Five Years of Cookie Law: Politicians’ good intentions and incompetence create security, privacy nightmare

Posted on May 23, 2016 by Rick Falkvinge
Share Tweet

Five years with the “cookie law”, taking effect in 2011, shows how politicians’ good intentions – when coupled with incompetence – can create a security and privacy nightmare. It was supposed to give users choice, privacy, and security. Its effect, over and above causing developer facedesks and headaches, has been the exact opposite.

In 2009, the European Parliament adopted an amended Directive on Privacy and Electronic Communications. The major new thing in the 2009 amendment of these rules was something called “consent for cookies” – requiring all users to agree to cookies being stored onto their computer from all websites.

It’s important to remember that this legislative directive – the European equivalent of a federal law – was voted on by people who get their e-mail printed for them by secretaries, and therefore believe they understand what this Interwebs thing is about. No, seriously. That’s actually what the European Parliament looks like still, and most certainly looked like two terms ago (early 2009).

The overall idea was that users have to give consent for tracking cookies to be placed on their computers – overall, to give consent to being tracked. But the nature of websites by 2009 was already past using cookies for tracking only; cookies are being used for the entire interaction with the user, from authentication to preferences. Even something as simple as a WordPress blog places cookies on every visitor’s browser (although most blog admins disable this for performance reasons).

In any case, requiring opt-in for this in the website interface, as opposed to in the browser options, has created a privacy and security nightmare that will take decades to undo. This is what happens when good intentions meets technical incompetence.

The only net effect of the cookie law is that every user has been conditioned to click “Yes, I agree” on any popup that appears when they go to a new website.

As these cookie consent dialogs take vastly different shapes, the average user won’t be able to tell a “Allow cookies? Yes/no” dialog from a “Install malware? Yes/no” one. And hence, political incompetence has created a privacy nightmare for the masses.

Privacy remains your own responsibility.

About Rick Falkvinge

Rick is Head of Privacy at Private Internet Access. He is also the founder of the first Pirate Party and is a political evangelist, traveling around Europe and the world to talk and write about ideas of a sensible information policy. Additionally, he has a tech entrepreneur background and loves good whisky and fast motorcycles.

VPN Service

Comments are closed.


  1. Mark

    Billions of euros wasted – when it is simply a matter for the user to turn cookies off in the browser if they don’t want them. 99.9% of all websites use some form of cookie. What a ridiculous useless and overreaching law this is.

    I totally agree with the author that instead of making privacy better it has actually made things far worse for users and domain owners and sadly how well intended the octarians that decided it meant – it will take decades to unravel the damage done.

    Try to turn off cookies in your browser and use sites like amazon, facebook etc. Cookies are important to a lot of the functionality and smooth running of sites and are not malicious or dangerous to a user.

    Unbelievable this useless EU law ever saw the light of day.

    4 years ago
  2. agtrier

    Not quite: I worked on several web sites that ditched everything that set cookies because that was easier than implementing a cokie consent kit. Of course the site owners complained about the “stupid cookie directive” but I think their users got a better deal this way.
    Now, this is of course not the way to go for a large, ad-financed site, but does every little shop site need to have embedded 3rd party tools all over the place? Methinks not.

    4 years ago
    1. Falkvinge

      Probably not. And yet, these “consent” dialogs quickly appeared as ready-to-use JavaScript kits, now everywhere.

      4 years ago