HL Chronicle of Data Protection Privacy & Information Security News & Trends
Posted in International/EU Privacy

Cookie Consent Is the New Panic

Judging by the number of calls and the intensity of the discussions about how to comply with the cookie consent requirement in a post-GDPR world, this issue has become a top worry for organisations and data protection officers. Partly due to the visibility of the mechanisms used to collect this consent, and partly due to the potential implications of operating a website without cookies, the dilemma around what solution to deploy has become a serious business decision. Different business stakeholders are often at odds with each other and matters are getting escalated to decision makers who had never been involved in the technically complex and largely misunderstood world of cookies. The tension is rising and yet, no approach has emerged as the preferred one among all involved. So everyone is getting anxious to find a way to do what they have always done and comply with the law. Is this panic justified?

As it happens, the law that requires consent for the use of cookies and similar technologies has not even changed. Since 2009, the EU ePrivacy Directive (2002/58/EC) has been the reason for all those website banners and notices that somewhat annoyingly are telling us that by using a website we agree to the use of cookies. Ironically, the article in the ePrivacy Directive that creates this obligation does not even mention cookies. The requirement concerns the storing of information or the gaining of access to information already stored in someone’s terminal equipment. Website cookies are definitely caught, but so are many other bits of data that can be extracted from a device – whether this is a computer, a smartphone, a watch, a car, a pair of shoes or a toaster. As with so many other data protection obligations, the general rule is subject to some exceptions. In this case, there are two: one covering the mere transmission of a communication and the other, the necessary use of this practice to provide an internet service explicitly requested by the user of the device.

Over the years, the rule and its exceptions seem to have provided enough room for manoeuvre for the use of all types of cookies without much drama. At least regulators have largely tolerated the widespread use of cookie technologies for all kinds of purposes, as long as there was some visible notice on the screen explaining that cookies were being deployed and those who bothered about it could go deeper before proceeding. Enter the GDPR, and the climate change resembles the shrinking of the ice shelves: dangerously ignored, but more evident by the day. The generally accepted and often abused practice of ‘implied consent’ appears to be falling out of favour. Given the reinforced standards for valid consent under the GDPR – which are applicable to all consent requirements under the wider European privacy framework, including the existing ePrivacy Directive and the national implementing legislation – implying consent from simply using a website is certainly a risky strategy, so something else must be done to be in a position to demonstrate compliance.

The challenge is that the emerging alternatives do not seem very palatable. An increasingly popular ‘Plan B’ is to resort to the unappealing ‘cookie wall’ – a sort of bulky electronic bouncer blocking access to a website. Bypassing this barrier may only involve clicking on a digital button, but even that simple step is understandably regarded as less than ideal from a user experience perspective. However, the real drawback of this approach is that it may not even amount to free consent – at least that is the position of regulators who see ‘take it or leave it’ choices as directly in conflict with the new era of freely given consent. This is likely to become one of the fiercest legal battles under the GDPR, because on the one hand the affirmative action and the clear choice are certainly there, but on the other, that choice is not in the spirit of the consent nirvana sought by policy makers and regulators.

There is one thing that businesses and regulators are searching for: creativity. Businesses struggle to understand what they perceive as a nonsensical requirement, which limits their ability to use technology in ways that they see as beneficial for the users themselves. So the search for an innovative solution to this conundrum is becoming increasingly urgent. Regulators argue that they are not responsible for the problem and that it is for businesses to use their imagination and technological innovation to find a way forward. Some of that creativity should probably also be applied by legislators, who are in the middle of the process of adopting a new ePrivacy Regulation that is meant to inject some common sense and balance into the situation.

At this stage, what is clear is that there is no silver bullet. A degree of flexibility in assessing how necessary cookies are to the functioning of the internet is definitely needed. This means that uses of this technology in ways that are innocuous for people’s privacy should be accepted as part of our digital evolution. Uses of cookies for behavioural profiling need to be analysed in a wider context. Personalising a website to suit someone’s perceived interests is not the same as depriving internet users of content that has the potential to change someone’s life. For this reason, compliance with this rule needs to be adaptable to each case. Businesses, policy makers and regulators need to engage with each other, understand their respective points of view and be open to new ideas.

This article was first published in Data Protection Leader in June 2018.