Cookie alerts: the accessibility horror story
Here's a story about how the whole web was made unaccessible by a law that started in a quest to secure our privacy.
I've found some insightful materials about why cookie alerts suck regardless of accessibility concerns. In particular, the Silktide company has not only discussed it on their blog (here and here), but even created nocookielaw.com to stand against the stupid law. I'd like to summarize the general issues before digging deeper into accessibility.
Here's the list of main ideas that stood behind the "Cookie law" and my comments on them:
- Cookies reused across multiple websites, like those collected by Google or Facebook, help collecting lots of behavioral data on the web user. This is a real problem, but which cookie alert really tells that? Those real privacy concerns are not handled at all and large companies get away with it.
- With the evolution of HTML5 and Local Storage, there's a growing number of ways in which websites could persist data on your computer without your knowledge. But the thing is, only browsers can know and enforce what is being used by a website. Also, there's Flash and Java, so why just cookies?
- First, you were supposed to interactively opt in for cookie use. Then the law changed to favor implicit opt in with info about how to opt out. This ambiguity resulted in a multitude of generic JS solutions, which just couldn't really disable cookies or session tracking. Even if you close the browser instantly after reading the warning, your visit was probably already registered by Google or Facebook.
- In general, you were supposed to recognize a website that doesn't care about your security by the lack of cookie note. But it's the contrary: after having to dismiss the same stupid generic message (just packed in different shiny package) over and over, you end up falling in love with websites that don't poster you with it.
Obviously, this law was created without even a basic technical understanding of the real problem. And it was created by people unable to predict its practical consequences. Let's talk about these.
I'll refer to basic accessibility guidelines from my Introduction to web accessibility article in order to show which rules are broken by cookie alerts that are a consequence of the cookie law.
No unified experience
With hundreds of JS plugins and custom solutions rolled out, you'll enjoy a new unique cookie alert experience on almost every single website. For a well-sighted person, finding the [X] button that becomes a magical gateway to a page underneath it may seem like a "funny puzzle" to solve. Or an annoyance if they really are in a hurry to get the job done. For a person with disabilities it means having to learn how to close them every time.
To make things worse, it's not uncommon for the [X] button to disappear completely after zooming the page. Sometimes it's so small it's hard to hit it. Doesn't matter if your sight is poor, you have motor issues, you're using iPhone inside a shaky train or you're just tired or in a hurry. And sometimes, alert has some funny HTML structure that screws with the assistive software. And finally, this [X] may not even have a textual label, so it's hidden to that software anyway.
This scores a hat-trick in the guidelines, breaking All items exposed, All exposed items labeled and All interactions supported rules all at once. And it would be enough to conclude this article, but unfortunately that's not all.
No way to opt out
Ironically, even if you have cookies disabled, alerts will often still poster you. This only adds up to an already large list of reasons why they're just a plain stupid idea in the first place. There's no way to opt out. Or maybe there is, but only if you fallback to content blocking extensions.
By the way, you should know one thing about people with accessibility issues. They're often like the so-called "power users" and usually have a very customized web browsing workspace. This includes using many unusual browser settings and opting out of every browser feature that makes life harder for them. For some it's better without images, without fancy fonts or without the whole CSS. In this regard, cookie alerts are a real party killer for them.
Cookie alerts often use containers with
fixed positioning. I've already described how much a content with this positioning may ruin the All items exposed rule when zooming. And it's just plain annoying, especially on mobile.
This also holds true for modals which are sometimes used for cookie alerts, too. Modals are universally recognized as bad UX these days, even by accessibility unaware web dev folk.
I suppose the idea behind fixed divs or modals for the alerts was to enforce the user opting in for cookies prior to using the website. But as I wrote above, it just doesn't solve the problem. Most of the web behavior collecting hooks have already executed even before you had a chance to opt in.
The cookie message is usually written in convoluted and/or generic manner. There's simply no real, straight information about the content of the cookie and privacy-related consequences for the user. Here's what you get instead:
That's usually followed by a few equally pointless sentences. I instantly recognize this as gibberish and stop reading. But what about visitors with dyslectic or cognitive impairment? They may actually go on a suicidal mission and try parsing it. And speech synthesis users that read the whole page from top to bottom will also enjoy the whole thing. They'll certainly feel lucky.
I'm not all about complaining though. I get that sometimes we just need to get our work done and so does the government in its effort to protect our privacy (no matter how poor). But in this case they just didn't and not only was our UX hurt but our privacy means just as little to the big players as before. So here's how I would approach this:
- browsers themselves, as the only entity actually capable of that, could limit privacy-critical functionalities for specific websites and ask users for permissions in a clear way
- being a part of browser interface, this info would be presented in a way optimized to every platform, and it could be easily disabled by users that know what they're doing
- users could be presented with a standardized, familiar list of security concerns that they're requested to accept on a particular website (like with apps on iOS and Android)
- this could be enforced by a government-recognized W3C standard which could become a foundation for web privacy just like the WCAG 2.0 is for the web accessibility
I know it's just a draft and not a complete solution, but neither is what we already have.
We can once again conclude that accessibility basically equals usability and so the issues in this area affect not just a small niche of visitors but everyone. From a regular web surfer with an iPhone in a hand to a blind or otherwise impaired person.
I hope you can see now, in case you didn't already, that the idea behind the cookie law was moronic. Unfortunately, the consequences of cookie alerts spreading across the web are severe. But we can spread a word about this issue and hope that the web will be cured with time. And that we'll learn from this experience when the next big misguided "web invention" comes up.