Is cookie consent going to change in the UK?

Open Rights Group convened a stakeholder roundtable on the future of adtech and cookie consent requirements in the UK following the Information Commissioner’s Office (ICO) consultation on a new enforcement approach toward regulating advertising.

The ICO’s aim of unlocking “privacy-preserving alternatives to the dominant adtech business model” is positive but the risks from relaxing online tracking rules are high. If not done right, exempting cookies from consent requirements risks exposing Internet users to online harms, harmful advertising, and predatory targeting based on people’s addictions, vulnerabilities and state of anxiety.

Officials from relevant government departments and regulatory authorities joined up to discuss these plans with experts from civil society and the industry active in the field of privacy, consumer and children rights, advertising standards, and privacy-preserving tools.

Below is a summary of the discussion, which was held under Chatham House rules.

Online tracking: an offer we can’t refuse

When you visit a website, chances are that you will be asked to “accept cookies”. These are small pieces of information which, once stored in your computer, will allow the next website you visit to know that you were the same person. Also known as behavioural profiling, this technology powers modern online advertising: by keeping tabs of everything you read and watch online, online trackers will make an educated guess about who you are and what you’re interested in, then sell this information to thousands of other intermediaries and data brokers. Finally, advertisers use this information to decide if and how much to “bid” on your next visit to a website to show you their commercials.

This system, known as “real-time-bidding”, turned out to be a privacy nightmare, where your browsing habits are shared and traded within the online advertising ecosystem for the purpose of exploiting your political opinions, health status, sexual preferences, addictions, and vulnerabilities. To mention a few examples, behavioural targeting and profiling has been used to harass and put women who had an abortion under surveillance; to exclude women and BAME individuals from job and housing adverts; to target problem gamblers with gambling ads; to target mothers who just had stillbirth with baby ads, or to plain creep people out. It is also the system that powers the toxic Internet made of rage factories, radicalising content and filter bubbles: emotionally triggering content drives your engagement, which can then be tracked and sold as behavioural advertising, fuelling a vicious but profitable cycle.

Because of the high risks involved, UK data protection law requires you to consent before advertising cookies can be stored on your device and used to let advertisers track your behaviour across the Internet. Unfortunately, the ICO and other regulatory authorities’ tolerance toward non-compliance has denied us this right in practice, allowing the adtech industry to spam us with thousands of illegal cookie banners and turn online tracking into an offer we cannot refuse.

Exemption without enforcement won’t work

The ICO has launched a consultation on a “new approach” to regulating online advertising, with a focus on cookie consent rules. In their view, exempting less-invasive forms of online tracking from consent requirements would favour their commercial competitiveness against the dominant model of behavioural profiling and real-time-bidding. Participants discussed two main weaknesses with this proposal.

Firstly, the ICO’s failure to enforce consent rules puts advertising systems that do not track individuals at a disadvantage exempting a privacy-preserving advertising company from consent rules is hardly advantageous There is no incentive for privacy-preserving advertising if regulators are not punishing adtech providers who ignore or force us to consent to behavioural tracking via cookie banners, consent-or-pay requests or other forms of digital coercion. Advertising systems that do not track individuals already exist and operate. But the failure to enforce consent rules puts them at a disadvantage.

Secondly, consent rules are not the most important barrier to the emergence and profitability of privacy-preserving advertising technologies. Selling advertisements without personal data is often blocked by intermediaries who hold gatekeeping power within the real-time-bidding ecosystem, and who do not allow these offers to be traded as a matter of commercial policy. Whereas regulatory intervention would have the potential to push for behavioural change and lower these barriers, the sole focus of the ICO’s call for views on deregulating consent requirements does not leave space to address this issue.

The roundtable participants were skeptical about relaxing cookie consent requirements as a leverage to drive behavioural change within the industry. Rather, participants stressed the need for more effective and dissuasive action by the ICO to remove illegal advertising, enforce data protection standards within the adtech industry, and protect law-abiding market players from the unfair competition of adtech companies who violate our privacy.

Corporate capture at the ICO

The ICO says they “will continue to enforce consent requirements for collecting personal information for ad targeting and personalisation”. However, participants lamented that the call for views lacks detail over what technologies may be exempted from consent rules. In turn, individuals, independent experts and public interest groups were not given the opportunity to provide feedback about these plans and the risks these exemptions may create, nor to identify legal safeguards to mitigate such risks. Further, the call for views was designed to take into account the views of the adtech industry, thus increasing the likelihood of bias and over-representation of commercial interests over the rights of UK Internet users

These concerns should be seen within a broader context of corporate capture. A senior director of regulatory affairs at Google has been appointed to become Executive Director at the ICO. In the meanwhile, the ICO regulatory sandbox has been hosting Meta’s effort to develop a supposedly “privacy enhancing” system to track attribution of online advertisement. Finally, and as our investigation into LiveRamp shows, the adtech industry is not responding well to the ICO’s polite invitations to reform themselves, but are instead building even more invasive forms of online tracking which are then marketed as “privacy-preserving”. Indeed, Liveramp themselves claim to “have been working with the UK ICO for the last 2.5 years” as part of their “ongoing engagement with regulators to ensure LiveRamp delivers privacy-centric solutions”.

The adtech industry has shown hostility toward innovation and change, and has a long track record of ignoring if not abusing legal requirements to promote their own commercial interests. Yet their views are being given a prominent weight here.

ORG’s recommendations

1. The ICO should publish its findings from this consultation as a draft, and run a second round of consultations. This would allow all stakeholders to give feedback on concrete proposals rather than stated intentions, such as commenting on the wording of these exemptions and the provision or lack of appropriate legal safeguards.

2. The ICO should honour their commitment to never exempt any form of advertising that uses personal data to track individuals’ behaviour from consent requirements. We also recommend that the ICO narrowly defines any exemption to cookie consent rules, and provides suitable safeguards against misuse. These should, at a bare minimum, include an explicit prohibition against re-using personal data beyond the purpose the exemption is meant to enable.

3. The ICO must step up enforcement against traditional forms of online tracking and profiling. The adtech industry has proven over and over again to be hostile toward innovation, and unwilling to change their behaviour. Giving a carrot to law-abiding businesses will not cut through unless the ICO is ready to use their stick and remove illegal advertising from the market and punish those who violate the privacy of Internet users.