Why popups are back in the modern web

Living in the suburbs of London, I find myself commuting into London town on occasion. As many commuters before me have done and as many more will do, I read articles on my phone. Something has changed recently though, you may remember the torrent of emails that flooded your inbox, the month when companies realized they had to conform to the General Data Protection Regulation (GDPR) and inform you what your digital rights were, what personal information they would be using and why. Almost every website you visit now informs in one way or another that,

This site uses cookies

These sites use cookies, some like to tell you in more obtrusive ways than others.

Exploring the web is now a bombardment of popups and adverts, akin to the days of the early web where you could be bombarded by rampant popups on a minute by minute basis. It’s not that bad, but it does gradually erode your willpower and with every “Accept” button I tap, I care less and less. If anything, it fuels my frustration when following a link lands you in yet another negotiation about cookies or privacy. Don’t get me wrong, the legislation is a step forward for the rights of every person whom, in a digital age are relinquishing more and more personal information than ever before; but it has come at a cost. It doesn’t have to be this way though, so what are the benefits of the GDPR and do we have to continue to deal with the annoying banners, popups and notifications about cookies and privacy?

Three popular sites have three different ways of communication for the same purpose.

The aim is to promote transparency and give greater control to users rather than companies who may have, in the past, been using much more data than you could imagine. Some of this data is useful for personalizing your experience but some websites can take advantage of the amount of data they collect from you or hide their intent within a legally fortified privacy policy. So what are some of the rights the GDPR ensures?

Portability

You can move your personal data to another service/website/app freely. This could take many forms but could often be as simple as allowing you to save your data in a readable format so you can import to whatever new place you choose.

Object

You have the right to object to automatic profiling. Some information may be used to discriminate against you or market to offer targeted marketing. You can request that this information is disregarded.

Rectification and Restriction

Update your details freely. Sounds simple enough but this also includes advertising preferences and consent to how your data is used. Just because you agreed to something in the past, doesn’t mean you should be locked in forever.

Be Forgotten

You have the right to request that your data is deleted. You may not want an old profile sticking around to haunt you.

Be Informed

This is the right that has the biggest impact on daily web activities. You should be informed what data is being used by the website, what is being done with your data, who it’s being shared with and how long the website intends to keep it. This most often takes the form of the banners we all know and hate.

You may be asking, “Why is this a problem? It’s better to know how my data is used so I can make the decision!” and you’re right. It is a right to know how our data is being harvested and whether we should allow a site to do so. What I am proposing is a way to get the best of both worlds. To browse the web unfettered by pesky popups and blaring banners begging for your attention on every new site you visit. So what other options do we have?

Protecting a Walled Garden

Stepping away from the web for a moment, let’s take a look at some approaches to privacy that have been adopted to various degrees with varying success by some other ecosystems.

The Microsoft Store is a good example of how it lets users know what permissions an app could use before you install it. Although this is not practical for the web, the benefit of a storefront like Microsoft’s, is that each app must define the permissions it wants to use in a manifest. It’s standardized and readable, although it’s unclear how obvious it is to the average user. The difference is, however, each app is required to have these permissions submitted to the store and Microsoft could choose to utilize this information in a variety of ways. It could be possible to filter apps by the permissions they request or for this list of permissions be factored into parental controls.

The Facebook Messenger app in the App Store has limited permissions information upfront but has a good range of per app permissions in settings

Apple’s approach on iOS is a little different, the App Store doesn’t explicitly show what permissions an app could request but once you have installed an App, you have control over some important settings. This is an important feature that would be welcomed by myself on the web. Per site permissions in one place would give a much greater level of control over how what permissions we give to sites. Permissions you give a site shouldn’t be fixed forever, websites can change and our trust of websites can too change over time.

So what’s the point? You can visit any number of sites in a day and see any number of ways they inform you of what data they want. Websites can communicate in a variety of ways but it’s their discretion of how easy or difficult they want to make it. Some sites might have a friendly, structured matrix or bulleted list while others will simply link to their privacy policy and be done with it. This is not always for nefarious purposes, however when was the last time you *really *read a privacy policy? It become difficult to digest the important information when you encounter so many different popups and banners every day. I think this could be improved with a little help from browsers and standards.

Web APIs allow for standardization across web browsers, although each browser vendor can choose how they want to implement the intricacies, there is a common consensus. Some web API’s already exist for what people see as some of the most important forms of privacy. You have to explicitly give your consent if a website wants to do any of the following:

use your physical location
access your device’s microphone
access your device’s camera

So could we have something similar for cookies and other consents mandated by the GDPR? There are some good features in place including Do Not Track but I think there is room for improvement.

I propose a set of preferences stored by the browser’s user account that stipulates how you want your data to be handled by default.

The kinds of permissions you generally choose would affect every site.
If a site requests permissions or more data than you’re prepared to give then you have to explicitly give consent but it’s really up to the specification and how browsers want to implement it.

This approach would waive the need for each site to display their own cookie consent messages and bring a common, understandable interface so you can focus on the intent of a websites cookie policy and not be pawned off to a seemingly endless document full of legal jargon and endless appendices (unless you need it or are into that kind of thing).

Privacy and data agency is an important right both online and offline. It’s important to know how your data is being used and whether or not you want your data to be used but the current form of communication is a troublesome distraction on the web. It doesn’t have to be, I hope I’ve sparked some interest in seeking change for a more calming web browsing experience in an often busy world.

The cookie icons in this header image are from FontAwesome.