Europe Needs Browser-Level Cookie Consent Controls - Privacy Group

Automated Browser Signals Proposed to Tackle Cookie Consent Fatigue

European privacy advocacy organization, noyb, has unveiled a technical proposal for an automated browser-level signal. This initiative follows a recent campaign addressing widespread violations of the region’s cookie consent regulations.

Advanced Consent Choices for Users

The proposed system aims to streamline user control over data consent. It would allow individuals to configure advanced preferences, such as receiving cookie requests only after frequent website visits. Users could also create whitelists of sites where they wish to support quality journalism by allowing data usage for advertising.

This approach seeks to bypass the frustrating user experience created by manipulative consent designs. By automating consent decisions, interruptions would be minimized according to user-defined settings.

The Rise of Cookie Banners and Compliance Issues

Following a 2018 update to the EU’s privacy rules (GDPR), cookie consent banners proliferated, particularly on websites reliant on targeted advertising. These banners often present users with complex and opaque menus of “trusted partners” seeking data access.

Many current implementations are considered a mockery of genuine compliance, failing to provide the simple choice envisioned by the law. noyb’s ongoing campaign involves filing complaints against sites deemed non-compliant with requirements for clear and free consent regarding data usage for advertising.

Echoes of “Do Not Track” and Recent US Initiatives

This follow-up proposal, detailing how an advanced control layer could function, shares similarities with the “Do Not Track” proposals from 2009. However, those earlier efforts failed to gain industry-wide acceptance.

A more recent push in the U.S., spurred by California’s California Consumer Privacy Act (CCPA), aims to revive the concept of browser-level privacy control. The CCPA mandates businesses to respect user opt-out preferences signaled through their browser.

Granular Control and Alignment with EU Law

noyb’s version of browser-level control aims for greater granularity, aligning with the EU’s nuanced legal framework for data protection. It highlights Article 21(5) of the GDPR, which already permits automated browser signals to inform websites about user consent status.

The proposed ePrivacy Regulation, a delayed reform of the bloc’s electronic privacy rules, also includes similar provisions.

Potential Hindrances and the Role of Consent Management Platforms

Despite these legal foundations, development of such a signal has been lacking. noyb suggests that manipulative consent management platforms may have actively hindered privacy-focused innovation.

However, the organization believes momentum could build, citing Apple’s recent enhancements to user notification and control on iOS. These features allow users to track app tracking requests and easily deny all third-party tracking.

Extending Privacy Controls to Desktop Browsers

noyb questions why desktop users shouldn’t have access to similarly advanced privacy controls. EU lawmakers are currently debating the ePrivacy Regulation reform, and the group aims to demonstrate how automated control technology could address “cookie consent fatigue.”

Legal Binding and the ePrivacy Regulation

For automated signals to be effective, they must be legally binding, preventing adtech companies from ignoring them. A clear legal basis within the ePrivacy Regulation could facilitate this within a relatively short timeframe.

Concerns exist that the ePrivacy reform, stalled for years, could weaken the EU’s data protection framework due to industry lobbying. Negotiations are ongoing, and the final outcome remains uncertain.

Potential for Legislation and Browser-Level Control

The European Council has expressed a desire for companies to reduce “cookie consent fatigue,” potentially through browser-based whitelisting of cookie types and providers. This suggests a possible path toward legislating an effective browser-level control layer in Europe.

Introducing the ADPC: Advanced Data Protection Control

noyb has published a prototype and technology specification for the Advanced Data Protection Control (ADPC). The framework was developed in collaboration with the Sustainable Computing Lab at the Vienna University of Economics and Business.

The proposal envisions web pages sending privacy requests in a machine-readable format, with the ADPC transmitting responses via header signals or JavaScript. noyb compares the system’s intelligent query management and automatic responses to an email spam filter.

Max Schrems on the ADPC’s Capabilities

According to chairman Max Schrems, the ADPC goes beyond a simple “opt-out” to align with the EU’s legal framework. He states that the system is more flexible and specific than previous approaches.

“ADPC allows intelligent management of privacy requests. A user could say, for example, ‘please ask me only after I’ve been to the site several times’ or ‘ask me again after 3 months.’ It is also possible to answer similar requests centrally,” Schrems explained.

“With ADPC, we also want to show the European legislator that such a signal is feasible and brings advantages for all sides,” he added. “We hope that the negotiators of the member states and the European Parliament will ensure a solid legal basis here, which could be applicable law in a short time. What California has done already, the EU should be able to do as well.”

European Commission’s Response

The European Commission is currently assessing noyb’s ADPC proposal. An official stated that reducing the burden of cookie consent requests and avoiding “consent fatigue” is a key objective of the ePrivacy Regulation.

The official also emphasized the importance of respecting end-user control over their equipment and noted that the Commission is considering suggestions from stakeholders and experts.

The Future of Tracking Cookies and Alternative Adtech

Alongside these developments, the industry is exploring alternatives to tracking cookies. Google proposes replacing current adtech infrastructure with a “Privacy Sandbox” stack, claiming it will be more privacy-respecting.

However, Google’s plan is under scrutiny from antitrust regulators. The U.K.’s Competition and Markets Authority (CMA) is considering concessions that could prevent Google from disabling tracking cookies.

Concerns About Alternative Adtech and the Need for Control

Even if tracking cookies disappear, questions remain about the privacy implications of alternative adtech infrastructure. Google’s “Privacy Sandbox,” which targets ads based on user “interests” assigned through on-device analysis, has raised concerns about exploitative advertising.

Browser-level controls could allow users to opt-out of being placed in “interest buckets” for ad targeting, preferring contextual ads instead.

The Broader Context of Consent and Google’s Actions

The issue extends beyond cookies, as evidenced by Google’s decision to avoid initial trials of its tracking cookie replacement technology (FLoCs) in Europe. This highlights the complexities surrounding consent and data privacy.