Many of us find them intensely annoying, others simply click ‘agree’ without giving a second thought to what doing so means.
Cookie consent is now one of the most visible, and one of the most misunderstood, aspects of data protection law. If you spend any time browsing the internet, you’ll quickly find lots of different approaches. Some websites give you comprehensive choice on whether to accept cookies, others make it very easy to accept cookies but almost impossible to reject, and some have no information on cookies at all. What’s going on?
Despite these variations, the law is actually relatively simple. The widespread view that cookie banners are somehow all the fault of the EU’s General Data Protection Regulation is false. In fact, the most relevant legislation in the UK is the Privacy and Electronic Communications Regulations, or PECR for short.
To understand what the PECR says, we must first consider what cookies are intended to achieve. A cookie is simply a small text file created when you access a particular website. The information contained in this file can be used to recognise a user, to enable them to log in or access particular services, or provide functionality for the website, such as a shopping basket. These sorts of cookies are considered ‘strictly necessary’ for the website to function. And then there are other types of cookies which can be used to track your browsing habits or analyse your usage of the website. These may be very useful for the website and for advertisers, but they are not strictly necessary for the website to function.
We’re unlikely to see a change of approach from the UK’s new Information Commissioner, John Edwards. When appearing before a Parliamentary select committee he admitted that he simply clicks ‘yes’ when faced with cookie banners, “like everybody else”, and questioned whether they served any purpose. His view appears to be shared by the government, which has proposed changes to the PECR to allow websites to set non-essential cookies such as analytics without the need to obtain consent. But even this proposed change would not stretch to the most intrusive tracking cookies, for which prior consent will still be required.
So are cookie banners here to stay? In the short term, the answer is certainly yes. However, as technology changes then we may begin to see fewer of these pop-ups. Google has already announced that it will be phasing out the use of third party cookies on its Chrome browser by the end of next year, and there are signs that the online advertising industry is beginning to look towards alternatives to the use of intrusive tracking cookies. Of course, there remains a great deal of scepticism that alternative solutions will be any more privacy-friendly, but the era of third party tracking cookies may be coming to an end. Whether that’s good news or not depends on your point of view, but few will be sad to see the cookie banner consigned to the history books.