Why have cookies become such a muddle?

October 2021

What are the challenges and what next for cookie compliance

Some history

It is 10 years since the original EU Directive was adopted which gave individuals the right to refuse the use cookies that reduced their online privacy.

Back then, people talked a lot about “implied consent” which meant that gaining consent from individuals didn’t seem so hard. Pre-ticked boxes were everywhere. 

Roll on 10 years and two major changes have occurred:

1. The explosion of programmatic advertising which makes heavy use of third-party cookies to segment and target individuals.

2. The introduction of GDPR which strengthened the level of consent required to use cookies. This must be freely given – no more pre-ticked boxes!

The ICO “cookie” guidance

To support the introduction of GDPR level consent, the ICO published its “cookie” guidance in 2019. In this context, “cookies” is short for cookies and similar technologies.

In this guidance it was made clear unambiguous consent was required for all cookies except essential cookies (i.e. the ones that make your site work properly). 

To be clear, this meant tools such as Google Analytics required consent to process an individual’s data.

Rather unhelpfully, at a macro level, the rather benign anonymised Google Analytics data was bundled together with the rather less benign collection of data carried out by the large Ad Tech providers to target advertising. 

For those wanting to use anonymised analytics data there was a caveat in the guidance which stated: 

The ICO cannot exclude the possibility of formal action in any area. However, it is unlikely that priority for any formal action would be given to uses of cookies where there is a low level of intrusiveness and low risk of harm to individuals. The ICO will consider whether you can demonstrate that you have done everything you can to clearly inform users about the cookies in question and to provide them with clear details of how to make choices. 

For example, the ICO is unlikely to prioritise first party cookies used for analytics purposes where these have a low privacy risk, or those that merely support the accessibility of sites and services, for regulatory action. 

I’ve had a few conversations with clients about whether data processed by Google Analytics is first- or third-party data. I’m inclined to say it’s the former. It’s not used for anything else by Google and they clearly indicate they are a data processor in this capacity. 

In addition, the ICO guidance, made clear that inviting users to set cookie preferences in their browser was not considered adequate. 

To put it mildly, businesses were surprised by the hard-line approach taken by the ICO. It wasn’t as if the ICO were slavishly following their EU counterparts – some of the ICO guidance was stronger!

The business response

The upshot was a large swathe of websites became non-compliant overnight, and two years later you will still find a range of approaches to presenting cookie consent. There are four main types:

1. Do nothing: A site has no cookie notice or preference centre at all – increasingly rare but still occurring and clearly non-compliant.

2. Simple cookie notice: A cookie notice plus guidance to setting cookie preferences in the users’ browser. Deemed not compliant by ICO but still used by many.

3. Accept all cookie notice: A cookie notice delivered by a tech provider which sets out the different categories and encourages users to accept or manage their preferences.

4. Accept or Reject cookie notice: A detailed cookie notice, usually provided by a tech provider which sets out the different categories and encourages users to accept, reject or manage their preferences.

There are other permutations – some websites have pre-ticked boxes in the manage preferences section, some websites set cookies before the preferences have been set, the list goes on.  

In short, it’s a muddle and it seems businesses have largely taken a risk-based approach to decide how far to go.

This is obviously dependent on the importance of cookies to each organisation. It’s noticeable that some online retailers have taken quite a flexible view whilst others in highly regulated sectors are tending to be much stricter. 

Are consumers complaining about it? 

From a consumer’s perspective, their main gripe is that they see a wall of cookie notices which they largely ignore in order to get to the website.

However well-meant, the cookie rules have not served their purpose. No one appears to read them. 

There is a further less obvious problem – consumers don’t really understand what they’re signing up for.

There has been plenty of discussion about third-party cookies and how data is widely used for targeting advertising in a non-compliant manner. To date, very little has been done to address those concerns despite the ICO’s ongoing investigation into AdTech. 

Furthermore, if we look at the ICO log of cookie complaints, it remains pretty low at around 450 per quarter in 2021 although it’s increased from around 300 per quarter in 2019. 

Will ePrivacy make any difference? 

It is possible the ePrivacy regulation will soon come into force as negotiations are creeping towards a conclusion. There are a couple of points in this regulation that would certainly help clear the cookie muddle:

1. Allowing for other paths to consent via whitelists in browsers.

2. Allowing limited analytics.

However, as UK is no longer part of EU it’s not necessarily the case that we’ll adopt the new regulation. Having said that, we’ll need to create something to update the very old PECR regulation. The pragmatists amongst us might be minded to adopt ePrivacy when it’s approved. 

What about Elizabeth Denham’s intervention with G7?

In September, Elizabeth Denham attended the G7 summit to call on countries to work together to tackle cookie pop-ups.

In particular, she wanted to have a coordinated approach to enforcement to ensure nefarious activities didn’t go unchecked. 

It’s not entirely clear what she was seeking to achieve. After all, the ICO has come in for quite a lot of criticism not least because GDPR/PECR already provides the necessary legislation for enforcement action but, so far, no-one has been fined. 

And now, the Government reform proposals?

DCMS also highlighted the cookie issues with their data reform proposals highlighting two options:

  • Permitting organisations to use analytics cookies and similar technologies without the user’s consent. In other words, treating them in the same way as ‘strictly necessary’ cookies. It’s worth noting that this proposal is included in the most recent EU ePrivacy draft. (It’s accepted further safeguards would be required to ensure this had a negligible impact on user privacy and any risk of harm. It would also not absolve organisations from providing clear and comprehensive information about cookies and similar technologies).

or

  • Permitting organisations to store information on, or collect information from, a user’s device without their consent for other limited purposes. An example given is that this could include processing necessary for the legitimate interests of controllers where the impact on privacy is likely to be minimal.

What does this all mean?

  • Sooner or later, something will happen although it’s not entirely clear who will make the first move – ePrivacy or UK government reforms seem the likeliest. 
  • The ePrivacy Regulation will eventually be approved and would address some of the muddle. It would make sense, but its adoption in the UK may become a largely political decision. 
  • In the meantime, it seems that users consider cookies a nuisance rather than really causing any harm.
  • Arguably the main cookie culprits are those using cookies for “nefarious” activities and are collecting third-party data. With Google stopping support for third-party cookies in 2023, this problem effectively goes away.
  • Businesses could help themselves. Many set cookies every time you visit a website. There is no rule to say that it’s required every visit and the barrage would be diminished if a sensible time frame was agreed. 
  • There is silence from the ICO when it comes to enforcement. Now that Covid is becoming less of an issue perhaps a few fines might make people comply?