That's the way the cookie banner crumbles?

That’s the way the cookie banner crumbles?

Elizabeth Denham, current head of the Information Commissioner’s Office (ICO), the UK’s data protection watchdog and the organization tasked to ensure that businesses comply with the country’s strict data protection laws, is said to have met with her counterparts in the G7 nations on Tuesday to tackle the issue of cookie banners.

According to the BBC, during this online meet up, each member country “will raise a technological problem they believe can be solved with closer co-operation.” Denham has decided to put cookie banners—and by association, cookie fatigue—on the table.

“No single country can tackle this issue alone,” Ms. Denham has said in an official ICO statement.

However, instead of a sigh of relief, the sudden unearthing of this apparent age-old problem stirred criticism from several privacy advocates.

Cookie fatigue is the result of having to read (or ignore), and then click on a cookie banner every time you use a new website. This is required by EU law and is designed to give users insight into, and control over, how and when a website records information about them. While doing this complies with law, the after-effect is that users grow “tired” of having to repeatedly confirm consent, according to Denham. Because of this, she had the idea of suggesting that users should be able to indicate levels of consent once, at the browser, application, or device level.

Not only will this stop cookie fatigue, but “people’s privacy is more meaningfully protected and businesses can provide a better web browsing experience.”

The strong suspicion is that people are simply selecting the “I agree” option whenever they’re presented with a cookie pop-up, without reading the fine print. This, then, causes Internet users to give more of their personal data away than they’d like.

“The cookie mechanism is also far from ideal for businesses and other organisations running websites, as it is costly and it can lead to poor user experience,” Denham said in the statement.

“There are nearly two billion websites out there taking account of the world’s privacy preferences. No single country can tackle this issue alone. That is why I am calling on my G7 colleagues to use our convening power. Together we can engage with technology firms and standards organisations to develop a coordinated approach to this challenge”, she said.

Cookie fatigue has been around for some time now. But, arguably, Denham’s solution for the cookie problem isn’t new either. It resembles the ill-fated “Do Not Track” (DNT) feature that almost made it into browsers several years ago. Natasha Lomas remarked in a TechCrunch article that Denham’s idea “could be called the idea that can’t die because it’s never truly lived—as earlier attempts at embedding user privacy preferences into browser settings were scuppered by lack of industry support.”

Malwarebytes Labs’ editor-in-chief disagrees with the comparison: “Do-not-track was certainly a victim of industry politics, but it’s hard to imagine how it would ever have worked—it was designed to fail. It was the technical equivalent of asking nicely, with no way of knowing if your tracking preferences had even been heard, nevermind complied with. There is no reason that a browser-based or app-based consent mechanism has to be based on such weak sauce. It was the implementation that failed, not the idea.”


Lomas isn’t alone in her criticisms against the ICO. Johnny Ryan, a senior fellow at the Irish Council for Civil Liberties (ICCL) and former Chief Policy Officer (CPO) of Brave, called Denham’s idea “daft” in a tweet.

Because the UK is no longer in the EU it is free to diverge its privacy regulations from the EU’s General Data Protection Regulation (GDPR), and the nuisance of cookie banners is just one thing under consideration.

Ryan contends, as does Lomas, that the UK could have addressed the cookie pop-up problem before it left the EU.

Open Rights Group (ORG) Executive Director, Jim Killock, said that the ICO should be doing more.

“If the ICO wants to sort out cookie banners then it should follow its own conclusions and enforce the law,” Killock said. “We have waited for over two years now for the ICO to deal with this, and now they are asking the G7 to do their job for them. That is simply outrageous. We fully support their call for automated signals, but in the meantime they should enforce the law, which is their job.”