Blog Post

Why the Cookie Monster Won’t Kill European Startups

Stay on Top of Enterprise Technology Trends

Get updates impacting your industry from our GigaOm Research Community
Join the Community!

Cookie MonsterEurope’s technology scene is awash with fear and loathing today, after entrepreneurs finally realized new rules regulating online privacy could affect their businesses. In particular, they’ve suddenly cottoned-on to the fact that a pan-European directive about the use of cookies, which is due to come into force on May 25, could have an impact on them.

The story is getting a lot of press and attention right now — most of it very negative indeed. The BBC says the rules are “set to make cookies crumble”, while TechCrunch Europe says it will “kill our startups stone dead”.

So what are they so worried about? Let’s walk through the issues.

The new directive (an amendment to a similar, earlier one) is, essentially, an attempt to make users aware of the personal data that they hand over to web-based businesses. It’s asking anyone who collects significant private data to tell users and give them the ability to opt out. As the the document itself states, it is of “paramount importance that users be provided with clear and comprehensive information when engaging in any activity which could result in such storage or gaining of access. The methods of providing information and offering the right to refuse should be as user-friendly as possible.”

It’s probably also worth pointing out what the amendment isn’t:

It’s not a law. The EU is saying member states should enact their own legislation in this area to harmonize with each other, but each country gets to apply it in its own way. Britain’s government will have no impact on the French; the Spanish solution may be very different from the Italian, and so forth.

It doesn’t make opt-in compulsory yet. Because of the system, directives take a long time to become enforceable laws. So while the directive might come into force on May 25, it’s not going to be resulting in court cases for years.

It doesn’t ban cookies. It just asks that those sites which use cookies to track user behavior off site — usually to serve targeted ads — tell users that they’re doing so. Login cookies and shopping carts would be exempt.

It’s not aimed at making businesses less competitive. It’s aimed at making them more transparent.

On the surface, perhaps there’s nothing to complain about. After all, most reputable companies already do this as a matter of course, and let’s not forget any foreign company that wants to operate in Europe — Google, Facebook, eBay and others — will also have to abide by these rules.

There are, however, plenty of good reasons for European entrepreneurs to be skeptical about where all this may be headed. Attitudes toward most things, including privacy, vary wildly from one side of Europe to the other and the big fear is that the whole of the EU could end up being forced to adopt the strongest laws by proxy. That would probably mean German laws, which are fiercely protective — to the point that some lawyers there suggest Google Analytics could be considered illegal.

It may simply be a coincidence that the German Internet industry is underwhelming for a country of its size, but it’s enough to strike fear into the hearts of entrepreneurs in Sweden or Estonia or the U.K. Do they all want to be forced to adopt rules that would damage their own vibrant startup economies?

That’s the real reason we’re hearing this noise: it’s an attempt to pressure national governments to adopt the directive in a way which doesn’t go down the German path. Yet in most cases, those lobbying against it are already pushing against an open door. For example, Britain’s privacy watchdog — which is helping draft the U.K. version of the law — says “we are clear that these changes must not have a detrimental impact on consumers nor cause an unnecessary burden on U.K. businesses.” What clearer signal can you get?

I suspect that, once the fuss has died down, this story will actually be more illuminating as a parable about the attitude of many European entrepreneurs towards their governments. On one hand, they are happy to take handouts and benefit from political support, while on the other, they start throwing a tantrum whenever legislation doesn’t bend to their demands.

The EU directive isn’t a perfectly-formulated piece of work by any stretch of the imagination, but if the continent’s entrepreneurs really want to be competitive with the rest of the world they’ll have to pick their battles carefully and avoid being overwhelmed by hysteria.

Related content from GigaOM Pro (subscription req’d):

9 Responses to “Why the Cookie Monster Won’t Kill European Startups”

  1. Where you say “throwing a tantrum whenever legislation doesn’t bend to their demands.” – I completely disagree with this statement. and it would seem that you have also missed one of the most vital facts in this whole debate.

    Firstly, people (users, website visitors, etc) already have the ability to “opt out” by setting their internet browsers to not allow cookies, or prompt them first.

    Secondly addressing your rather sweeping statement about “throwing a tantrum”, business owners are worried that the legislation that comes in will potentially ruin their business, which is a justifiable point of view. For example in order to get “express consent” which is what is required it is possible that some sort of pop-up window will have to be put in place asking for the consent. For businesses that use Google Analytics to track visitors this will become a thing of the past… this will have a massive impact on SEO and conversion optimisation let alone PPC which requires it to work.

    Another salient point which your article failed to spot is that there are alternatives to cookies already in place, which can be used just as maliciously and the whole idea of restricting cookie use to times when you have acquired express permission is made redundant by existing technologies that will circumvent this directive.

    While we are on the subject of salient point that you missed, the guy responsible for this directive is a qualified historian, with experience as a politician… Having no understanding of technology, internet protocols, or the importance of specific technologies.

    One of the main gripes with cookies is related to behavioural advertising… Again this is just ignorance, do people believe that there will be less advertising as a result? Well there won’t, it just won’t be relevant to the user.

  2. Surely the engine that powers the entrepreneurial machine finds it’s most potent fuel hidden within circumstances such as this? To fear or protest change like this is to run from the very heart of where opportunities are born.

    These changes are exciting, they are empowering and they bring with them a vast amount of new potential for users, publishers, advertisers and entrepreneurs.

  3. John Smith

    So it may be worth putting this all in perspective.

    This single page as I read it on 16:25 9/3/2011 had 39 cookies set and 48 cookies replayed from 15 distinct domains. A strict reading of the Directive as amended, which appears favored by head of European Data Protection Peter Hustinx, would therefore be seeking 87 “consents” just to read this page. Note it isn’t just setting cookies that requires consent but also the “gaining of access” to cookies (cookie replays) that equally require consent.

    Even discounting a strict reading and moving instead back to just the previous version of the Directive, sites would need to give “clear and precise” information about who is collecting this data, the uses to which data is being put and the opportunity to reject those uses.

    The article correctly points out that national transpositions of the Directive may vary and some may indeed be more friendly to entrepreneurs, but I think the point is really that it would be challenging for even entrepreneurs to write the national transposition in a way in which compliance is possible (and last I checked they don’t let businesses draft the laws that govern them).

    Read the directive and then turn on a packet sniffer and the problem becomes more clear.

  4. There’s an error in the HTML in this article, shortly after the phrase “which is helping draft the UK version of the law”. Looks like an unclosed link which is hiding a chunk of the text.

  5. The hysteria might help to solve the problem. We need more noise and awareness that the flood of upcoming realtime analytics and sales activities of personal data needs to be controlled in some way.

    As usual when an industry gets out of bound and hurts consumers the government has to act. Compare it to our traffic laws on the roads and in the air.

    Why does the industry not see the dangers of selling realtime personal data? We will have misuse, fraud and criminal actions soon if nobody controls this monster!

    I am not against advertising. Yes we need it, and ads do not much harm to a user. And they can use the option to block it. The danger is that personal data gets somewhere else too. Who knows who receives it and what they do with it!

    If our industry does not find a solution, then the best solution for the user is not getting bothered with cookies and analytic at all. Enforced by law.

    • Bobbie Johnson

      You think the hysteria that’s coming from either direction is helpful in making that happen, Otmar? I always think it’s a shame when answers come about because two sides take completely opposite positions. It just means that, for the subsequent big issues, the starting arguments get more and more extreme.

      • You are right Bobbie. It gets more and more extreme. But this is what we need. How else can a everyday user learn what happens with his personal data?

        The discussion has not even started yet.