How the EU Cookie Law puts lives at risk

To me, web design is not about .js effects, Photoshop mockups, or fancy plugins. It is about public service. I view web design as a means of helping charities and organisations to promote themselves, reach their target audiences, and increase funding sources through smart use of their online resources. My role is to provide service, strategy, and sustainability: not artistic pretence and flashy effects.

It’s no wonder, then, that I have found so many reasons to object to the EU Cookie Law as administered in the UK by the Information Commissioner’s Office. Like all finger-wagging nannies, these two bureaucracies insist on inserting themselves into our projects, regardless of scope or purpose, because they know better than we do what is in our own interest. In essence, I become obliged to bend my services for the client to meet the demands of the bureaucracies. Yet it has been obvious from the start that these particular bureaucracies are staffed by theoretical purists who do not use computers, full stop, much less work on a daily basis with the codes and technologies which make good web design possible.

They literally do not know what they are talking about.

And just to complicate things even further, the ICO made a 180° turnaround of its official guidance for legal compliance on the very day that the law went into effect. This revised information was not released to the public until after site administrators had spent countless hours implementing compliance solutions based on the previous round of guidance. (The metaphor I used at a conference to explain this would be if the Home Office changed your visa rules after your flight had landed at Heathrow.) The previous round of guidance stated that consent had to be granted for all cookies, even the ones essential to a site’s background operations, while the current guidance recategorises those cookies under implied consent. Rather than re-doing their work from scratch, many site administrators have simply left their compliance strategies in place reflecting the previous guidance. In other words, many of the cookie boxes and popups vandalising your web experience do not actually need to be there, and many of the compliance interrogations forced upon site users are utterly unnecessary. But a lot of web designers haven’t gotten that message yet – after all, why would you assume a law would change on the day it went into effect?

Very early on it became clear that in some client projects, this inconsistency was not just a technical headache born of a professional affront. For organisations whose web sites need to reach people who exist on the fringes of human dignity, rigid and excessive conformance to the demands of the EU Cookie Directive can put that dignity – and possibly those lives – at risk.

The first example I will use to explain this is a web site I recently launched for a charity called East Renfrewshire Women’s Aid. This charity provides a range of services for women who are in, or have been in, an abusive relationship: physical, emotional, or sexual. These services include support groups, counselling, cognitive behavioral therapy, and most importantly, 24-hour emergency refuge for women whose lives are hanging by a thread. Like many women’s aid sites, the site includes information on covering your internet tracks and a “hide this site” button.

Web site for East Renfrewshire Women’s Aid

The web site includes a text-only mobile version because the women who most desperately need this organisation’s help do not have a computer, nor are they allowed to go anywhere near one. If they have a mobile phone, it is confiscated every night and its call logs are furiously inspected. A woman may well be borrowing a friend’s mobile and hiding in a toilet stall in order to access the number of the emergency refuge. To help her out, the site has a mobile detection cookie which means that if she accesses the site on her mobile, she automatically sees the simple mobile version. There is no cookie consent process because the mobile detection cookie is absolutely essential. She does not have to do anything. If all she has is thirty seconds, she can get the information she needs.

Now here’s what the bureaucrats said was in this woman’s own interest: when she entered the link address on a mobile phone, I would have had to either stop the site from loading altogether or would have had to make the mobile load the entire full-size desktop web site. Then, I would have had to cover that up with a consent screen on her mobile informing her that a mobile detection cookie was in use and if she wanted to see the mobile site, she would have to consent to that cookie being used on her phone.

By then her thirty seconds would be up.

I can think of no more perverse irony than a bureaucracy telling a woman whose toilet breaks are supervised that it is in her own interest to consent to information being stored about her browsing preferences. If she needs to access women’s aid information on a mobile it is because every minute of her life, waking and sleeping, is spent in a living hell of information about her being collected, stored, and acted upon in the worst possible way. Withholding a phone number from her until she clicked a cookie consent button would be literally kicking a human being while she was already down.

Let’s use another example. This week I will be sitting down with the wonderful team at Bipolar Scotland to plan a revamp of the site I created for them four years ago. As in 2008, we will take great care to make sure that the revamp meets best practice standards for people with cognitive disabilities. Bipolar disorder may not strike you as a cognitive disability, but a person having a manic or low episode can experience some interference with their normal cognitive functions. They may have to read the same sentence over and over to comprehend it; they may have to enlarge their font size; they may have difficulty in choosing from options; and they may have trouble understanding long sentences with complex words. This temporary loss of function can be accompanied by the emotional states found at the high and low poles: fear, paranoia, and panic. There are things we can do as web designers to keep the web site clean, simple, and easily understood by someone in that heartbreaking state. It would be a disservice not to do so.

Now let’s say someone experiencing that high manic episode decided to google for help. They clicked on a web site link that looked like it just might have the help they needed. And at the top of the screen, a bright animated box descended with this message:

[Image: cookie consent message box]

Bipolar Scotland’s web site does not have that, of course; I would never allow it to happen. I have photoshopped that out of the actual cookie law compliance monstrosity which Kwik Fit Tyres uses on their site.

But let’s say that they did use that box – it is the law, after all – and that poor soul looking for help would be informed that the web site and the computer were storing information about him. He had to read a policy. He had to select from the range of options. He’d reload the web site to get rid of it, and the box would simply animate down again.

To put a compliance process like this into the web site would not only fail to help the person who needed it, but it could actually aggravate his condition in a medically verifiable way. Could he access the information resources on the site? He would never make it that far.

And while that poor soul was effectively dazzled away from being able to access the information he needed, a bureaucrat in a faraway office would spend twelve seconds skimming the site in a visual review looking only for a compliance strategy. There is a box! The site is compliant. The web site has met his needs!

I have spoken a lot about the need to balance cookie law compliance with accessibility requirements – “don’t break one law to meet another” – but the issues raised here go beyond accessibility tick-boxes. These are issues involving basic and fundamental access to a site and to the services described in it – rights which overzealous cookie law compliance can put at risk.

There are ways you can comply with this law that do not insert the needs of a bureaucracy over the needs of the site visitor. When the choice lies before you, choose to do the right thing. Choose to build a site for people who do not have the time or the ability to educate themselves about four tiers of privacy “options”. Choose to design for the woman crouched in the dark, not for the graphic designer on a retina screen. Choose to respect people through the craft of your web design itself, not through a legally worded policy in a popup box.

This stance should not be one-sided. The ICO and the EU must allow exceptions to cookie law compliance processes on sites where any interference with quick and efficient browsing can cost someone their dignity, their safety, or their life.

This is not about petty rebellion. This is about putting yourself into someone else’s shoes to do what is right by them, regardless of what the law “says” you have to do. They can learn about cookies later. First you have to make sure that you have played your part in getting them the hell out of that house.


  1. I'm confused: why do you need a cookie at all for serving up different content if a mobile device is used?

    Surely you can just check the user agent served by the device/browser?
    Perhaps use js to check screen size etc also?
