“This website uses cookies. Please click here to accept.” We’ve all seen these sorts of pop-up messages, known as cookie banners, which appear whenever we visit a website we haven’t been to before.
Many of us find them intensely annoying, others simply click ‘agree’ without giving a second thought to what doing so means.
Cookie consent is now one of the most visible, and one of the most misunderstood, aspects of data protection law. If you spend any time browsing the internet, you’ll quickly find lots of different approaches. Some websites give you comprehensive choice on whether to accept cookies, others make it very easy to accept cookies but almost impossible to reject, and some have no information on cookies at all. What’s going on?
Despite these variations, the law is actually relatively simple. The widespread view that cookie banners are somehow all the fault of the EU’s General Data Protection Regulation is false. In fact, the most relevant legislation in the UK is the Privacy and Electronic Communications Regulations, or PECR for short.
To understand what the PECR says, we must first consider what cookies are intended to achieve. A cookie is simply a small text file created when you access a particular website. The information contained in this file can be used to recognise a user, to enable them to log in or access particular services, or provide functionality for the website, such as a shopping basket. These sorts of cookies are considered ‘strictly necessary’ for the website to function. And then there are other types of cookies which can be used to track your browsing habits or analyse your usage of the website. These may be very useful for the website and for advertisers, but they are not strictly necessary for the website to function.
For more than a decade, the PECR has required websites to tell users about their use of cookies and to obtain the prior consent of users before setting any cookies that are not strictly necessary. Consent in this context has the same meaning as in data protection law, so it must be a freely given, specific, informed and unambiguous indication of the individual’s wishes. And yet, websites are still failing to meet this straightforward consent requirement. Many do not offer a genuine choice for users, or make it all but impossible to reject tracking cookies.
Part of the reason why the consent requirement is so often ignored is down to an almost complete lack of enforcement. The UK’s Information Commissioner’s Office has the power to issue fines and enforcement notices for failure to comply with the PECR requirements, but has shown a reluctance to use its powers in respect of cookie compliance. This can be contrasted with elsewhere in Europe, where in December 2021 the French regulator issued fines of €60 million and €150 million against internet giants Facebook and Google for their failure to obtain appropriate consent for their use of cookies. The French regulator was particularly critical of the companies for making it much more difficult to refuse cookies than to accept them.
We’re unlikely to see a change of approach from the UK’s new Information Commissioner, John Edwards. When appearing before a Parliamentary select committee he admitted that he simply clicks ‘yes’ when faced with cookie banners, “like everybody else”, and questioned whether they served any purpose. His view appears to be shared by the government, which has proposed changes to the PECR to allow websites to set non-essential cookies such as analytics without the need to obtain consent. But even this proposed change would not stretch to the most intrusive tracking cookies, for which prior consent will still be required.
So are cookie banners here to stay? In the short term, the answer is certainly yes. However, as technology changes then we may begin to see fewer of these pop-ups. Google has already announced that it will be phasing out the use of third party cookies on its Chrome browser by the end of next year, and there are signs that the online advertising industry is beginning to look towards alternatives to the use of intrusive tracking cookies. Of course, there remains a great deal of scepticism that alternative solutions will be any more privacy-friendly, but the era of third party tracking cookies may be coming to an end. Whether that’s good news or not depends on your point of view, but few will be sad to see the cookie banner consigned to the history books.
Published in Business Matters – 25 January 2022