implement it. All you do by gathering data you don’t NEED is build risk for yourself and your users, in a time when privacy regulators have teeth and attackers have a thousand ways of exploiting badly implemented cookie systems. Every extra cookie is also one more place to get the Secure, HttpOnly and SameSite attributes wrong.
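To make the second and third points concrete, here is an added example (not code from the original post, and not any existing standard) of what a ‘flag the cookie by type, set the preference once’ gate might look like on the server side. Because no purpose attribute exists on the wire today, a site-declared registry of cookie name to category stands in for it; the registry, the cookie names and the preference object are constructed for illustration. The gate defaults to deny (the opposite of the ‘default to accept’ pattern above), withholds and reports any cookie the site forgot to classify, and runs the basic hygiene checks on every cookie it sees.

```javascript
// Added example: a server-side consent gate over Set-Cookie headers.
// Nothing here is a real standard; the registry and names are made up.

const CATEGORIES = new Set(["necessary", "performance", "marketing"]);

// Hypothetical site-declared registry standing in for a per-cookie
// purpose flag. Anything not listed is "unflagged" and gets reported.
const COOKIE_REGISTRY = {
  session_id: "necessary",
  csrf_token: "necessary",
  perf_sample: "performance",
  ad_segment: "marketing",
};

// Parse one Set-Cookie header value into name, value and an attribute map
// keyed by lower-cased attribute name (flag attributes map to true).
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim()).filter(Boolean);
  const eq = pair.indexOf("=");
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const value = eq === -1 ? "" : pair.slice(eq + 1);
  const attributes = {};
  for (const a of attrs) {
    const i = a.indexOf("=");
    const k = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    attributes[k] = i === -1 ? true : a.slice(i + 1);
  }
  return { name, value, attributes, raw: header };
}

// Hygiene checks that apply regardless of purpose. HttpOnly is a warning,
// not an error: some cookies (e.g. a double-submit CSRF token) must be
// readable by script, but that should be a deliberate choice.
function hygieneWarnings(cookie) {
  const w = [];
  const a = cookie.attributes;
  if (!a.secure) w.push("missing Secure");
  if (!a.httponly) w.push("missing HttpOnly");
  const ss = typeof a.samesite === "string" ? a.samesite.toLowerCase() : undefined;
  if (!ss) w.push("missing SameSite");
  else if (ss === "none" && !a.secure) w.push("SameSite=None requires Secure");
  return w;
}

// Default-deny: a missing or malformed preference counts as not consented.
// "necessary" cannot be switched off because the site does not work without it.
function normalizePrefs(raw) {
  const prefs = { necessary: true, performance: false, marketing: false };
  for (const [k, v] of Object.entries(raw || {})) {
    if (CATEGORIES.has(k) && k !== "necessary") prefs[k] = v === true;
  }
  return prefs;
}

// Apply the user's stored category preferences to a response's Set-Cookie
// headers. Necessary cookies always pass; other categories pass only when the
// user opted in; unregistered cookies are withheld and reported for a human
// to classify, rather than silently sent.
function gateCookies(setCookieHeaders, prefs) {
  const kept = [];
  const dropped = [];
  const unflagged = [];
  const warnings = [];
  for (const h of setCookieHeaders) {
    const c = parseSetCookie(h);
    for (const w of hygieneWarnings(c)) warnings.push(`${c.name}: ${w}`);
    const category = COOKIE_REGISTRY[c.name];
    if (category === undefined) {
      unflagged.push(c.name);
      continue;
    }
    if (category === "necessary" || prefs[category] === true) kept.push(h);
    else dropped.push(c.name);
  }
  return { kept, dropped, unflagged, warnings };
}

// Constructed sample response headers, including one cookie nobody registered.
const SAMPLE_HEADERS = [
  "session_id=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
  "csrf_token=t0k3n; Path=/; Secure; SameSite=Strict",
  "perf_sample=1; Path=/; Secure; SameSite=Lax",
  "ad_segment=42; Path=/; SameSite=None",
  "tracker_xyz=deadbeef; Path=/",
];

// A user who accepted performance cookies but not marketing ones.
console.log(gateCookies(SAMPLE_HEADERS, normalizePrefs({ performance: true })));
```

With the sample input, the session and CSRF cookies pass as necessary, the performance cookie passes because the user opted in, the marketing cookie is dropped, and the unregistered tracker is withheld and listed under `unflagged`. The warnings show why minimising cookies matters: the two cookies nobody thought about carefully are exactly the ones missing Secure and SameSite.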
Cookie control is part of both an organisation’s brand and its responsibility. Get the UX wrong and users won’t think well of the organisation. Get the design wrong and attackers will thank you. The answer? As always with security and privacy: apply the ‘need’ test to decide what you do, put the customer experience first, and, as much as possible, contribute to the discussion with browser vendors and regulators about standardising how these things work.
Users will thank you for it.
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.