We're going backwards.
Dear fellow tech sector people, the internet is wrecked, and it's kinda our fault.
Now that's out of the way I want to share the story of how we got here; it's a story which shows how historically we've placed pretty much any business need over user experience, the downfalls of the copycat, cookie-cutter culture we live in and a healthy dose of misapplied governance. Back in the good old days (did I mention I'm 30 now) you could go to a webpage, click around a bit and then leave with relative ease.
This ability to browse the internet relatively unimpeded meant that the web was task oriented - and not to be too much of a pragmatist, but that was somewhat joyful to me. And yes - whilst they were enjoyably quirky - those Piczo and Bebo and Myspace profiles were also garish and awful, the same goes for MSN, AOL, Ask Jeeves and pretty much all tech in the early 2000s, we didn't know how to design or build anything properly and despite us not knowing it at the time, our inadequacies would later become apparent to us in savage clarity.
Web2 in its infancy was flawed, but it was at least flawed in a predictable, forgivable and era appropriate kind of way. The flaws that were there, ultimately created by the limitations of the technology and the inability of the creator or user to understand what needed to be achieved, instead of the maliciously concocted Rubix cube of contrived nonsense that we see on virtually every website we visit today.
A lot has changed in tech between then and now, and we're not going to cover it all, but there are some repeat offenders we can single out, and it's about time someone gave them a good kicking.
This time around, we're focusing on the most prolific of inconveniences.
Front and centre with supposedly no messing around, our main jester of the modern web experience is undeniably, 'Cookies'. You sir are a crook and a fool in gentlemen's clothing. Cookies are for the most part behavioural trackers, some of them aid user experience, even fewer are actually essential, but mostly they are there to benefit the owner of the website or the advertising agencies who buy and utilise the data, not the user.
The mind-numbing trend of poorly designed Cookie notices came and stuck around with a permanence that can only be likened to taxes, largely because it was introduced by a governing body who didn't have the foresight nor understanding of how to legislate data protection with the user's task orientation in mind. In May 2011, when the ICO uplifted Cookie Awareness to Cookie Consent (UK) (2017 via GDPR for EU users), the more established websites were quick to put up clear and simple consent based notices. Then, after a long and as yet unexplained pause, the rest of us awoke from our slumber and reluctantly climbed aboard the data compliance train which was steadily but relentlessly gaining steam.
There was a problem though, this required effort, time that we didn't have, energy that we didn't want to expend - and therefore our motives were impure, we were partaking merely to comply and not because we believed, and thus we did what we techs do best in times of hardship, copy pasta someone else's code 🤘🏼.
What followed was a series of 'cookie-cutter' cookie consent notices, most of which were and still are very poorly designed and difficult to use. Eventually, entire teams and finally SaaS businesses centred around this one annoyance - a cookie notice - would be created, so that we could continue to place literally every conceivable inconvenience in front of the users need to complete their task, but on a more predictably annoying basis.
Aren't we progressive.
As time passed, businesses started to notice how they could leverage this compliance requirement abomination to generate revenue, amongst other things - and without a second thought for the user and their actual experience, how they perceive the business and pretty much any other forms of consideration, the recipient of the cookie notice itself was cast aside. We opted to make it obscenely difficult for the user to disable all but essential Cookies because it was a seemingly prudent business decision, not because it served the user.
Before we knew it we were all contributing to a Crystal Maze nightmare of convoluted consent options, cascading endlessly through an infinity mirror of panels, accordions and toggles. This is hurting everyone on the internet and the perception of your business before the user even gets to your website. In this scenario, we should consider not the resource cost of doing something, but rather the perceptual and experiential cost of doing nothing at all.
From this lense, suddenly, dropping that 'industry standard, 5 Star TrustPilot rated, influencer sponsored' cookie notice SaaS product you're using doesn't seem so cavelear. And then you realise that instead of being part of the problem, you could opt for the more novel idea of giving deliberately clear options to the user - making them instantly recognisable, then defaulting to 'Essential Only' and moving on, after all you should know better.
The Data, Oh Lord the Data
How many times per month do you accept cookie notices?
3, 5, 10, 15, more?
This is preposterous.
In fact, it's plain unnecessary. If you're a conscientious, systems thinker like I am - and let's be honest if you're a technical person then you probably are - then maybe you've wondered why you can't set your cookie preferences in the browser, once, and then have these settings detected on every website.
Doesn't that feel like a utopian dream.
Whilst you can block Cookies natively in Chrome and other browsers, the fact that you can't do this natively and have it cascade into the interface is not by accident, nor is it by 'the entropy of development in a competitive market', or whatever other nonsense sound-bites you may have heard about this topic. It's entirely by design. Thanks to our old friend - cash cash money - we are trapped in a vacuum where user experience is enveloped by the desire to drive consumption and profits for the likes of advertiser driven media (gross) and big data (significantly more gross).
I promised myself I wouldn't get all existential, but here we are.
The obsession that big data has with profiling web users and the subsequent profits from advertising revenue is the main obstacle to resolving this problem and it's brought us technical people kicking and screaming into this void, where poorly implemented data compliance regulations meet profit driven business decisions, resulting in one of the greatest user experience faux pas of our generation and ultimately, we're left to solve a problem not entirely of our own creation but a problem which we perpetuate and therefore continue to endure.
Sally Is Annoyed
Imagine an average web user, let's call her 'Sally'.
Sally is being deliberately annoyed through bad user experience into giving her personal information and search history to website owners so that she can be served targeted advertisements. Sally has noticed how much easier it is to click 'Accept' than it is to 'Decline' Cookies on virtually any website she visits, and it's the 10th time today Sally has tried to disable the right Cookies on a different site.
Sally is tired, and I don't blame her. This is also by design, and it's our fault. We set it up like this did we not? So that people fall into the trap of just accepting behavioural tracking. Is that okay? Because the longer this goes on, the more it's starting to not feel okay and yet for every single website we ever visit we accept this terrible UX catastrophe as if it's acceptable, simply because it's commonplace.
Sally doesn't think this is normal, and neither do I.
Collectively, global internet users waste over 21 thousand years per month negotiating their way around Cookie notices 🤯.
That's 19.6 Billion seconds of human brain power and ingenuity wasted daily on performing the same irritating, repetitive cognitive task. How I got to these figures is arguably the most harrowing instance of 'napkin maths' ever undertaken. Your palpable concern is appreciated, so I'll share my workings so that you can be assured that this absolutely thankless task was also a worthwhile endeavour in order to understand the scale of the underlying problem.
Take a breather, things are about to get num3r1c4l.
The average expiry for cookies is 30-90 days, so we'll take 60 as our average. The average number of different websites visited per day per user is between 5 and 7 so we'll use 6 as our average; it is assumed that the majority of these are repeat visits across different days (i.e to Facebook, LinkedIn etc) so we'll reduce this to just 1 different, previously unvisited website each day outside of those frequented on a daily basis - a heavily conservative estimate.
This means that in any given month the average user visits 5 core websites and 31 different websites, totalling 36 in a given month. As the cookies on these won't reset for 60 days (2 months) we'll half that value to give us a monthly trimmed average, that's a conservative estimate of 18 different websites per user per month which would be subject to displaying a Cookie notice; this calculation accounts for the length of the average cookie expiry too and therefore would apply to any given month, not just the month at the start of an average cookie expiry cycle.
Now how many web users are there globally - latest figures suggest 5.07 Billion people use the internet each day as of October 2022, to account for less active users we'll slice this rather brutally in half to give us a trimmed average of 2.5 Billion. Now let's multiply that number of users by the number of sites visited per month per user (2.5B internet users x 18 different websites per month per user) = 45 Billion.
There are 45 Billion hits on websites each month that (should) get served with Cookie notices.
Now how long on average does it take a user to appropriately choose the right cookie settings? There wasn't any data available on this so I tested it myself on several different websites and averaged out the time it took to understand the options at the highest, most basic level and select what Cookies I wanted to reasonably accept.
On average this took me 13.5 seconds per site.
45 Billion x 13.5 seconds per Cookie notice = 607.5 Billion Seconds per month.
10.1 Billion Minutes per month.
187.5 Million Hours per month.
7.8 Million Days per month.
1.1 Million Weeks per month.
21,153 Years per month.
682 Years per day.
You get the picture. If we humans were to correctly choose our Cookie preferences on every website we visited, collectively in the current state of affairs we would be burning through 21 thousand years every month thanks to this problem. This is not only preposterous, it's absolute insanity.
Having spent quite some time thinking about this conundrum, I am of course acutely aware that this is not a problem that can be solved by oversimplifying the nuances of varying business needs and implications as well as the technical applications of Cookies themselves.
Not all non-essential Cookies are evil...
In fact many analytics tools are used for borderline altruistic reasons, whereby they either directly or indirectly benefit the user - Hotjar is one such example. The nuances of the various tools and reasons those tools are in use makes this the convoluted problem that it is, one person may use an analytics tool to improve their product (shameless self plug - shout out to Cloud Gateway), where another may be using it purely to calculate how to more accurately spam people with drivel articles about which vintage car is the best.
You need a business to have users.
The way I see this is that we are wasting a lot of time for not enough gain, there is very little to no value for the user in the current Cookie Consent system. Marketers and SEO friends I apologise for the annurism, but I just don't care about your ads. No one does, really.
However I do understand your value, the rest of us probably wouldn't have a job if you didn't exist. So you might say without Cookies and the tracking behaviours they enable, there would be no user to complain about the experience.
And alas, you would be right - probably.
That browser extension you've got, just won't cut it.
Much like AdBlock and other browser extensions, there are ways for websites to directly or indirectly work around automated 'plaster' solutions, the few that do exist didn't work as expected when tried and tested and gave me little confidence in terms of stability and reliability - a view shared by many in the reviews.
Oh, The Irony
The irony is lost even on those in a position to call out the problem. Wired UK seen here making themselves a victim of their own wiseness by using one of the many, cookie-cutter consent notices available in the market today.
What Are We To Do
After all that and much like myself, you're probably glad it's time to bring this to a close. The summation of this problem is that it originated from well intended yet poorly executed regulations which were supposed to protect users by providing better data privacy controls.
Due to our understandable yet flawed cut and paste world and patch and run attitudes we were left with a problem bigger than we could have ever anticipated, and delivered in poetic tragedy was the all too common kill shot - money.
Therefore we must reflect on what we can actually control to make our user's experience more simple and less annoying. I've curated a list of do's and don'ts for Cookie notices which assumes just two things:
1. your business doesn't run entirely on ad revenue generated from the use of the data collected through Cookies, if this is the case then it might be time to rethink your business model entirely, because I can't help you or your users - nobody can;
2. you are able to spare enough time in your busy development schedule to think enough about the user, that you spare them from a problem for which arguably, we tech people are partially to blame.
⇼ keep cookie notices small, discreet and visually clear;
⇼ provide simple one click options which take very little cognitive strain to process;
⇼ good practice for less complicated websites would be to show a single declarative option, (i.e 'Accept', 'Continue') and prevent the loading of any non-essential cookies until the user accepts;
⇼ good practice for more complicated websites would be to show options for 'all', 'essential and analytics only', 'essential only';
⇼ provide a clear response to the user that their selection was recorded accurately, such as hiding the notice automatically or showing a success message, and then make sure you abide by it.
⇼ interrupt the users ability to perform their desired task for any reason;
⇼ hide all other options other than 'Accept' in a labyrinth of z-index peril - this is explicitly against the GDPR and ICO rules surrounding Cookies, so you may as well not show a notice at all;
⇼ use obscenely small font sizes, illegible type faces or obtuse colour contrasts.