Efforts to regulate online surveillance and secure the right to digital privacy have crystallized in the European Union in the shape of the General Data Protection Regulation (GDPR), and tightened guidelines for cookie control have been issued by both the British and French data protection authorities, the ICO and the CNIL.
In this post, we discuss several fronts of cookie control: the UK and French data protection authorities' updated cookie management guidelines; the record US fine against Facebook; the digital self-defense offered by privacy-friendly web browsers that block cookies; and cookie consent solutions, such as Cookiebot, that implement prior consent in order to comply fully with the GDPR and live up to the new guidelines on the ePrivacy Directive.
Let's dive in.
The Information Commissioner’s Office (ICO) is the data protection authority of the UK, and so the entity that enforces the GDPR and the national interpretation of the ePrivacy Directive into the UK laws called PECR.
PECR stands for the Privacy and Electronic Communications Regulations. They date from 2003 and are the national implementation of the ePrivacy Directive in the UK.
When it comes to a website's cookie management, the ICO has ruled that implied consent as we know it today – the soft opt-in that lets a website interpret its users' continued browsing as consent – does not meet the requirements for valid consent.
Instead, users must give affirmative consent to any cookies that are not necessary (or non-essential, as the ICO calls them), and it is the legal responsibility of websites to have a cookie manager in place that enables this for their users.
Pre-ticked boxes (or any equivalents) are not lawful to use on anything but necessary cookies, according to the new ICO guidelines. This means that preference, statistics and marketing cookies must abide by the same rules: they all need to be un-ticked and now require affirmative opt-in to be viewed as valid consent.
In other words, users must now choose to tick the boxes of preference, statistics and marketing cookies alike, in order for these categories of cookies to be activated.
The ICO guidelines now include that –
We are aware, here at Cookiebot, of the extraordinary situation of uncertainty that the UK finds itself in with regard to Brexit and the prospect of a no-deal scenario on October 31st, 2019.
In the previous May government’s withdrawal agreement, the GDPR would have been incorporated into UK law to sit alongside the British Data Protection Act of 2018. Whether this will be sought by the new Johnson government is unclear.
However, in a no-deal scenario the GDPR would no longer be binding law in the UK – except for websites that offer services to EU citizens – and it would be the Data Protection Act 2018 and the ICO's additional guidelines on cookie control and consent that would matter.
The European Commission has stated that if it deems the UK’s level of personal data protection essentially equivalent to that of the EU, it would make an adequacy decision allowing transfer of personal data to the UK without restrictions.
However, adequacy arrangements between the UK and EU could take years to be concluded, Brussels officials have warned.
Across the Atlantic, on the Eastern shores of the US, the Federal Trade Commission (FTC) is fighting its own fight against the abuse of user data in today’s surveillance capitalism.
As the American counterpart of the European data protection authorities, the FTC operates in a different climate altogether, since the US does not have a federal data privacy law akin to the GDPR, and so has no strict cookie control at an enforceable, federal level.
However, the FTC recently levied a record $5 billion fine against Facebook for its mishandling of user data in the Cambridge Analytica scandal. It is the highest fine ever imposed by the FTC, but only a fraction of Facebook's annual revenue of $56 billion. Part of the FTC's ruling was also to impose stronger oversight of Facebook's collection and handling of users' data.
Moreover, the FTC recently settled a multimillion-dollar fine against Google for data collection targeting children under the age of 13.
European data protection authorities have started collaborating on cross-border cookie control: for example, the Irish Data Protection Commission (which currently has 11 investigations open against Facebook) has met with government officials in Washington.
Even the European Commission has shared information with the FTC about its past investigations into Google.
A political movement in Washington, including a major presidential candidate, is advancing the idea of creating a 1,600-person data protection authority in the US in order to better regulate, and enforce against, the data duopoly of Google and Facebook.
This would bring cookie control in the US to a whole new level, as would a potential federal data privacy law.
The strictest data protection law that will cover cookie control in the US is shaping up to be the California Consumer Privacy Act (CCPA) that will take effect on January 1, 2020.
The CCPA grants consumers the right to request disclosure of the categories and specific pieces of personal information that a business has collected on them. It also grants consumers the right to request deletion, as well as the right to opt out of having their data sold to third parties.
The CCPA was signed into state law in June 2018 and will take effect on January 1, 2020.
The deadline for amendments to the law is September 13, 2019.
The CNIL's updated guidelines apply to all types of operations involving cookies and trackers on any type of device, and take effect after a grace period of around a year from now (approximately July 2020).
The CNIL is going the same way on cookie control as the British: it rules that the soft opt-in, or implied consent as it stands today – i.e. that continuing to browse a website after its cookie banner is displayed equals consent – is a thing of the past in France.
French website owners and operators must obtain affirmative, unambiguous and freely given consent before any non-necessary cookie or tracker can be activated.
With the ePrivacy Regulation looming in the near future, as we wait for it to pass and become uniform law in the EU, these sweeping changes to British and French cookie control indicate a new level of engagement from the data protection authorities and an increasing will to interpret the ePrivacy Directive in light of the GDPR – and its higher standards for what constitutes valid consent.
How the ePrivacy Regulation will look in its final form is yet to be seen, but both the British and French data protection authorities have made their opinions loud and clear. Whether the coming cookie regulations will be as strict as the ones now imposed by the ICO and the CNIL remains to be seen.
Digital self-defense is also an option that many people choose out of exasperation at the dismal state of privacy on the Internet today.
This type of digital self-defense is essentially a version of privacy protection where everyone has to fend for themselves, by downloading a browser that blocks cookies automatically.
The downside is that such browsers often break websites, because they block cookies that support the basic functions of a domain. This full cookie stop is the default mode of both Epic and Brave, whereas Firefox uses a tracker list from Disconnect to determine which cookies it blocks.
This digital self-defense is not a viable final solution to the privacy problems of surveillance capitalism, since most people don’t have the time or the technical skills to navigate the abundant market of privacy tools, browsers, VPNs or adblockers.
There is also another way to protect privacy in our digital infrastructures, one that does not require digital self-defense but instead puts the responsibility on the shoulders of website owners and operators, as the GDPR directs.
Cookie control through a cookie manager like Cookiebot is a technology that we – obviously – have put our weight behind and think of as a vital part of a sustainable solution for protecting privacy.
Using a consent solution that is specific to each website (delivered from the cloud and integrated seamlessly into a domain) not only prevents websites from breaking, because it lets them discriminate between different categories of cookies, but also holds the potential to be fully GDPR compliant and compliant with the new guidelines of the ICO and the CNIL.
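As an added illustration (written for this post, not Cookiebot's own code), here is a minimal prior-consent gate in JavaScript that implements the model described in the ICO section and in the paragraph above: the four categories named in the post are un-ticked by default, only an explicit opt-in activates a category, a "continued browsing" signal never changes the state, and untagged tags are blocked rather than treated as necessary. The tag list and its script names are constructed samples.

```javascript
// Added example, not Cookiebot's code. The four categories come from the post.
const CATEGORIES = ["necessary", "preferences", "statistics", "marketing"];

// Default state before any user choice: only "necessary" is on. Every
// non-necessary category starts un-ticked, so nothing is pre-selected.
function defaultConsent() {
  return { necessary: true, preferences: false, statistics: false, marketing: false };
}

// Record an explicit user choice. Only a literal boolean true counts as an
// opt-in; anything else (missing, "yes", 1, a scroll flag) leaves the category
// off, and "necessary" cannot be switched off since it needs no consent.
function recordConsent(choices) {
  const consent = defaultConsent();
  for (const cat of CATEGORIES) {
    if (cat === "necessary") continue;
    consent[cat] = choices[cat] === true;
  }
  return consent;
}

// A browsing event (scroll, click, navigation) must never act as consent:
// the state is returned unchanged, the event is deliberately ignored.
function onUserBrowsed(consent, _event) {
  return { ...consent };
}

// Gate: may a tag of this category run under the current consent state?
// Unknown or missing categories are blocked, never assumed necessary.
function mayActivate(consent, category) {
  if (!CATEGORIES.includes(category)) return false;
  return consent[category] === true;
}

// Constructed sample of tags a site might load, each marked with its category.
const SAMPLE_TAGS = [
  { src: "/session.js", category: "necessary" },
  { src: "/theme.js", category: "preferences" },
  { src: "/analytics.js", category: "statistics" },
  { src: "/ads.js", category: "marketing" },
  { src: "/mystery.js" } // untagged: treated as non-essential
];

// Return the sources of the tags allowed to run under the given consent.
function allowedSources(consent, tags = SAMPLE_TAGS) {
  return tags.filter(t => mayActivate(consent, t.category)).map(t => t.src);
}
```

Before any choice, `allowedSources(defaultConsent())` yields only `/session.js`; after `recordConsent({ statistics: true })` it also yields `/analytics.js`, while `/mystery.js` stays blocked until it is tagged.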
A website owner looking for cookie control can use Cookiebot to –
Cookiebot continues to deliver a real and sustainable consent solution in accordance with the GDPR, and we follow updated guidelines like those of ICO and CNIL closely.