Would you like a cookie – or are you absolutely fed up of being asked?
When the government published its proposals for striking new data-protection plans in the UK, all eyes were on cookie consents – those annoying pop-ups that appear in the foreground on many websites, asking whether you will accept cookies, tiny bits of text that can be used to track things about you, including:
- what you do on the site
- whereabouts in the world you are
- what device you are using
- where you go online afterwards
The companies behind the sites use this information for a number of reasons – ad targeting being a huge one.
But it also, they say, gives you a more bespoke version of the site.
If it knows you look at lots of technology news, it can serve you up more – and less about gardening, for example.
If you choose not to enable cookies, it can mean the site has no other way of storing this choice, leaving you to opt out every visit.
But now, the government wants to limit these cookie consents – suggesting instead a one-stop data-privacy setting applied at browser level.
Google tried something similar years ago, a “Do not track,” header – but it was not legally enforceable, users could not check to see whether sites were respecting it and it has largely been dropped. A note on the Mozilla developer pages advises against using it.
The more privacy-focused technology giant Apple gives owners of its products regular reports about how many sites and apps are trying to track them.
But like it or loathe it, tracking and data gathering has become the way in which a “free-to-use” internet is funded – by content providers who can turn it into advertising revenue.
Even for those who fundamentally disagree with cookies, it has become a wearying war of attrition. “Yes, you can have my damn cookie!” tweeted a despairing Elon Musk.
Many critics say the pop-ups in their current form are pointless. A 2019 study found most cookies were “not compliant with EU privacy law”.
But the TechUK trade association says there are “outstanding questions” around exactly how the UK’s alternative would work, suggesting more consultation is needed.
And privacy campaigners the Open Rights Group are outraged it might involve opting out of tracking, rather than opting in, saying this wrongly places the onus on individuals preventing, rather than permitting, their online lives being monitored.
The Data Reform Bill is an attempt to move away from what the government calls the “red tape” of Europe’s General Data Protection Regulation (GDPR) legislation – most of which has been adopted into British law.
The GDPR puts enormous weight on protecting the privacy and data of individuals, with steep penalties for non-compliance, but cookie consent is not covered.
The Data Reform Bill also proposes:
- removing the requirement for small and medium-sized businesses to employ data-protection officers and conduct thorough impact assessments of data-gathering activities
- allowing the Information Commissioner’s Office, which currently has to investigate every data-protection complaint it receives, to, according to commissioner John Edwards, “be more flexible and target our action in response to the greatest harms”
- widening data access for public services and research – currently, if you consent to your health data being used in a particular Covid 19 study, for example, similar future studies have to ask again for your permission
All this can be done without reducing Britain’s data-protection “gold standard”, the government says. It could save businesses £1bn over 10 years and remove “box-ticking” exercises.
Culture Secretary Nadine Dorries calls it “cementing post-Brexit Britain’s position as a science and tech superpower”.
But so far, reaction has been mixed, with industry broadly more supportive than privacy campaigners.
TechUK – which worked with the government on the proposals – calls them “a welcome package”.
“The reforms… find a good balance between making the UK’s data-protection system clearer, more flexible, and more user friendly to researchers, innovators, and smaller companies,” chief executive Julian David says.
But the Open Rights Group calls the bill a “bonfire” of rights.
“At a time when personal data can be leveraged to do all sort of wrong things, depicting data protection as a burden is wrong, irresponsible and negligent,” it said.
Meanwhile, the lawyers are looking at how the proposals may affect the passage of data between the UK and the EU.
Vinod Bange, of law firm Taylor Wessing, says his initial response was “relief” there was no entire rewrite of existing policy.
But he adds: “The most impactful changes for UK organisations will be the unintended consequences, so changes that could derail the current data-flow adequacy with the EU will be the ones to watch.”
Nothing is likely to change overnight – the bill first has to trundle its way through Parliament – but expect much more debate in the coming months.