(I’d love to see the regulations changed here: there’s no reason to single out storing data on the client for special treatment…)
I haven’t personally needed to pay super close attention to the e-Privacy regulations but I thought they exclusively focused on cookies as a specific technology? The web has client-side data storage that is not cookies, and cookies are more privacy invasive than simple client-side storage because they’re also automatically transmitted to the server on every matching request without any further interaction from either the user or the website.
It seems to me that it’s much easier to respect user privacy when using other mechanisms for client-side storage and for transmitting data from the client to the server. I’ve also generally found that the cookie-free approaches tend to result in more maintainable and debuggable code, without incurring additional overhead for many use cases. (An exception: document-centric use cases where the documents themselves are access controlled generally do benefit from cookies, and low-JS sites have more legitimate use for a non-JS mechanism for storing and transmitting authentication information; but both of those seem to be somewhat niche use cases relative to the current web as a whole.) Thus, I’m a bit annoyed that there hasn’t been more movement across the industry to migrate from cookies toward other more-targeted technological solutions for many use cases requiring data storage on the client — particularly for those use cases that would be legitimate banner-free uses of cookies according to e-Privacy.
I haven’t personally needed to pay super close attention to the e-Privacy regulations but I thought they exclusively focused on cookies as a specific technology?
For better or worse, the e-privacy directive is not specific to cookies: it covers any form of client side data storage. For example, “Users should have the opportunity to refuse to have a cookie or similar device stored on their terminal equipment.”
(And thanks in particular for linking to the original text — while your excerpt is suggestive, the meaning of “similar device” isn’t entirely clear without seeing that the surrounding paragraph is focused on preserving privacy between multiple users who share a single web-browsing device. I feel like that is still a valid concern today and a reasonable reason for regulations to treat client-side storage slightly differently from server-side storage, even though it’s not most people‘s top privacy concern on the web these days and even though this directive doesn’t resolve that concern very effectively at all.)
To the extent that the goal is to give privacy between multiple users, a way to explicitly say “this browser is just for me” and then not see cookie banners would be pretty great.
Once you’re willing to mandate browser features to bolster privacy between multiple users on the same device, I’d get rid of website-implemented cookie banners altogether (at least for this purpose) and make the browser mandate more robust instead. I could see this as a browser preference with three mandated states (and perhaps an option for browsers to introduce additional options alongside these if they identify that a different tradeoff is worthwhile for many of their users):
Single user mode: this browser (or browser profile) is only used by one user, accept local storage without warning under the same legal regime as remote storage of user data.
Shared device mode: this browser (or browser profile) is shared among a constrained set of users, e.g. a role-oriented computer in an organization or a computer shared among members of a household. Apply incognito-inspired policies to ensure that local storage cannot outlive a particular usage session except for allowlisted domains, and require the browser to provide a persistent visual indication of whether the current site is on the allowlist (similar to how browsers provide a persistent indication of SSL status).
Public device mode: this browser (or browser profile) is broadly available for use by many people who do not necessarily trust each other at all, e.g. a machine in a school’s computer lab or in a public library. Apply the same incognito-inspired policies as in shared device mode, but without the ability to allowlist specific sites that can store persistent cookies. The browser must also offer the ability for the computer administrator to securely lock a browser in this mode to prevent untrusted users from changing the local-storage settings.
I don’t think you need to mandate browser features: a big reason we don’t have this sort of thing today is that even if the browser offered this setting it wouldn’t be enough to satisfy the regulation. The regulation could say something vaguely like “web browsers may offer their users a choice between three profiles [insert your description] and communicate to websites which setting the user has chosen. If a website receives this information, it may save information to the client device etc”
In theory, yes. Do you have particular knowledge that things would likely play out as such if the regulations permitted, or are you reasoning that this is likely without special knowledge? If the former, then I’d want to update my views accordingly. But if it’s the latter, then I don’t really see a likely path for your regulatory proposal to meaningfully shift the market in any way other than market competition forcing all major browsers to implement the feature, in which case it doesn’t practically matter whether the implementation requirement has legal weight.
in any way other than market competition forcing all major browsers to implement the feature, in which case it doesn’t practically matter whether the implementation requirement has legal weight.
I think it does matter? It’s not clear that browsers can be required to do this, and even if it were legal to require them to it’s not a good precedent. On the other hand, browsers working together with regulators and site owners to make a new technical standard (to communicate shared browser status) + rules (so it’s legal to use the technical standard to not prompt about cookies) so users can have a better experience would be clearly legal and a great precedent.
(I have maybe a bit of special knowledge, in that I worked with a browser team and regulatory lawyers 2020-2022 but I’m not claiming to be an expert on how regulations and browsers change!)
Fair enough, although I put a little less weight on the undesirable precedent because I think that precedent is already largely being set today. (Once we have precedents for regulating specific functionality of both operating systems and individual websites, I feel like it’s only technically correct to say that the case for similar regulation in browsers is unresolved.)
Also, the current legal standard just says that websites must give users a choice about the cookies; it doesn’t seem to say what the mechanism for that choice must be. The interpretation that the choice must be expressed via the website’s interface and cannot be facilitated by browser features is an interpretation, and I’d argue against that interpretation of the directive. I don’t see why browsers couldn’t create a ‘Do-Not-Track’-style preference protocol today for conveying a user’s request for necessary cookies vs all cookies vs an explicit prompt for selecting between types of optional cookies, nor any reason why sites couldn’t rely on that hypothetical protocol to avoid showing cookie preference prompts to many of their users (as long as the protocol specified that the browsers must require an explicit user choice before specifying any of the options that can skip cookie prompts; defaulting users to “necessary cookies only” or the all-cookies-without-prompts setting would break the requirement for user choice).
But we don’t see initiatives like that, presumably in large part because browsers don’t expect to see much adoption if they implement such a feature, especially since it’s the type of feature that requires widespread adoption from all parties (browser makers, site owners, and users) before it creates much value. Instead, lots of sites show cookie banners to you and I while we browse the web from American soil using American IP addresses, seemingly because targeting different users with different website experiences is just too sophisticated for many businesses. They evidently see this as a compliance requirement to be met at minimal cost rather than prioritizing the user experience. I don’t see how the current dynamic changes as long as websites still see this purely as a compliance cost to be minimized and as long as each website still needs to maintain their own consent implementations?
I haven’t personally needed to pay super close attention to the e-Privacy regulations but I thought they exclusively focused on cookies as a specific technology? The web has client-side data storage that is not cookies, and cookies are more privacy invasive than simple client-side storage because they’re also automatically transmitted to the server on every matching request without any further interaction from either the user or the website.
It seems to me that it’s much easier to respect user privacy when using other mechanisms for client-side storage and for transmitting data from the client to the server. I’ve also generally found that the cookie-free approaches tend to result in more maintainable and debuggable code, without incurring additional overhead for many use cases. (An exception: document-centric use cases where the documents themselves are access controlled generally do benefit from cookies, and low-JS sites have more legitimate use for a non-JS mechanism for storing and transmitting authentication information; but both of those seem to be somewhat niche use cases relative to the current web as a whole.) Thus, I’m a bit annoyed that there hasn’t been more movement across the industry to migrate from cookies toward other more-targeted technological solutions for many use cases requiring data storage on the client — particularly for those use cases that would be legitimate banner-free uses of cookies according to e-Privacy.
For better or worse, the e-privacy directive is not specific to cookies: it covers any form of client side data storage. For example, “Users should have the opportunity to refuse to have a cookie or similar device stored on their terminal equipment.”
Good to know, thanks!
(And thanks in particular for linking to the original text — while your excerpt is suggestive, the meaning of “similar device” isn’t entirely clear without seeing that the surrounding paragraph is focused on preserving privacy between multiple users who share a single web-browsing device. I feel like that is still a valid concern today and a reasonable reason for regulations to treat client-side storage slightly differently from server-side storage, even though it’s not most people‘s top privacy concern on the web these days and even though this directive doesn’t resolve that concern very effectively at all.)
To the extent that the goal is to give privacy between multiple users, a way to explicitly say “this browser is just for me” and then not see cookie banners would be pretty great.
Once you’re willing to mandate browser features to bolster privacy between multiple users on the same device, I’d get rid of website-implemented cookie banners altogether (at least for this purpose) and make the browser mandate more robust instead. I could see this as a browser preference with three mandated states (and perhaps an option for browsers to introduce additional options alongside these if they identify that a different tradeoff is worthwhile for many of their users):
Single user mode: this browser (or browser profile) is only used by one user, accept local storage without warning under the same legal regime as remote storage of user data.
Shared device mode: this browser (or browser profile) is shared among a constrained set of users, e.g. a role-oriented computer in an organization or a computer shared among members of a household. Apply incognito-inspired policies to ensure that local storage cannot outlive a particular usage session except for allowlisted domains, and require the browser to provide a persistent visual indication of whether the current site is on the allowlist (similar to how browsers provide a persistent indication of SSL status).
Public device mode: this browser (or browser profile) is broadly available for use by many people who do not necessarily trust each other at all, e.g. a machine in a school’s computer lab or in a public library. Apply the same incognito-inspired policies as in shared device mode, but without the ability to allowlist specific sites that can store persistent cookies. The browser must also offer the ability for the computer administrator to securely lock a browser in this mode to prevent untrusted users from changing the local-storage settings.
I don’t think you need to mandate browser features: a big reason we don’t have this sort of thing today is that even if the browser offered this setting it wouldn’t be enough to satisfy the regulation. The regulation could say something vaguely like “web browsers may offer their users a choice between three profiles [insert your description] and communicate to websites which setting the user has chosen. If a website receives this information, it may save information to the client device etc”
In theory, yes. Do you have particular knowledge that things would likely play out as such if the regulations permitted, or are you reasoning that this is likely without special knowledge? If the former, then I’d want to update my views accordingly. But if it’s the latter, then I don’t really see a likely path for your regulatory proposal to meaningfully shift the market in any way other than market competition forcing all major browsers to implement the feature, in which case it doesn’t practically matter whether the implementation requirement has legal weight.
I think it does matter? It’s not clear that browsers can be required to do this, and even if it were legal to require them to it’s not a good precedent. On the other hand, browsers working together with regulators and site owners to make a new technical standard (to communicate shared browser status) + rules (so it’s legal to use the technical standard to not prompt about cookies) so users can have a better experience would be clearly legal and a great precedent.
(I have maybe a bit of special knowledge, in that I worked with a browser team and regulatory lawyers 2020-2022 but I’m not claiming to be an expert on how regulations and browsers change!)
Fair enough, although I put a little less weight on the undesirable precedent because I think that precedent is already largely being set today. (Once we have precedents for regulating specific functionality of both operating systems and individual websites, I feel like it’s only technically correct to say that the case for similar regulation in browsers is unresolved.)
Also, the current legal standard just says that websites must give users a choice about the cookies; it doesn’t seem to say what the mechanism for that choice must be. The interpretation that the choice must be expressed via the website’s interface and cannot be facilitated by browser features is an interpretation, and I’d argue against that interpretation of the directive. I don’t see why browsers couldn’t create a ‘Do-Not-Track’-style preference protocol today for conveying a user’s request for necessary cookies vs all cookies vs an explicit prompt for selecting between types of optional cookies, nor any reason why sites couldn’t rely on that hypothetical protocol to avoid showing cookie preference prompts to many of their users (as long as the protocol specified that the browsers must require an explicit user choice before specifying any of the options that can skip cookie prompts; defaulting users to “necessary cookies only” or the all-cookies-without-prompts setting would break the requirement for user choice).
But we don’t see initiatives like that, presumably in large part because browsers don’t expect to see much adoption if they implement such a feature, especially since it’s the type of feature that requires widespread adoption from all parties (browser makers, site owners, and users) before it creates much value. Instead, lots of sites show cookie banners to you and I while we browse the web from American soil using American IP addresses, seemingly because targeting different users with different website experiences is just too sophisticated for many businesses. They evidently see this as a compliance requirement to be met at minimal cost rather than prioritizing the user experience. I don’t see how the current dynamic changes as long as websites still see this purely as a compliance cost to be minimized and as long as each website still needs to maintain their own consent implementations?