Matic Štojs Lomovšek - stock.a

ICO in bid to end cookie pop-ups

Outgoing information commissioner Elizabeth Denham will call on her equivalents across the G7 group of countries to collaborate on an overhaul of cookie consent pop-ups

The Information Commissioner’s Office (ICO) will today call on data protection and privacy authorities from across the G7 group of countries to collaborate on an overhaul of website cookie consent pop-ups, with the intent of “more meaningfully” protecting web user privacy, and enabling businesses to provide a better web browsing experience.

At a G7 meeting to be held across 7 and 8 September 2021, the outgoing information commissioner Elizabeth Denham will present new ideas on how to improve existing cookie consent mechanisms.

Thanks to their rise to ubiquity across the internet under current privacy regulations, cookie pop-ups have become a lighting rod for online discontent, and when confronted with one, many people are disinclined to click through various menus to make choices about their browsing experience, preferring instead to simply select “I agree” and get on with their day. Denham said this means they were essentially giving up control over their personal data.

“I often hear people say they are tired of having to engage with so many cookie pop-ups,” said Denham. “That fatigue is leading to people giving more personal data than they would like.

“The cookie mechanism is also far from ideal for businesses and other organisations running websites, as it is costly and it can lead to poor user experience. While I expect businesses to comply with current laws, my office is encouraging international collaboration to bring practical solutions in this area.

“There are nearly two billion websites out there taking account of the world’s privacy preferences. No single country can tackle this issue alone. That is why I am calling on my G7 colleagues to use our convening power. Together we can engage with technology firms and standards organisations to develop a coordinated approach to this challenge.”

The ICO’s “vision” for the future of cookies will enable users to set lasting privacy preferences of their own choosing, rather than having to make choices via pop-ups whenever they visit a website. The regulator believes this solution will ensure people’s privacy preferences are respected, and the amount of personal data they share is minimised, while at the same time improving the overall web experience, and making things easier for website owners too.

Read more about cookies and adtech

It said such a solution was already technologically possible, and would be compliant with data protection law, but wants the G7 authorities – Canada, France, Germany, Italy, Japan and the US – to club together to encourage and influence the tech sector to develop it and roll it out.

“The digital world brings international opportunities and challenges, but these are currently being addressed by a series of domestic solutions. We need to consider how the work of governments and regulators can be better knitted together, to keep people’s trust in data driven innovation,” said Denham.

The ICO’s proposals drew immediate criticism from Jim Killock of the Open Rights Group (ORG), an organisation devoted to digital privacy and freedom of speech.

“The simple fact is that most cookie banners are unlawful, and the data collection behind them is, as her [Denham’s] own report states, also unlawful,” said Killock. “If the ICO wants to sort out cookie banners then it should follow its own conclusions and enforce the law.

“We have waited for over two years now for the ICO to deal with this, and now they are asking the G7 to do their job for them. That is simply outrageous.”

“Unlawful” practices

The ORG is calling for automated signals to ask not to be tracked, but Killock said the group does not see this as a replacement for halting the “unlawful” practices of online adtech providers.

ESET’s Jake Moore said: “Dealing with cookie choices on every single website has led people to look for the easiest way to bypass them, which is often by giving away more personal data that the user may have wanted to offer. Such information is used, stored, shared and profited from by these companies; many people are still not able to take this intrusion seriously due to how difficult some sites make it for their users to choose how their data is captured.

“Whilst the G7 looks into orchestrating a worldwide approach to safely choosing what data sites can and can’t see, there are other ways in which users can protect their data and anonymise any tracking online. To reduce sensitive data being abused, private browsing is available and using a VPN will limit the extent to which sites can track and profile you as a web user.”

The G7 meeting, which will be joined by the Organisation for Economic Cooperation and Development (OECD) and the World Economic Forum (WEF) is aligned with a wider G7 initiative, dubbed Data Free Flow with Trust. At the two-day session, each G7 data protection authority will present a specific tech or innovation issue on which they would like to see closer cooperation across the group.

Read more on Privacy and data protection

Data Center
Data Management