A UX Disaster: Can We Solve the Cookie Crisis?

Paul Boag

Cookie notification overlays are undermining usability (especially on mobile) while also wholly failing to secure improved privacy.

Excuse the melodrama, but I am coming to believe that the European Commission is destroying the web one good intention at a time. Or more specifically their desire to protect our privacy online has resulted in unforeseen consequences in the form of an explosion of cookie and privacy overlays.

In fact, I would argue (and I know this is more melodrama) that from the perspective of your average user, the cookie crisis is more damaging to their daily experience than the demise of net neutrality.

Yet you hear little or no organised resistance to the insanity of cookie notifications in the same way you do towards net neutrality. Instead, we have all just rolled over because the underlying intentions are good.

Let me be clear, they are good. People should have control over how much sites can track them and what information they can collect. What the European Commission is trying to achieve is admirable. However, as it currently stands they are not only failing, they are making things worse for the majority of people.

In this post, I want to explain why they are failing, how they are making things worse and then talk about possible fixes.

At this point it is probably worth saying that this article has been heavily inspired by a post written by Troy Hunt entitled "These Cookie Warning Shenanigans Have Got to Stop". I highly recommend you check that out.

As I understand it, the European Commission aims to empower people and put them in control of what data can be collected about them online. However, I think it is fairly clear at this point that displaying a cookie and privacy policy notification is not achieving that goal.

Many websites may be complying with the letter of the law, but they are certainly not complying with the spirit of it.

By overwhelming users with technobabble, legal jargon and a myriad of options, companies know damn well that users will not have the time or inclination to make informed decisions. Most users are simply clicking yes and moving on.

A collection of different cookie notifications.
The current approach to cookie notifications seems designed to overwhelm the user. There is no consistency of approach and nothing to guide users to make informed decisions. Not to mention it is devastating the user experience of nearly every website you visit.

But imagine a magical world where users did make an effort to read every privacy policy and examine every cookie a site is using. Let us also assume that the users had degrees in computer science and law. Even then, cookie notifications would fail to solve the problem they were designed to address.

Sure, advertising networks currently mainly rely on cookies to track a user between sites. But that is not the only tool in their arsenal. There are other ways a user can be uniquely identified and tracked.

Screenshot from amiunique.org
Am I unique perfectly demonstrates how easy it is to track an individual without using cookies.

By combining various factors such as your browser version, operating system, language, resolution and other detectable characteristics it is perfectly possible to uniquely identify you and therefore track you across multiple sites.
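To see how quickly combined characteristics single people out, here is an added example (not from the original article) that measures how many visitors in a small constructed population become uniquely identifiable as each attribute is added. The visitor rows and function names are assumptions made for illustration.

```javascript
// Constructed sample population (not real measurements): one row per visitor.
const FIELDS = ["browser", "os", "language", "resolution"];
const visitors = [
  ["Firefox 61", "Windows 10",   "en-GB", "1920x1080"],
  ["Firefox 61", "Windows 10",   "en-US", "1920x1080"],
  ["Chrome 67",  "Windows 10",   "en-GB", "1920x1080"],
  ["Chrome 67",  "Windows 10",   "en-GB", "1366x768"],
  ["Chrome 67",  "macOS 10.13",  "en-GB", "1440x900"],
  ["Chrome 67",  "macOS 10.13",  "en-US", "1440x900"],
  ["Safari 11",  "macOS 10.13",  "en-US", "1440x900"],
  ["Safari 11",  "macOS 10.13",  "en-US", "2560x1440"],
].map(row => Object.fromEntries(row.map((v, i) => [FIELDS[i], v])));

// Group visitors by the combined value of the chosen attributes.
// Each group is an "anonymity set": visitors that cannot be told apart.
function anonymitySets(records, attributes) {
  const sets = new Map();
  for (const r of records) {
    const key = attributes.map(a => r[a]).join("|");
    sets.set(key, (sets.get(key) || 0) + 1);
  }
  return sets;
}

// Number of visitors who are alone in their set, i.e. uniquely identifiable.
function uniquelyIdentifiable(records, attributes) {
  return [...anonymitySets(records, attributes).values()].filter(n => n === 1).length;
}

// Identifying information, in bits, that the attributes reveal about one visitor.
function bitsRevealed(records, attributes, visitor) {
  const key = attributes.map(a => visitor[a]).join("|");
  return Math.log2(records.length / anonymitySets(records, attributes).get(key));
}

// Add one attribute at a time and count who has become unique.
function report(records) {
  return FIELDS.map((_, i) => {
    const attrs = FIELDS.slice(0, i + 1);
    return { attrs: attrs.join("+"), unique: uniquelyIdentifiable(records, attrs) };
  });
}

console.log(report(visitors));
```

No cookie is involved at any point, which is why a cookie notification does nothing about this kind of identification.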

However, it could be argued that doing something about these invasions of privacy is better than nothing. Unfortunately, the cost to the user experience is so high that this particular something is not our best option.

If you mainly access the web from within the European Union you will already be aware of the cost of cookie notifications to the user experience. But, if you are lucky enough to live elsewhere, let me give a sense of how bad things have got.

TechCrunch's privacy notification.
Few users are going to wade through privacy policies or manage their cookie options.

In his post on cookie notifications, Troy Hunt uses TechCrunch as an example of just how bad things can get. Their privacy policy runs to over 3000 words and it is a labyrinth of links before you can get anywhere near setting your privacy settings.

When you do finally get to the settings, you are confronted with 224 different ad networks that need configuring individually.

But that is not the worst part of the user experience. It is the fact that on every website you visit you are confronted with one or more overlays you have to close.

Each and every website involves closing at least one overlay before you can view the content. Also, it is not unusual to have to do this multiple times for each website over subsequent visits.

Now, this is annoying on a desktop. It feels like death by a thousand cuts. However, on a mobile device, it can make some sites unusable. I regularly encounter sites where you cannot close the overlay for some reason, or the overlay takes up so much real estate you cannot see the content of the site to decide whether you want to proceed or not.

In short, for mobile users, the web has become a huge game of whack-a-mole as cookie notification overlays spawn and need to be agreed to.

What then can we do about all of this?

There are no easy answers, and I am certainly not setting myself up as the person to solve what is a very complex issue. I am not a lawyer or particularly technical.

This is going to take smarter minds than me from many different disciplines including, but not limited to:

  • Advertisers.
  • Developers.
  • Lawyers.
  • Policy makers.
  • User Experience specialists.

That said, I do begin to see some possible ways forward that are at least worth exploring. In particular, I want to look at how we could solve this long term and what you can do immediately on your own website.

Let’s start with a possible long-term fix.

Potential Long Term Fixes

Unsurprisingly, I found some alternatives to cookie notifications already being proposed. One that got my attention was Do Not Track, a standard created in the States that allowed users to specify their preferences at the browser level.

The idea only gained limited traction, in part because there was little incentive for websites to honour user preferences. However, I believe there might be potential in the underlying concept if properly implemented and if website owners could be properly motivated to implement it.

First, I would suggest that the choice of settings would need to be slightly less binary than it currently is. As it stands, Do Not Track only offers to opt in or out of tracking. I am a great fan of simplicity, but if we want advertisers to respect it, and websites that rely on advertising to survive, it might be necessary to provide a little more flexibility.

Screenshot of Safari browser settings
If websites could be encouraged or forced to comply with user preferences at a browser level it would avoid the need for on screen notifications.

Second, and most importantly, website owners need to be motivated to implement it. Government mandate is one way, but I have little confidence in their ability to do so effectively.

Another solution would be for Google to weigh in. If they introduced Do Not Track compliance as a factor in their algorithm for ranking, most website owners would fall in line.

Admittedly, Google relies on advertising themselves. But, they also value performance and usability, which cross-domain tracking can impact.
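What honouring a browser-level preference could look like on the server, as an added example that is not from the original article. The cookie inventory, the `siteConsent` parameter and the rule that an explicit `DNT: 1` always wins are assumptions of this sketch; only the `DNT` request header itself comes from Do Not Track.

```javascript
// Hypothetical cookie inventory for an example site; names, values and purposes are assumptions.
const COOKIES = [
  { name: "session",      value: "opaque-session-id", purpose: "necessary" },
  { name: "basket",       value: "3-items",           purpose: "necessary" },
  { name: "analytics_id", value: "visitor-123",       purpose: "tracking" },
  { name: "ad_network",   value: "profile-456",       purpose: "tracking" },
];

// Interpret the DNT request header: "1" opts out of tracking, "0" opts in,
// anything else means the user has expressed no preference in the browser.
function trackingPreference(headers) {
  const lower = Object.fromEntries(
    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), String(v).trim()]));
  if (lower.dnt === "1") return "opt-out";
  if (lower.dnt === "0") return "opt-in";
  return "unset";
}

// Decide the response for one request. siteConsent is the answer previously given
// on this site (true/false) or null if the user was never asked. It is consulted
// only when the browser sends no preference, so an explicit DNT: 1 always wins.
function decide(headers, siteConsent = null) {
  const preference = trackingPreference(headers);
  const allowTracking =
    preference === "opt-in" || (preference === "unset" && siteConsent === true);
  const setCookie = COOKIES
    .filter(c => c.purpose === "necessary" || allowTracking)
    .map(c => `${c.name}=${c.value}; Path=/; Secure; SameSite=Lax`);
  const hasTracking = COOKIES.some(c => c.purpose === "tracking");
  // Ask on screen only when neither the browser nor the user has answered yet.
  const showNotice = hasTracking && preference === "unset" && siteConsent === null;
  return { preference, setCookie, showNotice };
}

console.log(decide({ DNT: "1" }));  // necessary cookies only, no notice
console.log(decide({}));            // necessary cookies only, notice shown
```

With this policy a visitor who has set the preference in their browser never sees a notification, and a site that only uses necessary cookies never shows one either.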

However, even if we could not get a system such as Do Not Track to work, that doesn’t make cookie notifications the only option.

What about requiring website owners to display privacy and cookie information in a consistent standard, like Schema.org? That way browser manufacturers could build a way for users to look up privacy data into the browser, providing a consistent experience.

Mockup of in browser cookie notifications.
Some kind of in browser privacy notification would introduce some consistency to the user experience and free up valuable real estate.

Of course, these are possible long term solutions to a very complex issue. Even if a viable alternative was presented I don’t see the European Union changing its current recommendations anytime soon.

So what can we do as website owners in the meantime?

What You Can Do Now

The biggest problem with cookie legislation is that most organisations are intimidated by it. They are afraid of getting prosecuted and yet don’t really understand what the requirements are.

Part of the reason for this is that a lot of the legislation is open to interpretation. As I said, I am no lawyer and so not an expert on the subject. But, as with any legislation, the wording is crucial.

For example, cookie legislation requires that a site gets prior consent from the user to use cookies, but what does that mean? How do you have to get consent? What does prior mean in the context of a website? Although there is government advice, there is little definition in legislation.

Currys in the UK have decided that they can comply by using an inline message rather than an overlay that takes up valuable real estate on mobile devices.

These are the kinds of decisions companies are having to make and, on the whole, most organisations go with a ‘follow the crowd’ approach. If you do what a lot of others are doing, surely you won’t get in trouble.

That is understandable, but not all websites are the same and neither are all users. An overlay may indeed be necessary for some sites in some situations, but that doesn’t mean it is for yours.

For example, it may be perfectly acceptable to place the cookie notification inline, rather than as an overlay.

UK retailer Marks and Spencer seem to have concluded that they don’t need a cookie notification.

Also, it may be that your site doesn’t require a notification at all because the cookies you are using do not fall under the legislation. For example, if all you use cookies for is to enable necessary functionality and they don’t identify individual users, then a notification might not be necessary. That is why you don’t see a cookie notification on this site, but instead a plain language privacy policy.

It is also worth noting that it is improbable that a government body will prosecute a company for non-compliance without any warning. Instead, they will receive notification that they have not complied and that will give them time to rectify the issue.

Ultimately this is all about risk management. Companies need to balance the risks associated with non-compliance with the damage to user experience and by extension conversion rate.

The problem is that at the moment these decisions are being made almost exclusively by legal, and by their nature legal teams are going to be conservative. After all, they will be the ones fired if the company breaches regulations!

Instead, this needs to be a bigger discussion, not a decision made by legal alone. I would encourage you not to blindly accept the ‘rules’ laid down by legal but instead discuss it with them. Seek to understand the legislation wording better and work with them to explore different possible approaches. Nothing is ever as black and white in compliance as it first seems. There is a conversation to be had.

As Khoi Vinh explains, we need to put the same effort into creating a great user experience when designing privacy controls as goes into the rest of the interface. The Times newspaper does a surprisingly good job at this.

What the Future Holds

In many ways, the current situation around privacy reminds me of the early days of accessibility. To begin with, nobody knew what disability legislation really meant. Then people settled on implementing WAI Guidelines.

However, for a long time, this was nothing but a box-checking exercise. If it passed some WAI automated checker then you could call yourself compliant.

Today thinking has moved on and we know that just implementing the letter of some guidelines does not truly make an accessible experience.

I believe the same is true for privacy and cookies. We should focus on applying the spirit of the law rather than ass-covering. We should be seeking to empower users by being transparent, giving them control and asking for prior consent. That is far more productive than spamming them with overlays they cannot understand.

Stock Photos from Steve Cukrov/Shutterstock