IP, Technology & Data

Last week I was invited to speak to members of the Scottish Usability Professionals Association (SUPA) about the new cookie law.

SUPA “brings together UK professionals based in Scotland from the design, technology and research communities who share a vision of creating compelling technology that meets users’ needs and abilities”, and the topic of my presentation was the interaction of the cookie law with disability discrimination laws and website usability.

One consequence of the cookie law is that a number of the consent mechanisms being adopted by organisations to deal with cookie consent have an adverse impact upon the accessibility of the website to users with disabilities, and the usability of the website to users as a whole. This not only makes the website harder for users to use, but might also put the organisation in breach of its obligations under the Equality Act.

Potential usability and accessibility issues
We had a great discussion. Here are a number of the usability and accessibility issues we identified:

  • The use of a pop-up upon arriving at a website can clearly impact on the user experience – users can’t get to the information that they want to access without first reading/dealing with the pop-up. Does that inhibit users from finding the information that they are looking for?
  • On the other hand, the use of implied consent and a link to a cookies policy at the foot of the page is also poor from a usability perspective. Users are unlikely to see it (particularly on a mobile device), and therefore it’s difficult to say that consent has been given.
  • Mobile devices such as smartphones and tablets raise particular issues. Pop-up boxes at the bottom of the page are difficult to read and may be overlooked. If the default setting of these mechanisms is opt-in, then it may be difficult to argue that consent can be implied.
  • Pop-ups or cookie control devices that use JavaScript may not be compatible with screen readers or devices that do not use JavaScript. This may cause problems for users of those devices.
  • Pop-ups are often set to disappear after a certain period of time (for example 10 seconds), which may not be sufficient time for the user to read and understand the message.
  • Again, on pop-ups, some pop-ups have a link to a cookies policy, but the cookies policy page appears on screen *behind* the pop-up, making it impossible to read without accepting all the cookies!
  • Many websites offer an all or nothing approach to cookies – users either have to accept all cookies or none, limiting user choice and user control.
  • Websites that only offer an “I agree” option – users may click “agree” simply to get rid of the box, menu bar etc.
  • Granular, interactive, control panels (such as those used by BT and BBC) can help improve usability and user control, but are often set to accept all cookies (including targeted advertising cookies) by default, or lump together targeted advertising with social sharing tools.
  • There is no consistent approach across websites (even in the implementation of third-party products, such as Cookie Control), meaning that each website is different.

What is the solution?
This last point is perhaps one of the most telling.

From a user experience perspective, a multitude of different systems and approaches is confusing, and does little to increase user understanding of cookies (one of the aims of the new law). In order to be effective, a common approach is needed. If not, and websites continue to deal with cookies in different ways, usability will suffer.

This can be achieved in two ways: by clear guidance from the regulator and, perhaps more importantly in the long term, the implementation of suitably sophisticated privacy dashboards in web browsers. Ultimately, the reason for website operators having to introduce ad hoc consent mechanisms is a failure to have in place an appropriate browser-based solution at the time the law came into force. If privacy features can be built into the UI, as can be done with the iOS developer platform, then there is no reason it can’t be done across browsers generally.

In both cases, this needs joint action from the various national privacy regulators in Europe.

In the case of the former, to agree consistent, more detailed guidance on what is expected, and in the case of the latter to work with browser manufacturers and the W3C to develop a common browser-based solution. When the new cookie law was published last summer we were told that the latter was happening, but to date there has been little sign of progress.

The Do Not Track initiative may give the building blocks for doing that, if it can be widened to cover all cookies and adopt the principles of privacy by default. Things are moving in the right direction, but as recent coverage reports, Do Not Track isn’t yet the panacea that some people would like it to be.

What do you think?

Martin Sloan

Partner at Brodies LLP
Martin is a partner in Brodies Technology, Information and Outsourcing group and has wide experience of advising clients on technology procurement and IT and business process outsourcing projects. Martin also advises on data protection (including the GDPR), and general technology and intellectual property law, and has a particular interest in the laws applying to social media and new technology such as mobile apps, contactless/mobile payments, and smart metering.