Tech firms need to help fix the web's cookie chaos, says data privacy chief

But critics argue the UK's data protection watchdog should just enforce the law itself.
Written by Liam Tung, Contributing Writer

The UK's privacy watchdog has called on its G7 peers to do something about website cookie consent pop-ups that became unavoidable after the EU's General Data Protection Regulation came into force.   

The UK's Information Commissioner Elizabeth Denham is raising the cookie consent issue at a meeting with G7 authorities today and plans to present a "vision for the future" where browser users can more meaningfully consent to cookies than current methods. 

The Information Commissioner's Office (ICO) wants G7 members to pressure tech giants to create browsers, software applications and device settings that "allow people to set lasting privacy preferences of their choosing, rather than having to do that through pop-ups every time they visit a website." 

See also: The Privacy Paradox: How can businesses use personal data while also protecting user privacy?

It argued that many people just click "I agree" to the pop-ups to quickly access the content they want to view. But by people doing so, the ICO argues it means they don't have meaningful control over their personal data.   

"There are nearly two billion websites out there taking account of the world's privacy preferences. No single country can tackle this issue alone," said Denham in a statement

"That is why I am calling on my G7 colleagues to use our convening power. Together we can engage with technology firms and standards organisations to develop a coordinated approach to this challenge."

The G7 includes the UK, USA, Canada, Japan, Germany, France, Italy, and the EU. This year, the UK presides over the G7 alliance. 

Many people think cookie consent forms are annoying and research has shown the consent forms aren't giving consumers a meaningful choice. 

A 2020 study found that most cookie consent forms don't comply with Europe's GDPR rules. The researchers also pointed out European data protection authorities (DPA) aren't enforcing compliance.

Most websites use third-party consent-management platforms (CMPs) to comply with cookie consent rules. Many of these services sidestep GDPR and eDirective requirements for consent to be explicit and instead include implicit consent. 

Some EU DPAs have taken action to enforce EU cookie consent rules. In December, France's data privacy watchdog CNIL fined Google and Amazon €100 million and €35 million, in relation to the use of cookies on website visitors' devices. 

Privacy rights group Privacy International highlighted why CNIL's decision to fine Google was valid: "As the CNIL rightly held, the fact that the user was left with no option but to scroll down a pop-up window, get past five other irrelevant links, to finally be able to click on a link to a cryptically-named "Other Options" banner was not clear enough."

See also: The CIO's new challenge: Making the case for the next big thing

But the UK-based Open Rights Group slammed the ICO's appeal to G7 nations to tackle cookie pop-ups and said instead the ICO itself should take action. 

It called on the ICO to follow its own conclusions and enforce the law.

"We have waited for over two years now for the ICO to deal with this, and now they are asking the G7 to do their job for them," it said.    

But the ICO thinks its appeal to fellow G7 privacy watchdogs will make a difference. "The ICO believes the G7 authorities could have a major impact in encouraging technology firms and standards organisations to further develop and roll out privacy-oriented solutions to this issue," it said. 

Editorial standards