UK ICO Calls for Browser Controls to Address 'Cookie Fatigue'

The Shifting Landscape of Online Privacy and Cookie Consent

Recent discussions in the United Kingdom regarding data protection have revisited the concept of “do not track,” with the nation’s data protection chief advocating for browser- or device-level settings to manage cookie preferences. This suggestion aims to address the proliferation of consent pop-ups experienced by internet users within the region.

A Sense of Déjà Vu and Growing Frustration

European web users encountering this development may experience a sense of familiarity, and perhaps even frustration, given the ongoing debate surrounding cookie consent. Concerns are rising that individuals are being repeatedly asked for consent, potentially leading them to grant access to more personal data than they intend.

Government Considerations and Potential Changes

U.K. digital minister Oliver Dowden has criticized the “endless” stream of cookie pop-ups, indicating the government is exploring potential adjustments to consent requirements for web tracking. These considerations stem from a desire to diverge from European Union data protection standards following Brexit.

A Call for International Collaboration

Elizabeth Denham, the U.K.’s outgoing information commissioner, has urged G7 countries to collaborate on a unified approach. She proposes allowing users to express general privacy preferences at the browser, app, or device level, eliminating the need for repeated consent requests on each website.

Addressing Fatigue and Improving User Experience

Denham highlighted that many individuals are “tired of having to engage with so many cookie pop-ups,” leading to unintentional data sharing. She also acknowledged the burden these mechanisms place on businesses, citing costs and a potentially negative user experience.

The Need for a Coordinated Approach

With nearly 2 billion websites navigating global privacy preferences, Denham emphasized that a single country cannot resolve this issue independently. She called upon G7 colleagues to engage with technology firms and standards organizations to develop a coordinated solution.

Exploring Browser-Level Preferences

The ICO spokeswoman explained that the proposed solution involves shifting attention from individual websites to browsers, applications, and devices. Users could establish and update lasting, generic privacy preferences through these platforms, rather than encountering pop-ups on every website they visit.

The History of “Do Not Track” Signals

The concept of a browser-based “do not track” (DNT) signal is not new, dating back approximately a decade. Previous attempts to integrate user privacy preferences into browser settings were unsuccessful due to a lack of industry support.

A New Approach to Lasting Preferences

Denham’s advocacy for “lasting” preferences may differ from earlier DNT proposals, given her emphasis on collaboration with the tech industry and the development of “practical” and “business-friendly” solutions.

Potential for Profile-Raising or Genuine Change

The impact of this call for collaboration remains uncertain. Some speculate that Denham’s statement may be an attempt to elevate her profile before leaving her position as information commissioner.

Previous Attempts at Global Privacy Standards

Prior efforts to establish global privacy standards have also emerged. For example, a U.S.-centric tech-publisher coalition introduced the Global Privacy Standard (GPC), aiming to promote a browser-level signal to prevent the sale of personal data.

The Advanced Data Protection Control Proposal

European privacy group noyb proposed the Advanced Data Protection Control (ADPC), a technical solution for a European-centric browser-level signal. This would allow users to configure advanced consent choices aligned with the EU’s comprehensive data protection framework.

Substance Versus Profile-Raising

Denham’s call to the G7 appears to lack specific technical details or references to existing proposals. This raises questions about the substance behind the initiative and whether it is primarily focused on raising her profile.

The Core Issue: Lack of Enforcement

A fundamental challenge remains the lack of enforcement regarding breaches of cookie consent regulations, including by the ICO itself.

The Timing and U.K. Data Reform

The timing of Denham’s call coincides with the U.K.’s plans to “reform” domestic data protection laws post-Brexit, raising questions about potential opportunism and opacity.

Industry Reactions and Potential Outcomes

The adtech industry will closely monitor developments in the U.K., potentially welcoming amendments that allow websites to avoid obtaining explicit consent for data processing.

The ICO’s Role and Past Inaction

Critics point to the ICO’s past failure to address adtech abuse of data protection, despite acknowledging the sector’s lack of control. This inaction has contributed to the proliferation of cookie pop-ups and user fatigue.

Widespread Regulatory Failures

The lack of enforcement extends beyond the U.K., with many EU regulators also failing to address systematic abuse of data protection rules by the adtech sector.

France’s Proactive Approach

France’s CNIL has taken a more active stance, issuing significant fines to Amazon and Google for dropping tracking cookies without consent.

The Problem of “Faux Consent”

Many cookie pop-ups are considered “privacy theater,” appearing to comply with regulations while still enabling data collection. These pop-ups often fail to meet legal standards for consent, providing unclear information, penalizing rejection, or manipulating user choices.

The Risk of Weakening Standards

There is concern that the focus on “cookie fatigue” could be used as justification for weakening data protection standards, potentially benefiting the adtech industry at the expense of user rights.

The Need for Robust Enforcement

Laws like GDPR set high standards for consent, but robust enforcement is crucial to ensure compliance and promote privacy-respecting practices.

A Call for Systemic Change

The focus should be on addressing the systematic law-breaking that hinders innovation and disadvantages businesses that prioritize data protection.

The Potential for a Race to the Bottom

The U.K.’s potential divergence from EU standards could trigger a “race to the bottom” in privacy regulations among Western democracies.

The Importance of Protecting User Rights

Protecting user rights and promoting privacy-respecting advertising models should be prioritized over accommodating the interests of the adtech industry.

Addressing the Root Causes of Fatigue

The issue of cookie fatigue stems from widespread non-compliance and manipulative practices, not from the standards themselves. Regulatory failure has created a situation where users are constantly bombarded with intrusive pop-ups.

A Skeptical Outlook

Given the ICO’s past inaction, skepticism is warranted regarding its current call for action on cookie fatigue.

The Path Forward

Ultimately, addressing the cookie consent issue requires robust enforcement of existing regulations, a commitment to privacy-respecting innovation, and a rejection of attempts to weaken data protection standards.