ICO’s call for G7 collaboration on cookie pop-ups raises questions

The UK privacy watchdog has called on fellow G7 data protection authorities to coordinate on tackling cookie consent pop-ups – but questions remain about the commission’s focus and how the measures might work in practice.

UK Information Commissioner Elizabeth Denham today said she would lobby other G7 data protection authorities to implement technical solutions that would allow people to set lasting privacy preferences through their web browsers, software applications and device settings, rather than having to respond to individual pop-ups.

“I often hear people say they are tired of having to engage with so many cookie pop-ups,” Denham said. “That fatigue is leading to people giving more personal data than they would like.”

The Information Commissioner’s Office (ICO) said the approach is “already technologically possible and compliant with data protection law”. It believes the other G7 data authorities – in the US, Japan, Canada, Germany, Italy and France – could play a major role in convincing the industry to build alternatives that emphasise privacy.

“There are nearly 2 billion websites out there taking account of the world’s privacy preferences. No single country can tackle this issue alone,” Denham said.

Denham will soon step down as Information Commissioner; current New Zealand privacy chief John Edwards is set to take over. While announcing that Edwards was the UK digital ministry’s preferred candidate, minister Oliver Dowden unveiled a post-Brexit data policy that signalled a shift away from the EU’s GDPR framework.

Dowden also took aim at “endless” cookie pop-ups, which he considers “pointless bureaucracy”. While rules around cookie pop-ups precede the GDPR, there is overlap – particularly around gaining user consent when processing personal data.

Analysis

Rohan Massey, a partner at Ropes & Gray, said today’s announcement was aligned with details that have emerged about the UK’s new data strategy.

“It is positioning the UK’s approach as quite clearly separate from that of the European Union, so it will be interesting to see what gravitas that has, on the basis that the UK is looking to establish new relationships with a lot of other jurisdictions other than the European Union,” Massey said. 

“The UK is looking for flexibility in its approach to data protection while underpinning the regime that it has, which follows good data protection principles. But it seems to want to have them applied more flexibly so that there’s a greater focus on end results rather than requirements to follow exact administrative and technological steps,” he said. “If you can get the same result – ie protection of personal data, protection of individuals’ rights – isn’t that the better output than saying you’ve followed GDPR or another legislation to the letter?”

Massey also said individual cookies’ lifespan should be taken into account in light of Google and Apple’s repositioning of online trackers, which is prompting the development of new technologies. “The question is: is this coming a little bit too late from the regulators?”

Phil Lee, a partner at Fieldfisher, said it was “a nice idea, but likely to prove a very tall order in practice.”  

“Of the G7 countries, France, Germany, Italy and the UK have all been subject to cookie consent laws for over a decade and, in that time, have failed to achieve a consistent, harmonised regulatory approach to cookie consent across the EU and UK,” Lee said, noting that implementing cookie consent standards was particularly likely to meet “fierce resistance” in the US, which lacks a federal privacy regime.

Lee said cookie consent “is a deceptively simple idea that continues to prove infuriatingly difficult to get stakeholders to reach agreement on.” He pointed to the ongoing debate about the treatment of cookies under the draft EU ePrivacy Regulation as an example.

“The principle is straightforward – ask someone for consent whenever you access or store information on their device unless the access is ‘strictly necessary’ to provide a service they have ‘explicitly requested’ – but implementation is much harder,” he said.

Lee said that without “very careful thought and balanced regulation”, there can be unintended negative consequences, such as impairing data collection necessary to combat fraud. 

“With all that said: big things don't happen without big ideas, so I'd be delighted to be proven wrong,” he said. “However, I'm not yet convinced the policymakers have a sufficiently strong understanding of cookie consent complexities to reach the kind of alignment proposed here.”

Tim Hickman, a partner at White & Case, said: “It is curious that the ICO has done this at a G7 level – it’s obviously a different approach. Because what the EU had done is say: ‘These are our rules and we’re just going to enforce them globally’. Whereas the ICO seems to be saying: ‘No, we need to get together with a bunch of jurisdictions that have fundamentally different approaches on these issues and try to come up with a uniform solution.’”

Hickman said this was a good idea in theory, but pointed to the length of the negotiations around Schrems II on the narrow issue of transfers of personal data from the EU to the US. “I think getting the whole of the G7 to take a uniform approach to cookies is probably going to take a lot longer than that,” he added.

Hickman also pointed to the fact that it’s unclear whether the European regulators would even be able to change rules around cookies, as they are bound by the GDPR, as well as divergent approaches to privacy within the G7.

“I suspect the challenge here is going to get everyone to agree on a high-level concept, but even if that is achieved, it will be: ‘How do we actually ensure that this is uniformly enforced?’” Hickman said. 

Jon Baines, at Mishcon de Reya, said: “It's notable that the commissioner is identifying this as an important policy area, and one with global implications, but it is difficult to see how the issue of cookie notices and pop-ups can possibly be addressed without robust attention and enforcement being given to underlying questions about the legality of the cookies, and the adtech economy, themselves.”

Baines noted that there was no mention of the ICO’s ongoing investigation into aspects of adtech, and it was unclear whether it was connected to today’s announcement.

“What also stands out is the lack of any reference to the laws which apply in this area” – primarily the ePrivacy Directive, GDPR and UK GDPR. “Is the Commissioner indicating that the laws have failed? And, if so, might we see new UK laws in this area – thus risking divergence from the EU?”

Eliot Bendinelli, a technologist at Privacy International, said: “More importantly, consent banners are part of a larger online tracking ecosystem that aims at profiling people.” He added that “cookie banners are only the tip of the iceberg.”

“This said, we appreciate that G7 data protection authorities are collaborating to tackle this issue by proposing alternatives and solutions such as system level settings, but we are wary of how such a solution might be developed and implemented,” Bendinelli said. 

“Default settings can be a double-edged sword if not explained clearly or presented to users in a thoughtful way,” he said. “Finally, dealing with the consent banner won't necessarily fix the larger problem created by online tracking.”
