Is GDPR recharging cookie notice popups?
Will all websites soon greet users with interrupting, blocking pop-ups that require reading a consent form and clicking “I agree” before the site can actually be used? Will we all be expected to click through tons of them? Let’s look at the worst-case scenario, and how we may be arriving there.
European regulations mandate that most sites need to inform their users if user data is processed. In the most commonly understood and practical terms, this means that websites need to seek consent prior to setting browser cookies. This requirement is de facto universal in the European Union and is the mechanism for “doing something” about consent for data processing.
The effectiveness of consent is increasingly limited, as demonstrated by affairs such as Cambridge Analytica. At the same time, there is still an understanding that some form of awareness and consent framework needs to exist, even with the practical limitations of consent in mind. Some “regulatory” tools still need to exist (“compliance”), and so far one of these tools is consent. But from a user perspective, however limited consent is as an effective tool, it’s best to design systems well. Think in terms of “what is sane”, rather than “what can we achieve by simply showing the users a consent box”.
I previously analyzed the case of GDPR consent here. Recently, the Working Party 29 (the body providing guidance on GDPR interpretation) released its final guidance. My analysis stands.
Cookie notice popups - recharged?
However, WP29 reaffirmed one important statement:
“Controllers should design consent mechanisms in ways that are clear to data subjects. Controllers must avoid ambiguity and must ensure that the action by which consent is given can be distinguished from other actions. Therefore, merely continuing the ordinary use of a website is not conduct from which one can infer an indication of wishes by the data subject to signify his or her agreement to a proposed processing operation.”
Until recently it was often regarded that simply displaying a cookie notice, followed by the user’s continued web browsing, meant (implied) consent.
But the outcome of the three sentences quoted above is that consent most likely cannot be treated as “implied” merely on the basis of continued web browsing.
How did we get here?
Universal cookie popups are widely seen as ineffective, interrupting and annoying. This is why the European Union wanted to relax these requirements with a new ePrivacy Regulation (read more here: 1, 2, 3). The original aim was to adopt it on the same day as GDPR - 25 May. This won’t happen, and the adoption date is not even clear.
So, soon data privacy rules on the web will be governed by both the old ePrivacy Directive and GDPR at the same time, with GDPR taking precedence. GDPR is consent-specific, so it is not surprising that Working Party 29 says there is no way “implied consent” can get you compliant for sure.
But the end result in the medium term may be websites blocking browsing until the consent notice is read and accepted.
How to fix this mess
Two simple steps.
Consent design
Running a website? Design smart consent mechanisms. Most of the issues with consent notices are due to the fact that not much thinking went into them. So instead of thinking “we need to do something, and there is a JavaScript library that pops up a box”, go with “let’s think about how to make it work”. This will pay off in the long term and improve the general Web ecosystem.
Finalize ePrivacy
ePrivacy will be the specialized regulation complementing the GDPR. It places significant emphasis on consent, and the recent version of the draft endorsed by the European Parliament supports consent management mechanisms (“Tracking Preferences Expression”). This would greatly simplify consent, since web browsers could then simply show users standardized information.
But finalization of ePrivacy won’t happen soon. Why? There will still be a lot of discussion, for example because the Council of the European Union appears to be on a collision course with the European Parliament by pursuing other avenues, such as: removing end-to-end encryption, removing web browsers as the gatekeepers guarding users’ security and privacy, introducing advertising cookies as sometimes legitimate, and reaffirming the use of user data in political PR during campaigns (let’s admit that the timing of both of these is eccentric). You can find the recent progress here.
Web browsers - deploy TPE
Web browsers should consider deploying the latest Tracking Preferences Expression specification, in a way that supports the existing and future requirements of GDPR and ePrivacy (admittedly difficult now). It seems that the only browser somewhat supporting the modern mechanisms is Microsoft Edge.
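To make the "distinguishable action" point concrete on the server side, here is an added example (not code from the original post or from any browser vendor) of how a site can combine the Tracking Preferences Expression signals with its own consent record: the `Tk` response header and the tracking status resource come from the TPE specification, while the request shape, the session id, the in-memory consent store and the `consent-click` action name are assumptions for the illustration.

```javascript
// Tracking status values defined by TPE for the Tk response header and the
// tracking status resource: N = not tracking, C = tracking with consent.
const TK_NOT_TRACKING = 'N';
const TK_CONSENT = 'C';

// Hypothetical in-memory consent store keyed by an opaque session id.
// A record is created only when the user performs the dedicated action.
const consentStore = new Map();

// Record consent given by a distinguishable action (the "I agree" click).
// Anything else, e.g. scrolling or navigating, is not treated as consent.
function recordConsent(sessionId, action) {
  if (action === 'consent-click') {
    consentStore.set(sessionId, { grantedAt: Date.now() });
    return true;
  }
  return false;
}

// Decide how to answer one request: which Tk value to send and whether any
// non-essential (tracking) cookies may be set. Assumed request shape:
// { sessionId, headers: { dnt } }.
function decideTracking(req) {
  const dnt = (req.headers.dnt || '').trim();
  // DNT:0 means the user agent conveys a preference to allow tracking on this
  // site (a user-granted exception); this example chooses to honour it as consent.
  const browserGranted = dnt === '0';
  const siteGranted = consentStore.has(req.sessionId);
  // With no signal at all, continued browsing is NOT inferred as consent.
  const allowed = browserGranted || siteGranted;
  return {
    tk: allowed ? TK_CONSENT : TK_NOT_TRACKING,
    // Constructed sample cookie; only emitted once tracking is actually allowed.
    setCookies: allowed ? ['analytics_id=abc123; Secure; SameSite=Lax'] : [],
  };
}

// Body served at /.well-known/dnt/ (the TPE tracking status resource) so that
// browsers and auditors can read the site's default behaviour without being
// tracked. "/privacy" is an assumed path to the human-readable policy.
function trackingStatusResource() {
  return { tracking: TK_NOT_TRACKING, policy: '/privacy' };
}
```

The decisive property is that `decideTracking` answers `N` and sets no cookies both for an explicit `DNT: 1` and for a request carrying no signal at all; only the recorded click or a browser-granted exception moves the response to `C`.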