The ICO and the UK Government agree that the current approach to regulating cookies doesn’t work for people or businesses. ‘Cookie fatigue’ (users being overwhelmed by cookie pop-ups) has resulted in a lack of meaningful user engagement with the consents requested in cookie pop-ups. Since the ICO published its plans on how to tackle the issue, with the help of its G7 counterparts (see our blog), the Department for Digital, Culture, Media and Sport (“DCMS”) has launched a consultation proposing changes to the UK’s data protection and cookie rules. On 6 October 2021, the ICO responded to that consultation.
The new plans proposed by DCMS include a “browser-based solution” where, on a one-time basis, users decide upfront what data they consent to being collected through cookies. This is then respected and applied across all the online services those users access. The ICO support this approach (unsurprisingly, given it is the approach they had recently suggested to the G7). They consider this proposal would allow meaningful consideration by users of the categories of data they are comfortable being collected. Both the ICO and the UK Government note, however, that this is not a quick fix and that it would require significant international cooperation. Nonetheless, this solution is certainly workable as there are already several similar cookie blockers available as browser extensions, with one having over 500,000 users.
The DCMS also propose expanding the categories of data that can be collected through cookies without explicit user consent. Under the current cookie rules, consent is not required if the cookie is deemed strictly necessary for the operation of the service. The DCMS suggest adding the following categories to this group:
- Analytics cookies: this proposal is supported by the ICO, subject to (as the DCMS also note) appropriate safeguards to ensure such processing has a low impact on users’ privacy and a low risk of harm. Interestingly, a similar approach has been taken in France.
In addition to responding to the DCMS’s plans, the ICO used its consultation response to recommend that the UK Government considers legislating against cookie walls (cookie pop-ups with no ‘reject’ option) altogether.
To strengthen the bite of their potential proposals, both the ICO and DCMS support aligning fines under the Privacy and Electronic Communications Regulations (“PECR”), which govern cookies, with the fines available under the GDPR. This would raise the potential fine limit from £500,000 under PECR, to the GDPR limit of the higher of £17.5m or 4% of global turnover. If accepted by the UK Government, this would certainly push cookie compliance up the risk agenda for many organisations, particularly given the current levels of non-compliance.
With thanks to Tom Hurleston for helping with research.