The UK’s Information Commissioner’s Office (ICO) has today called on data protection authorities from other G7 countries (Canada, France, Germany, Italy, Japan and the USA) to work together to find an alternative to online cookie consent pop-ups. Information commissioner Elizabeth Denham says that overhauling the current system will more meaningfully protect user privacy, and create a better web browsing experience.
“I often hear people say they are tired of having to engage with so many cookie pop-ups,” said Denham. “That fatigue is leading to people giving more personal data than they would like.”
Denham said that international cooperation provides the best hope of proposing practical alternatives to cookie pop-ups, rather than just setting laws unilaterally and waiting for publishers and tech companies to find solutions.
“There are nearly two billion websites out there taking account of the world’s privacy preferences,” she said. “No single country can tackle this issue alone. That is why I am calling on my G7 colleagues to use our convening power. Together we can engage with technology firms and standards organisations to develop a coordinated approach to this challenge.”
While the ICO plans to discuss exactly what these alternatives will look like with other G7 data protection authorities, the regulator has laid out its own preferences. The ICO says that in its own vision for the future, web browsers, software applications and device settings would allow people to set lasting preferences of their choosing, rather than having to consent on a site-by-site basis. But by coordinating with other G7 countries, the ICO hopes to find solutions that will work and be enforced internationally.
We’ve already seen international cooperation around cookie pop-ups, namely through the EU’s General Data Protection Regulation (GDPR). GDPR was designed in part to prevent cookie pop-ups from causing users to give away more data than they’d like, by mandating that users opt in to the use of their data, and giving them more control over who that data is shared with.
But even now, over four years after GDPR came into force, many websites’ cookie notifications remain unchanged. And for some of those who’ve changed their cookie pop-ups in light of GDPR, the mechanism has become even more cumbersome, with users having to click through multiple pages and toggles in order to register their preferences. Overall, the user experience remains frustrating.
Hugely consequential, despite shift away from cookies
In many ways, the ICO’s suggestions look like they’re trying to push the industry in a direction that it’s already heading.
Google’s decision to kill off third-party cookies in Chrome has forced the industry to look beyond cookies. And some of the alternative solutions for targeting users and measuring ad performance, such as those proposed within Google’s privacy sandbox, collect consent at the browser level – in line with the ICO’s vision.
But today’s announcement could still be hugely consequential for two reasons.
Firstly, although third-party cookies will become largely irrelevant once they’re killed off on Chrome, first-party cookies will remain an important piece of the advertising puzzle. And publishers will still have to ask for consent to drop first-party cookies when they’re used for non-essential purposes, including advertising. So while cookie pop-ups might become less complicated once third-party cookies are taken out of the equation, they’re unlikely to disappear entirely without regulatory action.
And with preferences set at the browser level, it’s possible that publishers would see lower opt-in rates to non-essential cookies, which could hamper their ability to collect first-party data. This could also affect some cookie alternatives, which use first-party cookies to store data on a site-by-site basis.
Secondly, the ICO seems to be targeting the user experience associated with cookie pop-ups, rather than cookie pop-ups themselves. So it’s very plausible that these same principles will be applied to consent mechanisms for cookie alternatives.
Again, many of these are designed to provide a more palatable user experience anyway. For example, Unified ID 2.0, one of the more popular solutions, lets users set their preferences once, with these preferences then saved and applied across different websites and devices.
But any solutions which aren’t in line with the ICO’s vision for the future might need a rethink.