Ever since the EU’s General Data Protection Regulation (GDPR) came into being in May 2018, organizations around the globe have grappled with its correct implementation. So much so, nobody is offering “GDPR compliancy” certification. That says a lot in of itself. One of the most prominent changes that any internet user could not have failed to notice is the explosion in cookie walls and banners. Your experience is typically worse on a mobile device where screen real estate means that some banners take the whole screen.
To give this some context, the underlying reason for this is the requirement to gain consent for their use. You’ll be very aware that lawful, valid consent must be a freely given, positive action and as easily withdrawn as it was given. This is straightforward when dealing with activities such as marketing communication in which you either want to receive something or you don’t, but internet pages present a different challenge to web developers. The consent can’t be attributed to the individual user (since it’s unlikely the site will know who that individual is) so it needs to be time driven, either length of the session or X number of days/weeks/months. Websites have implemented this control with varying degrees of success, ranging all the way from completely unlawful right through to textbook examples. The differences we see are born out of differing interpretations and implementation views. Given that no consent cannot constitute refusal of product or service, those that deny access to the site unless you accept cookies you are either not understanding what consent is, or find it too difficult to manage denial of cookies, neither of which are acceptable defenses.
A great many organizations, especially those based outside of the EU, took a somewhat blanket approach and hence we’ve ended up with all of these banners and walls whereas, in reality, all that’s needed on the front end is a small form factor banner asking which cookies you’d like to accept, whether that be all, necessary only or a personal selection from the choice. Of course, back-end configuration is where most developers will see the challenge. If you’ve historically set everything up on the assumption the cookie is accepted, then suddenly having to make changes for those that do not could quite plausibly take considerable time and effort. If you employ third party tracking tools such as Google Analytics, additional complexities may have to be overcome also.
It is this tirade of cookie management intrusion that has led to constant consumer’s frustration and, ultimately, the UK government to re-think national data privacy strategy.
"Will the removal of cookies and the dilution of the consent processing principle be one step too far?"
UK Digital Secretary, Oliver Dowden, has the primary objective of ridding the UK of these cookie annoyances and has the new Information Commissioner, John Edwards, acting as mission lead. Now, I think everybody would agree that his intentions are good, but the question of impact and risk needs to be addressed.
In June 2021, the UK was awarded adequacy by the EU and it is of paramount importance that this remains in place if we wish to continue the transferring of data to the mainland without the complications of implementing additional measures such as standard contractual clauses (SCC), etc. In order to retain that, exactly how far can the UK drift from the EU GDPR framework? If we look at the national legislation of the current adequacy list, it might be suggested that some degree of derogation would be permitted, but they all strive to achieve the same end goals and ideals. Will the removal of cookies and the dilution of the consent processing principle be one step too far?
The UK is preparing its own version of SCC’s and its own list of adequate countries to accompany the legal reform. Are we perhaps isolating ourselves too much? The proposed list of UK adequate countries already conflicts with that of the EU, and their reaction to the fact is unknown. Locations such as the USA, Colombia and Korea will trigger closer scrutiny from our EU colleagues. Will the choice of adequate countries cast a shadow over the UK’s data privacy strength if it chooses to include countries on its adequate list which the EU does not deem to be so?
As you can see, there are two distinct schools of thought on this topic. Is this ‘the tail wagging the dog’ where legislative changes are being used to resolve an existing law implementation issue? Will it indeed resolve the issue? Maybe it’s more prudent to invest the time and monetary efforts to educate data privacy practitioners, web developers and other stakeholders on doing things better. Having that small banner asking about cookie selection and enabling browser tags to remember your choice for 12 months is perfectly acceptable and compliant. It’s easy enough to remove your cookies and reset your preferences. If this practice was widely adopted, then it is fair to say that government intervention in the law may not be necessary after all.