ICO proposes unspecified mechanism to overhaul endless cookie banners

Denham will propose a mechanism that would allow people to set lasting data privacy preferences within their browsers, apps and device settings, rather than having to manage pop-up cookie banners for every website they visit.

“I often hear people say how tired they are of having to engage with so many cookie pop-ups,” said Denham. “That fatigue is leading to people giving more personal data than they would like. The cookie mechanism is also far from ideal for businesses and other organisations running websites, as it is costly and it can lead to poor user experience.

“While I expect businesses to comply with current laws, my office is encouraging international collaboration to bring practical solutions in this area.”

She will raise the issue during a virtual meeting with leaders from the US, France, Germany, Canada, Japan, Italy, the OECD and WEF. Each representative will suggest a technology or innovation issue on which they believe closer international cooperation is required.

Denham has indicated that a smoother mechanism for consent is already technologically possible and compliant with data protection regulations. No further detail was given on the mechanism, which was simply described as “an idea on how to improve the current cookie consent mechanism, making web browsing smoother and more business friendly while better protecting personal data”.

She said: “There are nearly two billion websites out there taking account of the world’s privacy preferences. No single country can tackle this issue alone. That is why I am calling on my G7 colleagues to use our convening power. Together, we can engage with technology firms and standards organisations to develop a co-ordinated approach to this challenge.”

Cookie pop-ups are used to secure consent to data collection and storage, as required under GDPR. Denham is among those to argue that the repetitive process of declining or accepting should be replaced by a less draining alternative.

A proposed HTTP header field, 'Do Not Track' – which allowed users to opt out of tracking by websites – was supported by several browsers after it was proposed in 2009, although it was not standardised or legally mandated and it did not receive significant industry support or uptake.

Last year, a coalition of US-based internet companies presented a new Global Privacy Control header in accordance with GDPR and the California Consumer Privacy Act, although this has also seen only limited support.

The Information Commissioner’s Office has not responded to media requests for more specific detail on the proposed mechanism.

According to research, the vast majority of cookie pop-ups undermine GDPR and do not meet the legal standards for consent. They often make the process of securing data privacy tedious or unappealing, using “dark patterns”. Privacy campaigners and researchers have argued that data regulators should primarily focus their efforts on stamping out these practices.

The digital secretary Oliver Dowden commented that post-Brexit data privacy reforms would be focused on “common sense, not box ticking” and has specifically criticised the “endless” barrage of cookie pop-ups. Although no specific policies have yet been announced, Dowden himself has indicated preference for as “light a touch” as possible with regards to data regulation without watering down of data protections.