The Cookie Debate: To Serve or Not to Serve?

Recently, there’s been a lot of debate in the U.S. press and other places over cookie issues. This time it’s not about the number of people who block or delete them (a bad thing, apparently) but about the number of government and federal sites that allegedly serve them (also a bad thing, apparently). The fact that some U.S. government sites serve cookies has led to headlines such as “Government Web sites are keeping an eye on you.” It would seem the only thing worse than people deleting or blocking cookies is people serving them in the first place.

I must confess that I haven’t read all 87 posts so far on Eric Peterson’s Web Analytics Forum on the subject or the various articles doing the rounds, but feelings run strongly on all sides of this argument. I won’t run the risk of adding fuel to the fire, but it does strike me that we aren’t having the same sorts of cookie-related debates here in the U.K. Why is that? Are we better informed on the issue or less informed? Should we be more worried about cookies than we seem to be?

In Europe, we went through some angst on this issue a few years ago. The European Parliament passed a directive in 2002 on privacy and electronic communications. Leading up to this directive, there had been a concern in the industry that cookies would effectively be made illegal as a breach of personal privacy. In the end, the European Parliament concluded it wasn’t cookies or Web bugs that infringed privacy but the inappropriate use of these devices. The following passage from the directive is particularly relevant to the current U.S. debate:

So-called spyware, web bugs, hidden identifiers and other similar devices can enter the user’s terminal without their knowledge in order to gain access to information, to store hidden information or to trace the activities of the user and may seriously intrude upon the privacy of these users. The use of such devices should be allowed only for legitimate purposes, with the knowledge of the users concerned.

However, such devices, for instance so-called “cookies”, can be a legitimate and useful tool, for example, in analysing the effectiveness of website design and advertising, and in verifying the identity of users engaged in on-line transactions. Where such devices, for instance cookies, are intended for a legitimate purpose, such as to facilitate the provision of information society services, their use should be allowed on condition that users are provided with clear and precise information.

Essentially, this text recognizes that cookies can be a good thing, provided they are used legitimately and people are told what’s going on. Europe’s position now is you are entitled to use cookies provided you tell people in your privacy policy that you serve cookies, how you use the data, and how people can refuse to accept or how they can delete your site cookies.

I’m not an expert on this issue, but it does seem to me that having a legal framework to work against helps with the issue to some extent. It doesn’t always take the emotion out of the subject, nor does it prevent individuals forming a judgement about cookies for themselves and making their own views known. But that’s society for you.

What I like about the current European position is rather than taking an explicit or implicit “all cookies are bad” stance, it recognizes society can potentially benefit from the appropriate use of cookies. By understanding how people behave on Web sites, we can create a better visitor experience without necessarily infringing upon personal liberty. After all, observing shopper behavior is nothing new. Our supermarkets and stores are laid out based on years of observing shopper behavior and analyzing shopper-derived data. However, it’s clear the ability to harvest (even anonymous) data should not be taken for granted, and, even in the absence of legal frameworks, transparency is a sound policy.

Related reading