EU scheme to kill cookie consent still has doubters

The cookie pop-ups that relentlessly pester us for our consent are maddening interruptions that sour our online experience. But these wearisome warnings over tracking activity might finally be consigned to the trash can of browsing history after the European Commission announced its shake-up of personal data rules. At least if EU decision makers and tech industry groups can sort out their differences over the new proposals.

The plans were unveiled on January 10 as part of a wider overhaul of digital single market rules. Under the proposal, users would be able to set general preferences instead of giving consent to cookies and other device fingerprinting technologies on every website they visit. The Commission said the scheme, which would also remove banners for non-intrusive cookies, would help to tackle an “overload” of such requests to allow a site to remember user activity. “This way, people will be more in control of their settings,” said Commission Vice-President Andrus Ansip, who runs the Digital Economy and Society portfolio.

The 2009 e-Privacy Directive, or ‘Cookie Directive’, said websites had to include warnings telling users that cookies were being placed on their machine. These small tracking files that remember passwords and preload websites for faster browsing were seen as potentially dangerous at the time.

In the five years since the Directive actually came into force, users around the world have clicked billions of times on the popup banners that provide disclaimers on cookie policies, but with little to show any improvement in their privacy. It became a symbol of well-intentioned but ineffectual gesture regulation. In the overhaul, the Commission now effectively recognises that the popup was a waste of time.

The new proposal is now upgraded into the e-Privacy Regulation (and repeals the original 2002 Directive 2002/58/EC that the 2009 e-Privacy Directive modifies). It requires companies to get explicit consent from a user before being allowed to track their online activities. Users would set their consent on cookies through “software applications enabling accessing to the internet”, which could apply to both browsers and mobile apps. The overhaul would exempt innocuous cookies like visitor counters, but add most third-party trackers to the list of cookies that must be disclosed.

The proposal comes less than a year after the EU introduced the Privacy Shield, which also set rules for tech companies on data protection and privacy. It covers other areas, including tougher rules on how messaging services, such as WhatsApp, Skype, Gmail and Viber, track users.

It strengthens protections elsewhere, such as limiting cookie data storage to six months, requiring explicit consent for electronic marketing and accessing user metadata, and banning spam. And it says email services, such as Gmail and Hotmail, would not be able to scan emails to serve targeted ads without users’ explicit permission. The maximum penalties for companies that fail to comply would be a fine of up to €20 million, or 4% of annual global turnover, whichever is higher.

The benefits for end users are obvious: it gives them more control over how they are being tracked, and cuts down the annoying pop-ups.

But it’s not so clear for the industry: internet companies, telecommunications giants and advertisers have all voiced their concerns.

If users opt against allowing all but the least intrusive cookies, services like Facebook and Google could see their revenues affected by the shift, as targeted ads are a significant portion of their web income. The proposals mean that publishers, brands and anyone collecting or analysing data for advertising will have a few more hoops to jump through to gain consent. And even if they comply, it could still lead to more consumers blocking access to targeted third-party advertising.

CCIA, an industry group representing top tech firms like Google and Microsoft; EuroISPA, representing Europe’s biggest Internet service providers; and Digital Europe, which represents the European tech sector, have also warned that the proposal could bring incoherence and confusion with the General Data Protection Regulation (GDPR), which the Commission wants to come into effect at the same time as the ePrivacy regulation, in May 2018.

The Interactive Advertising Bureau, which lobbies for the €160 billion global online ad industry, says its viability is under threat: IAB UK policy chief Yves Schwarzbart warned that the measures “could put at risk the entire internet as we know it.”

Telecom companies have complained that they are still being “singled out” as the new proposal imposes a heavier compliance burden on them than over-the-top players when dealing with user-location data. ETNO, which represents most of the EU’s largest telecoms operators, and GSMA, the global trade body for the mobile phone industry, jointly said the approach hurts both consumers and innovation.

Nor does it mean that users will be free from pop-ups: they will still have to actively change the settings of every single device and app they use, and more actively deal with constant requests for permission for the use of harmless cookies when visiting websites and using other digital services.

All this suggests that, as is often the case in EU policy, there are always complications. While there is little doubt that cookie pop-ups were driving Europeans nuts, it’s not yet clear whether the planned replacement is any better.

Words Leo Cendrowicz & Elizabeth de Bony
Photos CC/Andrew Gustar
