Since then we have all grown used to a crappier Internet, where users routinely dismiss popups without reading them. The result has been wasted time, smaller screens, and precisely zero improvements to privacy.
Now the UK body responsible for policing these laws has published new guidelines on how we must comply. In short: we’ve been doing it all wrong.
It's all about things that you can’t do:
1. No non-essential cookies until you ask first
This means no Google Analytics, no Facebook buttons, no comment boxes, no social plugins, and no tracking pixels unless the user has explicitly chosen to enable them first. To give you a compliant example, the ICO uses this cookie sidebar:
Note how their option for analytics is turned off by default, which is also a requirement:
In practical terms, this makes analytics worthless in the UK, as almost no-one is going to opt in, and you won't know what percentage of your visitors did.
2. No emphasizing “Accept” over “Reject”
Nearly every cookie solution ever emphasizes accepting over denying cookies. The ICO explicitly says this is not allowed: "A consent mechanism that emphasizes ‘agree’ or ‘allow’ over ‘reject’ or ‘block’ represents a non-compliant approach".
(image source: ICO)
3. No denying access just because you don’t accept cookies
Many websites block access until a user accepts their cookies. Under the new guidance, this is expressly forbidden. You must provide access to your service without cookies, unless the cookies are technically required for it to function (e.g. for login, or a checkout).
Together these changes should help privacy, but they’re going to be an absolute nightmare for website owners, and we’re sceptical how they’ll work in real life.
The way that you make websites, and the way you ask for cookies will have to change completely. Let’s break it down.
How everyone used to comply and why that won’t work
The big change here is you absolutely cannot set non-essential cookies when a user loads a page. This is pretty much what everyone on the Internet does now, and changing this is a serious challenge.
Secretly though the website itself was never changed. It still used cookies. Adding a banner or popup is relatively cheap and easy, but modifying your website to not use non-essential cookies without consent is much harder.
The problem is down to the way webpages work. There’s no copy-and-paste plugin someone can add to their website which blocks cookies. In most cases, you’ll need code on your server, which means your website and your CMS will need to be modified by a programmer.
Programmers cost a lot more than copying-and-pasting a plugin.
Say your website uses Google Analytics and Facebook Share buttons. Because they are non-essential, these plugins will need to be removed until the user has chosen to enable them. This means parts of your pages will need to work with and without these features, and will need new interfaces to enable those features.
Because Google Analytics and Facebook exist for separate reasons, the user is now required to choose to enable one and not the other. This means users will need to see a list of these providers and approve them individually. Options can’t be pre-checked, and must be freely given, so your current “Accept recommended cookies” splash screen won’t cut it.
Asking your users to check a lot of separate, optional settings upfront is never going to work. We can see a better way, although it probably won’t happen.
How this could work, in an unlikely but delightful utopia
Websites could copy how our phones work.
If you use a mobile app, and it needs permission to do something, it asks you once, like this:
Your choice is remembered and you can review it later if you like. You’re given total control and crucially this request is made only when consent is needed, not up front.
Of course an app could ask you for permission up front, but most apps aren’t that stupid: they know if they harass users without good reason, the user will say no.
In time, if this approach became commonplace, we could see browsers implement it as a standard, and give users controls to accept and review their privacy across all of their websites. This would save web developers time and enforce privacy for everyone on a technical level.
Yeah, we probably won’t be this lucky.
How cruel, cold reality will probably work
At first, nothing happens. This is a nerdy clarification of an existing law, how many people will even notice? It’ll likely take heavy fines before people will care to go through the whole process of “cookie-lawing” and “GDPR-ing” their websites again.
However detecting people who don’t comply will be very easy. Do you use Google Analytics when we load your page? You’re breaking the law. Expect a whole tonne of automatic spam email along these lines.
When the fines do arrive, organizations will scramble to patch technology that doesn’t currently allow them to comply. You think your website is old? Your bank’s website is running on Windows 1892 Coal-Powered-Edition.
The quickest, dirtiest solution will be to direct users to a static splash page where they must accept all cookies to continue. This isn’t really compliant, but it will pass automated checks and is technically feasible for mass distribution, which in reality is what usually wins.
The result will be anyone requesting a webpage will likely get a splash screen. They’ll be asked to either leave or accept all cookies because “It is not technically feasible for us to offer more granular controls at this time”. These screens will be slow, expensive, inhibit sales, and make many technical actions more complex (e.g. crawling, SEO, sharing links). Cookie banners apparently cost the EU €2 billion a year; these will cost many times more.
Facebook, Google are so essential to so many people that they’ll be able to persuade their users to accept anything. New companies, looking to compete with them, will not.
Meanwhile the average user still doesn’t know what a cookie is, and blindly clicks on the Accept button.
The ICO has just handed out two fines for £99m and £183m. Those are stand-up-and-take-notice figures which show they’re prepared to enforce GDPR seriously. Their head of technology policy just said “Cookie compliance will be an increasing regulatory priority for the ICO in the future”.
The intent of the law was to protect privacy, which is a Good Thing. In an era where Mark’s Zuckerberg’s nanobots are hiding in your bathroom mirror  we could all use more control over our privacy.
Let’s just hope they figure out a practical solution that works this time. So far we fear the only people benefitting from this law are those being paid to implement it.