Cookie consent: how many clicks should the ePrivacy Directive cost citizens?

admin Wednesday November 22, 2023

By now, everyone has consented to cookie usage hundreds of times. All technologists are aware this phenomenon was started by the Privacy and Electronic Communications Directive 2002/58/EC, also known as the ePrivacy Directive (ePD).

But why is it you had to consent thousands of times? Sure, the web is a chaotic network of way too many websites. I had about 5 cookie prompts just while I was researching this post. But just before that, why did I have to also consent to cookies when scheduling my fifth vaccine against SARS, using the same browser profile, and the same website? Can all websites be so bad?

It turns out the answer is mostly negative. The main reason is unfortunately legislative; according to 2 sources I found, the EU's maximum consent duration is just 1 year.

According to CookieYes's "How long does cookie consent last?":

You should renew cookie consent at least once a year (as per the ePrivacy Directive) or have periodic renewal as per the guidelines set out by your local data protection authority (DPA). For instance, the Irish DPC and the French CNIL recommends that consent should be re-obtained after no longer than six months. The GDPR does not specify a time limit for how long consent will last, therefore you should set a renewal period as per the guidelines of your respective DPA.

According to Proton Technologies AG's Cookies, the GDPR, and the ePrivacy Directive:

Persistent cookies — This category encompasses all cookies that remain on your hard drive until you erase them or your browser does, depending on the cookie’s expiration date. All persistent cookies have an expiration date written into their code, but their duration can vary. According to the ePrivacy Directive, they should not last longer than 12 months, but in practice, they could remain on your device much longer if you do not take action.

Is that to say we are doomed to endless clicking? Not quite, since a software solution is apparently possible. The UK's 2012 Guidance on the rules on use of cookies and similar technologies already stated:

Both the Directive on which the Regulations are based, and the Regulations themselves, suggest browser settings may be one means of obtaining consent if they can be used in a way that allows the subscriber to indicate their agreement to cookies being set.

I just wish at least one browser will get there before more decades go by. How good would it be to go back to the good old times...