Big Ben in the evening showing UK ICO proposal for cookie popups

UK ICO Commissioner’s Plan To Address “Endless” Cookie Popups Resembles Browser “Do Not Track” Initiatives

The United Kingdom has announced that it plans to take a “balanced” and more business-friendly approach to the regulation of personalized ad tracking in the wake of Brexit. Under pressure to more clearly articulate exactly what that means for user privacy in the country, outgoing Information Commissioner Elizabeth Denham has suggested a shift in focus from individual cookie popups at each website to regulation of browsers and devices as the source of expressing user tracking preferences.

The announcement immediately called to mind the failed “Do Not Track” initiative that struggled to find footing throughout the 2010s, and at this point considered essentially dead due to general failure to commit by the big tech firms that matter. But while some new initiatives of this nature have developed over the past two years and even gained some substantial support, Denham’s plan does not reference any of them. Given the vague terms and the fact that the commissioner’s term of office is about to end on October 31, there are questions about whether this plan is being taken at all seriously by other decision-makers.

UK government decries “plague” of cookie popups amidst overtures to business

The UK has essentially committed to ending cookie popups with digital minister Oliver Dowden’s comments on post-Brexit privacy reforms in August. The administration has signaled a significant deviation from the terms of the General Data Protection Regulation (GDPR) that had been in place until the beginning of this year, citing unrealized revenues from advertising (in the tens of millions of pounds) as one of its motivations. The primary appeal to the general public thus far has been the end of individual cookie popups used to collect consent at each website, which can become obnoxious with frequent browsing.

Denham built on this new direction by suggesting that regulation should be focused on the chokepoints at the receiving end — the user’s web browsers, devices and applications. Though Denham did not name the “do not track” (DNT) concept, her comments about “lasting privacy preferences” strongly suggest it as a basic model.

Failure of Do Not Track effort

Introduced in 2009 by a team of security researchers, the DNT concept proposed a standard HTTP header field that essentially served as a “signal” broadcast to all websites from the user’s browser. If the user had opted out of tracking in the browser settings, that would be automatically communicated to any site that they visited.

The problem with the concept was that it hinged almost entirely on voluntary adoption, and no regulatory enforcement teeth ever coalesced behind it. Initially popular, it was first voluntarily adopted by Firefox and then by most of the other major web browsers. The United States Federal Trade Commission (FTC) also signaled support for it in 2010. However, with no legal mandates behind it, websites were not bound in any way to respect the standard. “Ad blocking” software and browser extensions quickly became a more popular (and effective) alternative.

The DNT effort has broadly been considered dead in recent years, with a World Wide Web Consortium working group that had been developing a standard formally disbanding in 2018 and a number of major browsers and platforms dropping their support for it since. The concept is not entirely out of the picture, however. The Global Privacy Standard (GPC) has recently been taken up by some elements of the tech industry, and it essentially functions the same way but with incorporation of the terms of major international data privacy laws like the GDPR and California’s Consumer Privacy Act (CCPA). Some big names in both tech and publishing see it as a way to more efficiently ensure compliance with various data protection regulations, and a potential workable replacement to endless cookie popups.

Cookie consent issue

Denham’s cookie popup proposal made no direct reference to any of these things, however, only containing a very general appeal to the G7 countries to develop “technological solutions to the cookie consent problem.” An appeal to working something out is likely to be met with little confidence while the Information Commissioner’s Office (ICO) is still resolving a 2018 lawsuit against it for failing to take action on the data collected without consent by real-time-bidding (RTB) auction networks.

While ICO may not have anything to offer in terms of concrete workable plans at present, the “cookie fatigue” phenomenon it references has become something of a real issue. Not just in the UK but in the EU as well, there is increasing frustration as internet users are nagged by a mandatory compliance notice at every website that employs some component of a personalized ad tracking network (which is nearly all of them, or at least all of the big ones). This has led to some users simply agreeing to cookie popups reflexively without reading terms or becoming aware that more granular privacy choices are available to maintain access to the site without giving access to personal data, and some studies have found that many of these notices do not even strictly comply with regulatory requirements.

Outgoing UK ICO commissioner suggests that #privacy regulation for #cookie consent should be focused on the chokepoints at the receiving end — the user's web browsers, devices and applications. #respectdataClick to Tweet

Denham presented her cookie popup replacement idea to the G7 on September 8, but given that she has less than two months in office there is no real indication that anything will come of it.