Why the cookie pop-ups must crumble
The GDPR has been great news for Big Tech, lawyers and NGOs – but terrible for consumers.
The European Union is often criticised for failing to deliver, but in one area at least, it has delivered in abundance. Since 2018, by my estimates, over five trillion cookie pop-up notices have been served up to website users. Few regulations are as in-your-face or reach as far beyond the EU’s own borders as the General Data Protection Regulation, or GDPR.
It is almost impossible to escape the futile nagging of the pop-up. It’s like a driver being asked to fill out a questionnaire every time he or she stops at a junction. The driver must get out of the car, fill out one form for turning left or another form for turning right. Click okay to continue? Should you change your browser or device, you will be asked all over again. Some sites just ignore the law, and only allow one answer. Many more will present you with an incomprehensible form that makes HMRC’s tax-return process look simple.
Yet whenever anyone suggests getting rid of the cookie pop-ups, this is met with a chorus of disapproval from the digital cognoscenti. The cookie pop-up may seem like a strange hill to die on for our technology-policy elites. But for them, the pop-up has become totemic, and almost sacred.
This is quite deliberate. When the EU’s Privacy Directive was being revised over a decade ago (forming what is now the GDPR), privacy activists such as the UK’s Open Rights Group demanded that consent for data processing must be obtained on a site-by-site basis. Anything else was a sell-out, they insisted. We must not be allowed to delegate this authority, for instance, to a browser setting or to a third party, they said. And that means we must bat away the pop-up manually each time. The EU, ever mindful of its democratic deficit, tends to bend over backwards to please ersatz ‘civil society’ groupuscules like the ORG, and so it yielded. It is only in the past couple of years that privacy activists have twigged what a PR catastrophe the cookie pop-up has become. Indeed, the UK government’s promise to review the pop-up, now that we have left the EU, is one of the few popular announcements it has made.
The Privacy Directive and its successor, the GDPR, have been good news for some, however. One winner is the compliance industry. Companies, which had already expanded their human-resources teams to cope with additional health and diversity requirements, have also had to add privacy compliance officers. Before the directive came in, PwC estimated that the average cost of compliance for the GDPR alone would be €1.3million per firm. Happy days are here for burgeoning law departments in academia, too. And thanks to the GDPR, the UK data-processing quango, the Information Commissioner’s Office (ICO), now demands a fee from every company or sole trader that it deems to be processing personal data – a nice little earner ranging from £40 to £2,900 a pop. Lawyers are perhaps the happiest of all, with plenty of demand from companies fearful that the smallest slip might cost them a hefty fine. While lawyers (and some academics) may profess to hate complex and ambiguous legislation, in reality nothing generates demand for their services quite so effectively. And here the EU has served them well.
If the goal of the GDPR was to clip the wings of ‘Big Tech’, it has had no effect at all. Not only has Big Tech been left ‘unscathed’, but the tech giants have also used the regulation to their advantage. Large technology companies have since taken market share from their smaller competitors, and the main burdens of the GDPR have fallen on smaller companies, the academics Carl Frey and Giorgio Presidente conclude in a recent study. It’s a familiar story – big business loves regulation because it disproportionately ties down smaller competitors.
Beyond the economic costs of data-protection laws, the actions of the privacy blob are taking a personal toll on us, too. Activists and academics are seeking to create a permanent sense of neurosis over our data and privacy. Constant self-monitoring of data processing reinforces the state of paranoia that so many privacy activists themselves seem to exist in. The privacy blob inhabits a strange world where very different issues are conflated. To the privacy activist, the kind of mass surveillance revealed by Edward Snowden and the personal consumer data collected by your Nectar Card are one and the same. This finds expression in the absurdly overheated rhetoric of Shoshana Zuboff’s business bestseller, Surveillance Capitalism, which equates the collection of consumer data with the totalitarianism of a brutal police state – a comparison I suspect the ordinary consumer finds ridiculous and insulting. But it’s all ‘surveillance’, if you are sufficiently paranoid.
In this sense, the cookie pop-up is similar to doing the recycling: it is a complete waste of your time, but it serves a deeper political purpose. The radical environmentalist believes that humans are irredeemably sinful, and we must be made aware of our resource consumption and carbon-dioxide emissions, no matter how trivial our activity. Recycling reminds us of our sin. Similarly, the privacy activists insist we must be made to be acutely conscious of personal data flows at any given time.
But all of this is rather wearing on the human spirit. For example, as one Reddit user in the Privacy subreddit admitted, after undertaking many of the practices that technical experts and privacy NGOs recommend: ‘I feel like privacy takes too much of my time and effort… Privacy is expensive, if not in money, in time and brain cycles… I’m starting to think none of this is worthy [sic], I’ll end up just using ad blocker and Duckduckgo. I’m getting tired.’
Rather like Extinction Rebellion, the nihilistic wing of the environmental movement, the privacy activists have literally worried themselves sick. For them, the data-processing crisis is permanent and debilitating — and their politics entirely depends on it being so.
Meanwhile, the rest of us are deemed incapable of creating institutions or structures that keep our data safe without their input. In fact, the new privacy elites don’t really believe that our data is ‘ours’ at all. They insist that we must not be allowed to trade it, as a personal property right. And so the privacy ‘experts’ typically oppose initiatives which might usher in a more adult relationship with data processors.
‘It would be more logical to start with the idea that people “own” their data and have the right to tell others, who get hold of it, what they can and can’t do’, barrister Barney Reynolds told me last year, as he anticipated the UK’s ability to shed itself of strangulating rights-centric EU privacy regulations. Naturally, the academics and activists hate that idea. They’re also wary of the ‘Solid’ concept, devised by Sir Tim Berners-Lee, which accepts and builds on personal-data ownership, with the individual in charge, but in a way such that we don’t have to micromanage every transaction. The likes of Shearman and Berners-Lee face an uphill battle.
By weaponising paranoia, a new nerd elite has manoeuvred itself to the centre of the technology conversation, and won’t let go of its influence easily.