Between working remotely, spending more time at home this year, and businesses across many industries shifting entirely to digital, we’re online more now than ever. This means we’re also seeing more “accept cookies” banners—a bug on the Internet’s windshield and an eyesore we hurriedly click “yes” to so we can see what we actually came to a site to check out.
At best, the banners are a nuisance, and at worst they undermine their original purpose: to protect user privacy. As the CEO of a company that deploys what I hope is the least intrusive form of these dreaded banners, I can say there has to be a better solution, and one that is more focused on the end user’s best interest.
This was not always the norm. Amid the flurry of new privacy laws over the past few years like the General Data Protection Regulation (GDPR), companies resorted to accept cookies banners as a means of compliance. But are they actually working? A recent study shows they may actually undermine EU privacy laws. The EU even released new guidelines this spring saying that companies cannot require users to accept cookies to access their website—because consent is only valid if it’s freely given, not in the form of a cookie wall that demands it.
Businesses are also manipulating users with design and copy choices that persuade them to click accept. Research shows that seemingly small cookie implementation decisions—from the placement on the screen to use of “dark pattern” techniques like user interface design that steers website visitors toward a particular choice—can impact how people interact with consent notices.
The bottom line: Cookie banners create a false perception of privacy at the user’s expense.
So what’s next?
I’m an advocate for federal privacy legislation that protects consumer privacy and empowers businesses to use data appropriately, but we don’t need a specific law to account for the accept cookies trend. As an industry, we need to approach consent with user experience and innovation in mind—not compliance.
Some initial ideas that would improve user experience without sacrificing privacy:
- Streamline the cookie consent process by elevating it to the browser level. That would mean users could opt in to accept or reject all cookies, eliminating the need for individual websites to notify visitors.
- Modify consent requirements based on the relationship between user and website. A new user registering for an account, for example, would require more data disclosure than one who visits a website once.
- Let users track what they’ve consented to by making a record of it with consent receipts. These receipts would give each user and website a record of what the user has already agreed to, limiting the need for ongoing and ultimately meaningless accept cookies pop-ups.
Taking things a step further, it’s possible to envision a world where users could tailor their data collection preferences by industry, organization type, and data type. For example, I could adjust my setting so cookies are automatically accepted for news sites but rejected for e-commerce sites, or I could consent to my location data being collected but not allow organizations to track my search history. This would empower individuals to make thoughtful and informed decisions about their data privacy, versus the rushed and apathetic experience that accept cookies banners create.
At a time when we’re more reliant than ever on the digital world, we can raise the bar for users while still giving them choice around sharing their digital identities. We should use this moment to surface alternatives with privacy—not compliance—at the forefront.
Todd McKinnon is CEO of Okta.
