The future
We've looked into our cold crystal ball, and this is what we saw.
Browsers won't fix anything
Officially we've heard a lot of talk about browsers changing in a way that means websites don't have to. We'd argue this is wilful bunk, and never going to happen.
We know why the theory is popular - because this change appears to involve the least disruption possible. It's easier to update a web browser than rewrite all the affected websites in the EU.
But in reality you'd be asking for two incredibly unrealistic things:
1. Browser makers would have to willingly make their browsers more annoying. If your web browser starts asking the user to confirm every website that uses cookies, then your web browser is going to suck - at least as far as the user is concerned. If Internet Explorer 10 - say - added this feature, a lot of people would choose to stick with something else.
Even if they did do this, we'd expect an explosion of plugins or options to disable the ridiculous new feature, as users would utterly detest it.
So unless all the major browsers were forced at gunpoint to do this, they'll almost certainly stall and put out weak half measures, or ignore the problem entirely. Which is exactly what we expect.
2. Almost everyone would need to upgrade their browsers. Ten years after it came out, 10% of the world still use Internet Explorer 6 - a clunky, insecure piece of crap - even after Microsoft themselves have run a massive advertising campaign saying "it's time to say goodbye to IE6". Some organisations simply refuse change, some have no choice if they want to run old software, others don't care.
In this case the circumstances are much worse - no browsers currently exist that are compatible with the new law. So instead of getting people to upgrade from just one browser (IE6), we would need almost everyone to upgrade to a new browser. Every company, home and mobile device. Good luck with that.
There's only one vaguely viable solution we could see working, and it looks like this:
Upon loading your new browser, it detects that the user is in the EU, and explains the new law to them. Probably in a detailed manner that satisfies EU legal experts, but completely goes over the gnat-like attention span of the average user.
The explanation concludes with two options:
- I agree to opt in to all evil cookies forever and ever.
- Let me agree to cookies on a site-by-site basis.
If the user chooses to opt in, they get the Internet like they always have, and the law is essentially a joke.
If the user doesn't opt in, they see a popup or similar on every website they visit that uses cookies, asking them if they want to allow that cookie. Or if they'd prefer to opt in to all cookies, and never see this question again, which of course they will do pretty soon afterwards.
"Browser settings may only deliver consent in very limited circumstances. Notably, if browsers are set up by default to reject all cookies (having the browser set to such an option) and the user has changed the settings to affirmatively accept cookies, for which he has been fully informed about the name of the data controller, the processing its goals and the data that is collected"
This scenario depends on a questionable interpretation of the law - certainly in spirit, it accomplishes almost nothing. And of course you'd still have the problem that people still have to upgrade to this new, monstrous browser, which would take many years.
In the meantime, website owners will be expected to do something.
Analytics companies have a hard time ahead
Nearly all existing analytics software relies upon cookies that expressly do what the law prohibits - they track visitors without consent. We see them as one of the greatest losers under the new law.
Because they're generally large and affect a lot of people, they're also obvious targets for complaints. Even if they themselves are not accountable, their clients are - and no-one wants to sell a product that their clients get sued for using.
So we expect analytics companies to introduce new options to accommodate the law:
- A no-cookie option, possibly only applying to users located in the EU.
- An ask for permission option, which would automatically display a popup or accordion asking users to accept cookies.
- A query parameter option, which passes a tracking session in the URL instead of via cookies. There are countless problems with this, not least copy & pasted URLs being shared.
In all cases, the software would gather less data and have to deal with a confusing mix of cookie and cookie-less data, complicating their software.
We suspect analytics companies will also continue to provide an option which leaves their software as it is now, but with the blame for this firmly in the hands of the website owners. That may be their saving grace.
The biggest infringers may just ignore the law entirely
The people most under threat by this law are generally the advertisers, media, analytics and social media companies. Their businesses depend on cookies, and they won't give them up easily.
In the UK we spend more on online advertising than we do on TV. Losing cookies would mean losing targeted ads, which is essentially the greatest advantage that booming internet advertising has.
For newspapers and other media struggling to eke out a living on internet advertising, the law is poison. We're pretty sure they won't willingly start serving popups over all their articles asking users if they mind being tracked either.
The maximum fine in the UK is currently set at £500,000. Google nets over £3 billion a year from advertising in the UK alone - they might be wise just to cut the EU a cheque.
The law will be weakly enforced for most
The UK acknowledged that technical solutions to this law don't really exist yet, and that insufficient time has been given for them to come about. With 24 of the 27 member states not yet having even published laws, we assume no-one will be prosecuted until at least 2012.
When they do, the regulator is likely to play it soft at first: asking the offenders to take positive steps towards compliance, and exacting the absolute minimum of financial or legal penalties possible. This still means people will be forced to comply, but they're unlikely to suffer much beyond having to do the work necessary.
If we look at the figures for other Acts the UK regulator (the ICO) has regulated for some time, this is what has happened historically:
Data Protection Act
Cases received: 33,234
Cases closed: 32,714
Prosecutions: 9
Enforcement notices: 15
Freedom of Information Act
Cases received: 3,734
Cases closed: 4,196
Regulatory and enforcement actions: 3
There is no guarantee that the e-Privacy law will be enforced in a similar way, but if so it appears prosecutions and financial penalties are an absolute last resort. However, it also suggests that tens of thousands of organisations may at least be ordered directly to comply with the law.
Query parameters will rise
We believe that query parameters, like this:
www.example.com/?session=1234
allow websites to continue to track users whilst still technically not falling foul of the law (this isn't true for other technologies we've researched). The alternative - requiring consent for query parameters - is too mind-bendingly stupid to contemplate.
Although they aren't a perfect substitute for cookies, they allow many of the same things - particularly tracking visitors around a website, and as such we expect to see them rise.
Of course query parameters are a horrible solution to this problem, being less secure and less user friendly, but they may become the de facto loophole around the whole charade.
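The shared-URL problem mentioned above, as an added example (not code from the original article): a site that carries the session in ?session= has to assume any link may be pasted to someone else. The function names, the in-memory store and the IP-plus-User-Agent binding are assumptions made for illustration.

```javascript
const { randomBytes } = require('node:crypto');

// Assumed in-memory store: session id -> client it was issued to.
const sessions = new Map();

// Assumed client binding: IP + User-Agent. This is a heuristic, not
// authentication; clients behind one proxy with the same browser look alike.
function clientKey(req) {
  return `${req.ip}|${req.userAgent}`;
}

function newSession(req) {
  const id = randomBytes(16).toString('hex'); // unguessable, unlike ?session=1234
  sessions.set(id, clientKey(req));
  return id;
}

// Resolve the session for a request. An id presented by a different client
// than the one it was issued to is treated as a copy & pasted link: the
// visitor gets a fresh session instead of inheriting the original one.
function resolveSession(req) {
  const url = new URL(req.url, 'https://www.example.com');
  const id = url.searchParams.get('session');
  if (id && sessions.get(id) === clientKey(req)) {
    return { id, reused: true };
  }
  return { id: newSession(req), reused: false };
}

// URL to expose in share buttons and canonical links: session removed,
// every other parameter kept.
function shareableUrl(rawUrl) {
  const url = new URL(rawUrl, 'https://www.example.com');
  url.searchParams.delete('session');
  return url.toString();
}
```
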
Extra work and another fad to follow
Web developers rejoice. The public sector are publicly obligated to abide by the new law, and will likely commission new software and web development to satisfy it.
Large companies are likely to modify their procurement rules, if only to be seen to be 'working towards compliance'. They may require their suppliers to meet the laws in future.
Depending on how much attention it gets, this law could filter down to smaller websites, but we doubt it.