California voters approved a privacy-oriented ballot measure in November that creates an incentive for companies to stop pestering you about cookies. It can be hard to tell from many of the pop-ups, but businesses are asking you to give them permission to install small files on your web browser so they can sell or share data about your browsing habits. The process for making these messages less common is already underway.
The California attorney general is tasked with defining a browser setting that will let you automatically tell websites not to share or sell your data. By the time the new law comes into effect in 2023, major web browsers are expected to offer the setting as a privacy feature. At that point, companies will get to remove a button that says "Do not sell my personal information" from their websites if they honor the browser setting without splashing pop-ups across your screen asking you to opt back in to the sale of your data.
The cookie pop-ups come from a well intentioned place. In an effort to give Californians more control over their privacy, an earlier state law gave consumers the right to opt out of the sale of their personal data, including their web browsing habits. But the cookie pop-ups often do little to inform users of their privacy rights, instead urging them to just click "okay" to clear their screens from distractions.
The more recently approved law aims for something rare: privacy protection without constant interruption. It may sound small, but pop-ups are already indignities that slow down your workflow or, more likely, chip away at the joy of wasting time online. Pop-ups that simply annoy when they're meant to protect consumers add insult to injury.
Here's more about how the change could come about, and how soon you can say goodbye to cookie pop-ups.
Explain to me again why we have cookie pop-ups?
Californians started seeing these pop-ups a lot after a state law called the California Consumer Privacy Act, or CCPA, went into effect this year. Spearheaded by Alastair Mactaggart, a Bay Area real estate developer, the law gives consumers the right to ask companies to delete their personal data and to not sell it. The data covered includes browsing habits.
Businesses subject to the law have to let users opt out of the sale of their data. As a result, companies are required to tell visitors to their websites how their data might end up in the hands of third parties, often in the form of pop-ups. They can also ask users to opt back in, also with pop-ups.
Because of California's overwhelming size and economic importance, some companies have made following the state's law their default practice. As a result, the pop-ups have been popping up outside the Golden State, too.
Why are the pop-ups so obnoxious?
People don't like cookie pop-ups. Elon Musk complained about them on Twitter, and a cottage industry of browser extensions that block the pop-ups has flourished. (CNET doesn't vouch for these extensions.)
The system isn't ideal, something Mactaggart acknowledges. "It's frustrating when you go through those links," he said. "The whole thing's confusing."
How will the new law reduce cookie pop-ups?
The new law, also supported by Mactaggart, updates the CCPA. The law doesn't ban cookie pop-ups, but it creates an incentive that advocates hope will make them far less common.
Companies have a choice. They can honor the browser setting, which will be a simple feature you can turn on or off to tell companies not to sell or share your data and stop asking you to opt back in via pop-ups or other requests. Or the companies have to display a button on their websites that says "Do not sell my personal information."
If companies take the first choice, "you're able to browse and know that the website is not selling your information," said Ashkan Soltani, a privacy expert who has worked with a group of like-minded technologists to develop a browser setting called the Global Privacy Control. Soltani and his colleagues hope California will adopt their setting as the standard in the state's privacy regulations.
Will companies really stop asking me to let them sell my data?
The new law's advocates are banking on it. According to Mactaggart, companies don't like having to display the button that says "Do not sell my personal information" because it reminds consumers that most companies are collecting their data all the time.
If companies can get out of displaying that text, they'll stop asking users to opt back into the sale of their data, he says. We won't know how effective the law will be until it's enforced in two years.
Will I benefit from this if I don't live in California?
The cookie pop-ups aren't limited to Californians' web browsers, something Carnegie Mellon University privacy expert Lorrie Cranor noticed from personal internet use on the East Coast. "Even when you're not in California, you get a lot of it," she said.
If the law is successful, non-Californian web users are likely to see fewer of the interrupting messages.
Additionally, companies including Mozilla and Microsoft have already extended privacy rights guaranteed in the previous California privacy law to all US users. Businesses may do the same thing with the new law, proactively offering to honor the browser setting beyond California.
Do I really have to wait until 2023 for all this to come into effect?
The law won't be enforced until 2023, but you'll see some benefit sooner. In the coming year, you can look forward to major web browsers rolling out settings that let you tell websites not to sell or share your data.
Some privacy-oriented browsers and browser extensions already offer this setting, including the Brave browser, the DuckDuckGo Privacy Browser and the EFF's Privacy Badger browser extension.