Cookie banners, explained

Cookie banners are hitting the headlines, as policymakers and activists across political divides seek to take action on them once and for all. Recently, the UK’s Secretary of State for Digital proposed stripping back the UK’s privacy safeguards, using “endless” and “pointless” cookie banners as the cover story, in a Telegraph “exclusive” which loaded over one thousand data harvesters onto the piece’s readers. And this week, the UK’s outgoing Information Commissioner has asked G7 nations to “join forces against cookie pop-ups”. Meanwhile, privacy advocate Max Schrems is waging war against “cookie consent terror”, and the Belgian Data Protection Authority may soon crack down on “cookie consent spam”.

Nobody loves cookie banners — we certainly don’t — and it’s also true that they are hitting a record low in popularity. However, the way out is a matter of debate. Let’s look at two recent proposals that leave much to be desired.

What’s the matter with cookies?

Cookies are small bits of information stored on your web browser which allow a website to link your activities to your device. They provide much of the essential functionality behind most web sites, such as keeping you logged in and remembering what’s in your shopping cart. However, someone realised that cookies could also be used to track your activities online and target you with advertising. Enter the surveillance advertising industry, the scourge of the Internet.

When an adtech company stores cookies on your browser to track and profile your activities across the Internet, they process personal data. This also happens to be unnecessary and highly intrusive for our privacy. As such, per data protection law, they are not allowed to do this by default, and must ask for your permission first.

Adtech companies, however, took that basic concept and exploited it. First things first, they heavily lobbied to acquire consent via cookie banners rather than by other, consumer-friendly means. Once they had it their way, they clogged the Internet with invasive cookie banners that you cannot ignore. Thanks to the deployment of dark patterns and deceptive user interfaces, it is often impossible to repel the exploitation of your privacy, either because there isn’t a “reject all” button or because your privacy has been obfuscated in a deliberate maze of options that defy logic, grammar, and human patience.

The Government’s proposal

As part of his vision for the UK’s post-Brexit privacy regime, Oliver Dowden proposes getting rid of consent notices for those websites which do not pose “a high risk to our privacy”. This suggestion must be understood in conjunction with the wider UK blueprint for data protection deregulation, where they plan to “place greater emphasis on the legitimacy of data processing”.

This proposal isn’t new. In the EU, the adtech lobby has long tried to undermine data protection laws and allow online tracking on the basis of legitimate interest — i.e., based on a company’s subjective assessment of why tracking you is in their own interest, rather than on the consent of the individual being tracked. This sleight of hand is how consent banners have reached new lows of double opt-ins, and often literally hundreds of manual opt-outs, for what may be your wish to read a single news article.

Aside from being controversial — and also very annoying — this form of consent is highly exploitative. Your online behaviour reveals highly intimate and sensitive information about you and the people around you. Its tracking and monitoring across the web, facilitated by the abuse of legitimate interest, puts you and the people around you at risk.

And yet, it is because of consent banners that we know about this exploitation of ourselves and of our data. Getting rid of consent banners without addressing the underlying abuses of legitimate interest, as well as other abuses of consent, is like getting rid of the batteries in the smoke alarm to stop the annoying beeping. We cannot get to grips with the systemic abuses of our privacy by simply hiding the evidence.

The Information Commissioner’s proposal

The outgoing Information Commissioner, the UK’s data protection regulator, is advancing a different proposal. In this model, you would be allowed to set universal privacy preferences through web browsers, software applications and device settings, rather than via cookie banners. If you have an Apple device, you have an example of how this system would work in practice: users can set their preferences with a simple yes or no option, and they can decide to deny consent to tracking on their iOS device once and for all.

Open Rights Group has long supported software settings designed to put us in control of our data, as opposed to cookie banners designed to put adtech companies in control of our choices. However, implementation is key, and there are a few reasons for concern.

First of all, this solution will require new legislation, and that will not be easy. Adtech companies also mocked a similar device-wide protocol — the Do-Not-Track signal — by simply ignoring it. In order to be effective, device and software-level user preferences need to be legally binding and enforceable against third parties. Additionally, any regulation in this direction should be wary of loopholes, and prohibit websites from forcing users to consent — for instance, by blocking access to contents or limiting functionalities.

Finally, it is worth considering that, if Oliver Dowden had it his own way, this would neutralise legally binding signals. Suppose websites can track individuals based on legitimate interest, or another legal basis, that allows processing based on the assessment of the service provider rather than your approval. In this scenario, having a user-friendly way of communicating your preferences will be of little use. It follows that the Information Commissioner’s proposal needs to be underpinned by a strict consent regime for data processing which is not technically necessary for the provision of online services.

The elephant in the room

In 2018, Open Rights Group lodged a complaint to the ICO against adtech practices. The ICO initially agreed with our findings, but then refused to take action and eventually buried our complaint. What’s worse, Government seems determined to enable the ICO’s hesitancy, and would introduce the statutory requirement to balance regulatory action against the adverse costs an offender would face.

Cookie banners are already illegal, and the ICO could already crack down on them without the need to present a “new vision” or wait for new privacy legislation. On the other hand, watering down ICO enforcement powers would also undermine the effectiveness of legally binding signals, which need to be enforceable against adtech companies and other third parties.

A different outcome is possible, though. ORG is taking the ICO to court, demanding enforcement of the law. By putting an end to abusers today, we can pave the way for a better Internet tomorrow.
