Has the cookie banner crumbled?

Tolerate them or hate them (I’m not sure many people love them), cookie banners have been a part of online life for a few years now. But could that all be coming to an end? Over the last few days Elizabeth Denham, the UK’s Information Commissioner, has been chairing a meeting with G7 authorities at which she has presented her suggestion for improving the current cookie consent mechanism. Her plans, the ICO says, will make “web browsing smoother and more business friendly while better protecting personal data.”

The problem with Cookies

Critics of the current system argue it is costly to businesses, provides a poor online user experience and also fails to obtain meaningful consent - people just click ‘I agree’ without fully understanding what that means. Denham says: “I often hear people say they are tired of having to engage with so many cookie pop-ups. That fatigue is leading to people giving more personal data than they would like.”

The suggested solution

The ICO’s suggestion is that web browsers, software applications and device settings should allow people to set their own (lasting) privacy preferences, rather than them have to express a preference each time they visit a website. This should help improve the user experience, minimise the use of personal data and ensure people’s privacy preferences are respected. The suggestion is not new – reference to the use of browser settings etc. has been included in legislation for some time now, and the ICO acknowledges the approach is already technologically possible and compliant with data protection law. However, it is likely to require co-operation among different standards organisations and/or tech firms. The ICO is therefore encouraging international collaboration in this area as it believes the G7 authorities could have a ‘major impact in encouraging technology firms and standards organisations to further develop and roll out privacy-oriented solutions to this issue.’

The response

The ICO, and UK more generally, has faced criticism from privacy activists. For example, the Open Rights Group argues that most cookie banners currently in use, and the data collection that sits behind them, are unlawful. While it does not oppose the ICO’s call for automated signals, it argues that, in the meantime, the ICO should be enforcing the law.

The EU is also likely to be watching developments closely, particularly as this is part of the Government’s plans to reform UK data protection laws. We have already, for example, seen an ICO consultation regarding international transfers and plans to agree new data arrangements with countries such as the US, Singapore and Australia. 

While the EU has generally warned that divergence from EU law could risk the UK’s long awaited adequacy decision, culture secretary Oliver Dowden recently told the Daily Telegraph that “there is an opportunity for [the UK] to set world-leading, gold standard data regulation which protects privacy, but does so in as light touch a way as possible.” He also said that the new Information Commissioner would “shake up” the data rules, including those around cookies - Denham’s term ends on 31 October and she is set to be replaced by current New Zealand Privacy Commissioner John Edwards. 

A shake-up may be welcomed by some, particularly given the failures of the current approach to cookie compliance. However, it is important to get this right given the increasing amounts of data being collected online. Assuming the ICO’s cookie plans are successful, it will also take time for them to be developed and adopted. In the meantime, it may face further criticism regarding its current enforcement approach around cookies, particularly given a number of recent fines (see our blog) in other jurisdictions.