What shall we do with cookies?

Recently, at European level there has been a discussion concerning the adoption of an opt-in system in order to install some kinds of cookies on users’ computers. Cookies are small files that are automatically installed on your computer every time you connect to a website. When talking about cookies, the opt-in system consists of requiring users’ express consent before installing this type of file on their computer. The Article 29 Working Party has adopted a strict interpretation of the notion of consent in these cases.

However, it seems to me that it could be desirable to slightly change the approach, in order to improve the coherence between technology and legislation.

We cannot expect users to read a whole page on cookies or privacy policies. This approach is excessive and may not be effective.

It is a well-known fact that information overload causes the opposite effect. The online environment is characterized by its dynamism and its internationality; therefore, this could be the moment to reinvent ourselves.

We cannot lose sight of the fact that a user browsing the Internet for information barely stops to read a few lines from each page until he/she finds what he/she is looking for. People are used to browsing with their smartphones, laptops or tablets on journeys or while waiting for a train. Increasingly, the general trend is to be online everywhere, at every moment and with any device.

Those five minutes on the Internet should not be wasted reading lengthy privacy policies, cookies or complex technical requirements. This is not the way to proceed, and moreover, the international nature of the network creates situations where the opt-in system could be a useless practice.

This happens, for example, when we access a website from another country and the legal notice is in another language, or when the recipients of the information are minors. In these cases, the information provided is basically useless and only disrupts our Internet browsing. To avoid these situations and ensure that privacy rights are respected without reducing easy browsing or simple access to information and technology, the Commission could establish an identification system of cookies or privacy policies by using symbols, icons or illustrations.
In fact, this system has already been applied at European level through an age limitation system, by using symbols on movies and video games and it has worked very well to date. (http://www.pegi.info/es/index/id/96/)

Furthermore, by clicking on icons users could access a website supervised by the Commission (available in all EU languages) with a very simplified and schematic explanation about the different types of cookies or privacy notices. This would spare users from having to read lengthy legal clauses and let them know straight away what information is being collected, by whom, how it is used and whether it is being shared.
Additionally, where symbols do not match reality, the website could be reported and penalized, following the United States scheme, in which the Federal Trade Commission considers misleading notices on websites an unfair and deceptive practice.

In the same way, as happened with Incoterms and signage, this could offer a direct and friendly system of symbols that users can easily identify regardless of their nationality or age.

The supervisory authorities could be in charge of the deployment of this system in their respective territories, and users could start to familiarize themselves with the symbols. At the same time, it would be desirable to strengthen education about the Internet in schools, since the best safety measure will always be prevention.

Regarding the prior consent requirement before installing cookies (opt-in system), first of all, the standardization and distinction of the different types of cookies is required. Considering the interesting report published lately by ENISA (http://www.enisa.europa.eu/activities/identity-and-trust/library/pp/cookies/), we can appreciate that there are multiple types of cookies. It seems that the main distinction could be established between functional cookies (where prior consent is not required) and advertising/analytical cookies (subject to opt-in consent).

Naturally, in both cases it would be appropriate to provide users with basic information about cookies, which could be disclosed through the abovementioned symbol system, and also the possibility of opting-out.

In the case of prior consent (opt-in system), the best solution could be privacy by design and by default, two concepts already included in the draft of the new EU Data Protection Regulation. These concepts should preferably be applied to browsers, not to websites. In fact, some interesting initiatives already exist and some browsers have already successfully implemented this approach.

It has always been difficult to match up technology and law. However, it might be worth trying to undertake this challenge by seeking greater simplification and keeping in mind that 98% of recipients of legal notices are not privacy experts.