Browsers to the Rescue?

One of the areas of the new cookie law that has been most confusing for many people is the role, or potential role, of browsers in the consent process.

The EU Directive makes mention of browsers as being viable solutions for obtaining consent, and in the UK the regulations state that “consent may be signified by a subscriber who amends or sets controls on the internet browser which the subscriber uses or by using another application or programme to signify consent”

So although browsers are not the only way to signify consent, they are given special mention, indicating that this might be seen as a preferred method. 

In addition the Department of Culture, Media and Sport who are responsible for the UK legislation, have repeatedly stated that they are actively working with browser manufacturers on enhancing functionality so that browsers can be used as a default consent mechanism.

This tells us that it is both a preferred route, and that current browser functionality is not considered enough for compliance. Which the ICO have themselves affirmed.

On the face of it this seems like a perfectly logical approach to take.  Making changes to a handful of browsers is a lot easier than making changes to millions of websites.  It would also be a great way for web users to have a high degree of control over their privacy regardless of where a website or its owners are located, which is the whole point of the law. 

However, in practice there are a number of significant barriers to this approach.  Whilst none of these is insurmountable, I certainly won’t be expecting the white knight of a cookie law compliant browser to come galloping to the rescue any time soon.

First off, compliance is the responsibility of the website owner, not the visitor or browser manufacturer.  So even if there were compliant browsers, the website would have to be able to detect whether or not pages were being delivered to one.  If not, then the website would have to take responsibility for getting consent anyway, or delivering a cookie free experience.

So the existance of compliant browsers does not itself mean websites can afford to do nothing to satisfy the regulations.

Secondly, a compliant browser would have to have information about cookies passed to it by the website that is not currently part of the information set that cookies contain.

In order for users to give informed consent, they need to know what data a cookie is collecting, and what will be done with that data.  So you not only have to set up a browser so it can read and display that information to the user – the website has to be set up to pass that information across.  To do this, you need to either fundamentally change the nature of cookies so they can hold this data, or you have to create a new standard for passing it from website to browser.

Both of these approaches are not inconceivable – but would require universal agreement on changing worldwide technology standards.  Such agreement could take years to achieve, even before the new standards could begin to be adopted by websites en masse.

Thirdly, there is the issue of upgrading to the new browser.  Whilst people have got used to more regularly updating their browsers, significant numbers often remain 1 or 2 generations behind the latest versions up to a year after they have been rolled out.  So even after ‘fully compliant’ browsers are released, websites will need to maintain their own compliance processes for several years.

And finally, beyond all the technicalities, there is the issue of the potential conflict of interest. The major browsers are owned or financed by businesses that make billions through targeted advertising.  Which makes them part of the very group that stand to lose the most from the new regulations.  It is the online advertising industry that has lobbied hardest against the cookie law.

The reality is that, whatever they might say in public about protecting privacy, their greater commercial interests are served by collecting data.  It therefore stands to reason that unless they are legally obliged to comply with the regulations, they are extremely unlikely to act against those greater interests.  Which is entirely correct behaviour for any business.

It is for all these reasons that we believe a wholly browser based approach to cookie law compliance will not deliver the solution that many are hoping it will.

Like it or not, it is up to the web design and development industry to deliver the solutions that website owners need.  Solutions that the site owners need to start demanding now if they are going to be delivered in time.