Judging by the number of calls and the intensity of the discussions about how to comply with the cookie consent requirement in a post-GDPR world, this issue has become a top worry for organisations and data protection officers. Partly due to the visibility of the mechanisms used to collect this consent, and partly due to the potential implications of operating a website without cookies, the dilemma around what solution to deploy has become a serious business decision. Different business stakeholders are often at odds with each other and matters are getting escalated to decision makers who had never been involved in the technically complex and largely misunderstood world of cookies. The tension is rising and yet, no approach has emerged as the preferred one among all involved. So everyone is getting anxious to find a way to do what they have always done and comply with the law. Is this panic justified?
Over the years, the rule and its exceptions seem to have provided enough room for manoeuvre for the use of all types of cookies without much drama. At least regulators have largely tolerated the widespread use of cookie technologies for all kinds of purposes, as long as there was some visible notice on the screen explaining that cookies were being deployed and those who bothered about it could go deeper before proceeding. Enter the GDPR, and the climate change resembles the shrinking of the ice shelves: dangerously ignored, but more evident by the day. The generally accepted and often abused practice of ‘implied consent’ appears to be falling out of favour. Given the reinforced standards for valid consent under the GDPR – which are applicable to all consent requirements under the wider European privacy framework, including the existing ePrivacy Directive and the national implementing legislation – implying consent from simply using a website is certainly a risky strategy, so something else must be done to be in a position to demonstrate compliance.
The challenge is that the emerging alternatives do not seem very palatable. An increasingly popular ‘Plan B’ is to resort to the unappealing ‘cookie wall’ – a sort of electronic bulky bouncer blocking access to a website. Bypassing this barrier may only involve clicking on a digital button, but even that simple step is understandably regarded as unideal from a user experience perspective. However, the real drawback of this approach is that it may not even amount to free consent – at least that is the position of regulators who see ‘take it or leave it’ choices as directly in conflict with the new era of freely given consent. This is likely to become one of the fiercest legal battles under the GDPR, because on the one hand the affirmative action and the clear choice are certainly there, but on the other, that choice is not in the spirit of the consent nirvana sought by policy makers and regulators.
There is one thing that businesses and regulators are searching for: creativity. Businesses struggle to understand what they perceive as a nonsensical requirement, which limits their ability to use technology in ways that they see as beneficial for the users themselves. So the search for an innovative solution to this conundrum is becoming increasingly urgent. Regulators argue that they are not responsible for the problem and that it is for businesses to use their imagination and technological innovation to find a way forward. Some of that creativity should probably also be applied by legislators, who are in the middle of the process of adopting a new ePrivacy Regulation that is meant to inject some common sense and balance into the situation.
At this stage, what is clear is that there is no silver bullet. A degree of flexibility in assessing how necessary cookies are to the functioning of the internet is definitely needed. This means that uses of this technology that are innocuous for people’s privacy should be accepted as part of our digital evolution. Uses of cookies for behavioural profiling need to be analysed in a wider context. Personalising a website to suit someone’s perceived interests is not the same as depriving internet users of content that has the potential to change someone’s life. For this reason, compliance with this rule needs to be adaptable to each case. Businesses, policy makers and regulators need to engage with each other, understand their respective points of view and be open to new ideas.
This article was first published in Data Protection Leader in June 2018.