Skip to main content

The EU is trying to fix its abysmal cookie consent policy

The EU is trying to fix its abysmal cookie consent policy


The pain of cookie consent mechanisms is an international problem

Share this story

A circle of 12 gold stars representing the European Union.
Illustration by Alex Castro / The Verge

For many internet users, the EU’s cookie consent policies are an aggravating and unavoidable experience when browsing the web. Introduced in 2018 as part of the General Data Protection Regulation (GDPR), these notices ask users to agree to being tracked when visiting a site for the first time, but are often misleadingly worded or impossible to refuse. In an effort to make cookie consent more consensual, the EU has published updated guidelines this week banning some of the worst interpretations of these policies.

The biggest change is an end to “cookie walls” which make viewing content contingent on consenting to be tracked. The whole point of the cookie consent policy is to give people a free choice in whether or not their data is collected for things like targeted advertising. But, as the EU notes, if a website “puts into place a script that will block content from being visible except for a request to accept cookies” this “does not constitute valid consent” as the user is “not presented with a genuine choice.” So: no more cookie walls.

An example of a cookie consent policy with no obvious way to opt out of tracking.
An example of a cookie consent policy with no obvious way to opt out of tracking.
Screenshot: The Verge

Another big change stops sites from interpreting even the most basic interaction as consent. Some website providers, for example, interpret simply scrolling or swiping on the page as agreeing to their tracking policies. The EU notes the ridiculousness of this position by suggesting that if scrolling can constitute consent it can also be used to withdraw consent. And since sites have no way of distinguishing between these two intentions, using scrolling or swiping as a proxy for consent is meaningless.

Cookie consent mechanisms are well-intentioned but thoughtlessly implemented

These guidelines show the EU is aware of the problems with its cookie consent policy, but for people affected by these mechanisms (which includes many individuals living outside of Europe, as sites often adopt GDPR regulations internationally to save time or out of an abundance of caution) it would be wrong to expect a quick fix.

For a start, these are only guidelines intended to shape national policy. The EU passes laws, but it’s up to member states to enforce them. And research has shown that sites consistently flout current cookie consent laws and that enforcement is minimal at best.

In addition, there are many more ways than just cookie walls to confuse and trick visitors to clicking “agree.” A whole range of so-called dark patterns — confusingly designed user interface choices — can mislead and coerce users. These range from pre-ticked boxes and labyrinthine menus to simply never explaining what tracking cookies are being placed on somebody’s computer in the first place. One recent study found that only 11 percent of cookie consent mechanisms “meet the minimal requirements [of] European law.”

With these problems, it’s going to be a while until cookie consent mechanisms are fixed, if they ever are. Perhaps you had to negotiate one to even read this story, in which case, we apologize. But let’s hope tearing down the cookie walls is a first step in a better direction.