After years of inaction against adtech, UK’s ICO calls for browser-level controls to fix ‘cookie fatigue’ – TechCrunch

The UK's data protection chief has endorsed a browser- or device-level setting that allows Internet users to choose permanent cookie preferences. This is in response to the constant stream of consent pop-ups infesting websites throughout the region.
European web users who are trying to digest this change in a monotonously unchanging regulatory story should be forgiven for their sense of déjà vu and for asking themselves if they haven't been gaslit enough regarding cookie consent.

Oliver Dowden, the UK's digital minister, took aim at what he called an interminable parade of cookie pop-ups. This suggests that the government may be looking to reduce consent requirements for web tracking. Ministers are examining how to deviate from European Union data protection standards post-Brexit. (He will present the whole of the government's data reform plans later in the month, so keep an eye out.)

Elizabeth Denham, the UK's current information commissioner, spoke out today to ask her counterparts from G7 countries to get together to discuss the idea of web users being able to express their privacy preferences at the browser/app/device-level, instead of having to do so through pop-ups each time they visit a site.

Denham released a statement in which she announced an idea that she would present to fellow G7 privacy and data protection authorities this week. The idea was on how to improve the cookie consent mechanism, make web browsing more user-friendly and protect personal data. People are giving out more personal information than they want because of this fatigue.

Businesses and other organizations that run websites should not use the cookie mechanism. It is expensive and can result in poor user experience. My office encourages international collaboration in order to find practical solutions.

Nearly two billion websites exist that take into account privacy preferences around the world. This issue cannot be tackled by one country alone. This is why I'm calling on my G7 counterparts to harness their collective power. She added that we can all work together with standards organizations and technology companies to find a common approach to this problem.

When asked for further information on the idea, an ICO spokesperson rephrased it as follows: instead of trying to effect change through almost 2 billion websites, the idea was that regulators and legislators could focus their attention on the browsers, apps, and devices users use to access the internet.

Instead of clicking through consent on a website's level, users can express their privacy preferences via browsers, software programs, and device settings. This allows them to update and set preferences at a time that suits them, rather than having to visit each site.

A browser-baked Do Not Track (DNT) signal isn't a new concept. This idea is more than a decade old. It could even be called the "idea that can't die" because it has never been truly alive, as previous attempts to embed user privacy preferences in browser settings were stopped by lack of industry support.

Denham's approach to lasting preferences may be different from DNT. She calls for other regulators to get involved with the tech industry and its standards organizations to come up with practical, business-friendly solutions to the cookie pop-up problem in the regional Internets.

This call may not result in a consensus that is practical or simply pro-industry. It is possible that something might be.

Today's press release could be just Denham trying to raise her profile as she is about to leave the chair of information commissioner. (Never miss an opportunity to network internationally.) Her counterparts from the USA, Canada, Japan, France, Germany and Italy are scheduled for a virtual chat today and tomorrow. She implies that she will try to engage them with her big ideas.

Her replacement in the UK, however, has already been lined up. Unless Denham is able to jump into a similar role at another G7 data protection authority, anything she currently champions at the end of her ICO chapter may be lost.

Denham is not the only one to pitch for a reconsideration of cookie consent mechanisms, even though she was the first to do so in recent years.

For example, a US-centric coalition of tech publishers released a Global Privacy Standard (GPC), which aimed to create momentum for a browser-level pro-privacy signal that will stop the sale of personal data. It was geared towards California's Consumer Privacy Act (CCPA), but could also be useful for other Internet users.

They announced that 40M+ people were using a browser or extension which supports GPC in January. A number of major publishers also signed up to honor the initiative. It is fair to say that its global impact has been limited.

The European privacy group noyb has published a technical proposal to create a European-centric automated browser-level signal. This would allow regional users to make advanced consent choices and enable the EU's more comprehensive (vs CCPA) legal framework for data protection.

Noyb co-authored the proposal with the Sustainable Computing Lab of the Vienna University of Economics and Business. It is called Advanced Data Protection Control (ADPC). Noyb called for the EU to create such a system, suggesting that there is still time for lawmakers to do so. This could be a sign of a window of opportunity.

There are some examples of how practical, more efficient and still pro-privacy consent mechanisms could look. Denham's remarks today don't reference any existing proposals or mechanisms.

(When we asked the ICO for more information on her advocacy, its spokeswoman did not cite any technical proposals or implementations, either historical or contemporaneous. She stated only that the G7 data protection authorities could have a significant impact on stimulating the development of technological solutions to the cookie consent issue.)

Denham's call to G7 seems a bit low on substance and high on noise.

In any event, the real elephant in the room is the absence of enforcement regarding cookie consent violations including by the ICO.

The question of how the UK will reform domestic laws in this area (post-Brexit) is another pressing concern, making Denham's timing seem opportune. It is difficult to understand the meaning of Denham's call as anything but opportunistically unclear at this point.

The UK's data protection reform will be closely watched by the adtech sector. It would be cheering loudly if the UK allows websites to use Brits' personal data without asking permission.

That would certainly be mission accomplished after all these years of cookie-fatigue-generating cookie consent non-compliance by surveillance capitalism's industrial data complex.

Although it is not clear where the UK government will go, eyebrows should be raised by the ICO's statement today that it expects compliance with (current) UK law. This comes after it has repeatedly failed to address the adtech industry's role in cynically causing cookie fatigue by failing to take any action against systemic breaches.

The glaring fact is that the ICO has avoided dealing with adtech data protection abuses for many years, despite publicly acknowledging that this sector is wildly out-of-control.

Instead, it chose to engage (read: appease) in a cringing manner that has left UK Internet users to suffer from cookie pop-up hell.

The regulator is being sued because it failed to act on a long-standing complaint about security abuses of people's data in real time bidding ad auctions without any evidence.

However, the ICO is not the only one to do so.

The EU regulators have failed to address systematic abuse of data protection rules in the bloc by the adtech industry. There are a lot of complaints, such as this one against IAB Europe's self-described transparency and consent framework, that are still working, painstakingly, through the many regulatory processes.

France's CNIL was probably the most active in this field last year, slapping Amazon.com and Google with $120M and $42M fines, respectively, for dropping tracking cookies without consent. (CNIL has not only taken on domestic adtech before you accuse it of being anti-American.)

However, in Ireland, where many of the adtech companies are located, the lack of enforcement against this sector has allowed for cynical and manipulative consent pop-ups and/or meaningless consent to proliferate while investigations have failed and EU citizens have been forced into a consent experience that is now being (re)branded cookie fatigue.

Yes, even though the EU's General Data Protection Regulation (GDPR) came into effect in 2018, bolstering (in theory) consent standards.

The privacy group noyb has filed scores of complaints about cookie consent violations to force EU regulators. It also finds the time to present a technical proposal that could reduce cookie fatigue and not undermine data protection standards.

This is a shining example that action has not been enough to get the EU's regulators to take action on cookies. The bottom line is that EU citizens still need to consent to cookies being used, even though there has been some high-level discussion about the need for action about these annoying pop-ups.

While GDPR increased legal risk on paper, it is still a paper tiger without proper enforcement. It is also very tedious to push around lots of paper.

The majority of cookie pop-ups in the EU are privacy theatre. They create friction for web users, who have to respond to nags for data (typically to try and deny access repeatedly if they can find a reject setting).

Even worse, many of these ubiquitous pop-ups actively undermine the law (as numerous studies have shown), because they do not comply with the legal standard for consent.

The cookie consent/fatigue story is actually one of fake compliance that's being enabled by an enforcement vacuum. This vacuum now encourages the weakening of privacy standards due to such unpunished flouting.

This is an important lesson.

Fake consent pop-ups are easy to find when you surf the ad-supported Internet in Europe. They fail to give users clear information about how data will be used, or to offer people the option to refuse tracking without being punished (such as no/limited access, or giving them the impression that they must accept to access the content). They can also manipulate a person's choice by making it easy to accept tracking, but much more difficult to refuse.

Sometimes, you will still find cookie notices that do not offer any choice to users. They just pop up to inform them that they consent to their data being processed. This is unless the cookies are essential to the provision of the website. (Europe's highest court has made it clear that consent is required for non-essential cookies.)

However, it is easy to mistake cookie consent notices for Europe's data protection law. It seems that it demands all these meaningless consent popups which only gloss over a background data grab.

These manipulative patterns should have been stopped years ago by regulators.

Regulator failure is leading to political posturing. The ICO is now doing a double-back! Regulative pushes around the notion that some newfangled mechanism will remove all of this inconvenient friction.

Noyb's ADPC is a great idea to address the many operational problems that surround the EU's cookie consent rules. We are sceptical about the ICO offering a quick fix, as the regulator that has failed so dramatically over the long-running complaints.

The notion of cookie fatigue seems to be suspiciously conjured up. It is used as a convenient scapegoat for consumer frustrations with hated online tracking towards high privacy standards and away from commercial data-pipes. This aligns with the UK government's post-Brexit data priorities.

Worse, the whole consent pantomime that the adtech sector has engaged in aggressively to maintain a privacy-hostile model in spite of enhanced European privacy laws could end in real tragedy for user rights if standards are cut to appease law mockers.

Regulators and politicians should be angry at the systemic law-breaking that has hampered privacy-respecting innovations and non-tracking business models, and made it more difficult for businesses that don't abuse people's data to compete.

Regulators and governments should not try to undermine the principle of consent. It is now possible, at least in the UK.

GDPR sets high standards for consent and, if they are enforced rigorously, could result in reform of highly problematic practices such as behavioral advertising mixed with the out-of-control scale of programmatic advertising.

We should be seeing privacy-respecting advertising as the norm and not an option at random.

Publishers have been unable to take action against adtech breaches and instead, they are not being motivated to change bad practices or end the annoying consent charade that keeps pop-ups popping up, sometimes with long lists of data-sharing partners (i.e. if you actually click through the dark patterns, it will help you understand what this claimed choice is).

This is not only a waste of time for web users, but it also presents the possibility of politically charged regulators deciding all this friction justifies giving data mining giants carte blanche to torch user rights if they intend to get the G7 to send a collective invite to the tech sector to come up with practical alternatives. All because authorities like the ICO are too risk averse in protecting users' rights.

Dowden's comments last month suggested that the UK government might be using cookie consent fatigue to cover up its inability to lower domestic data protection standards.

The ICO's statement of today does not suggest that it would prevent such a move.

The UK government is now outside the EU and has stated that it believes there is an opportunity to deregulate domestic data protection. However, it could find it difficult to comply with EU standards.

Denham's call to G7 includes some EU countries (the largest economies in the bloc), but she is also targeting these countries to encourage regulators to reach out to other jurisdictions without a comprehensive data protection framework. If the UK attempts to lower its (EU-based), high domestic data protection standards, it will put downward pressure on international aspirations to this area, as a counterweight for the EU's geopolitical ambitions of driving global standards up.

This is because there is an increasing awareness of the importance and security of online privacy, data protection, and information security.

Any UK attempt to lower data protection could also put pressure on the EU's high standards in this area. The regional trajectory would not be up, but down. This could give support to EU lobbyists who argue that such standards are detrimental to the global competitiveness and sustainability of European businesses.

Cookies or cookie fatigue might seem like a small issue, but the stakes in this tug-of-war over people's rights to what happens to their personal information are extremely high.