When bureaucracy hits the web: the cookie law


For a few years now, every first of April I have hoped to read in the news something along the lines of "the cookie law was a joke, sorry for that". You know, bureaucracy is slow, and it's reasonable to think that it takes time for them to reveal jokes. Yet, many firsts of April have passed, and no such announcement has been made. Many missed opportunities for Europe to show its love for progress and its competence with the web.

Being compliant with the EU cookie law is hard. It's not just a matter of showing a boring banner; it's a matter of defacing your web pages, writing long privacy policies that nobody will read, and implementing ways to prevent certain cookies from being set.

The truth is: if you, as a webmaster, want to avoid wasting time and avoid headaches, you just have to avoid cookies. This is what I have done with most websites I maintain: I have removed all analytics, all social sharing buttons, all YouTube videos, all comments. This was a sad thing to do, but it was the only thing I could do: I maintain websites for free mainly as a favor for friends and non-profits I'm involved with — it's not my day job. Also, I do not want other people being sued because of mistakes on my part: cookies may be set in the most unexpected situations and disabling every feature that could potentially set them seems the safest choice.

The only exception is this blog. Here, I use cookies for Google Analytics, for social sharing buttons and for Disqus. I may live without Google Analytics (even though it gives useful insights, such as performance statistics and tips), but I can't really remove social buttons and Disqus: this is a blog and it wouldn't make any sense to remove social features and comments.

Being compliant with the EU cookie law has been on my todo list for a while, and I never found the time (nor the desire) to look into it. Today I did. I spent a few hours of my time to discover that Google Analytics is "OK" (in the sense that I do not have to display an ugly banner, nor have to ask for explicit permission from the user before setting the cookies) and to discover that social buttons and Disqus are "bad" (in the sense that I have to display a banner and ask for explicit consent from the user before setting the cookies). In the end, the only service that I could remove is the least problematic service.

As I said, I really do not want to remove social buttons, Disqus or whatever third-party content I'll want to display in the future. Therefore, in order to comply with the cookie law, I'm forced to write code, write a privacy policy, waste another bunch of hours of my time. But not today, as I've already had enough sense of sadness and impotence.

At least for now, I guess that EU cookie law compliance will stay on my todo list for some more time. If I had worked on compliance instead of writing this rant, I could probably have finished already (but then what's the point of having a blog if you don't blog?).

The cookie law wants to be "on the side of the users," and it is based on noble principles: it wants users to be well-informed about how their data is used and by whom. However, as it is today, it's against both users and webmasters. Webmasters have to waste their time working on compliance, and users receive a degraded experience due to silly regulations.

I'd like to do what Silktide did and actively protest against the law, but I wouldn't be so happy if I were sued. I'd like to read "the cookie law was a joke" in the news, but I'm starting to believe that it's not going to happen any time soon. It seems that accepting the sadness of reality is the only option I'm left with.

End of rant, let's move on.