SHARE

November 30, 2021

ICO Looking to G7 Countries to Consider Solution for Cookie Pop-Up Fatigue

You've Reached Your
Free Article Limit This Month
Register for free to get unlimited access to all Law.com OnPractice content.
Register Now

On 7 September 2021, the UK's data protection authority, the Information Commissioner's Office (ICO), announced that it will call on the G7 data protection authorities during virtual meetings on 7 and 8 September to "work together to overhaul cookie consent pop-ups, so people's privacy is more meaningfully protected and businesses can provide a better web browsing experience".  The G7 data protection authorities represent the UK, Canada, France, Italy, Japan, the U.S., and Germany.

As a reminder, privacy laws state than when non-essential cookies or other tracking technologies are used on platforms such as websites, the individual using the platform should provide their consent before these non-essential cookies are used.  Non-essential cookies are often used for advertising or analytics purposes, and collect varying degrees of personal data, some considered significantly more "privacy intrusive" than others.  To comply with such laws, businesses generally incorporate cookie banners and pop-ups on their platforms which appear when an individual first visits the platform.

According to the announcement, the ICO is concerned that people are actually providing more personal data than they would like to due to "cookie fatigue"; essentially, this is when individuals are subjected to so many cookie pop-ups that they would rather just select the "I Agree" or "Accept" button to make them disappear.  Further, the ICO is also considerate of the impact cookie pop-ups are currently having on businesses; it notes that the existing mechanism is "far from ideal…as it is costly and it can lead to poor user experience".  

The ICO is looking to the G7 countries to tackle this issue because it does not believe this is something that one country do alone.  The ICO intends to present its vision where web browsers, software applications and device settings allow people to set lasting privacy preferences of their choosing, rather than having to do that through pop-ups every time they visit a website.  The ICO believes this will "ensure people's privacy preferences are respected and the use of personal data is minimised, while improving users' browsing experience and removing friction for businesses". 

While evidence of its pragmatic approach, this seems to be based on an over simplification of the use of cookies and other tracking technologies and represents a somewhat idealistic view.  With regards individuals', their privacy preferences will only be respected to the extent that they fully understand what the information and questions presented to them actually mean and what the impact of providing their preferences through the relevant platform would be.  It will be interesting to see what guidance the ICO provides about ensuring full transparency to individuals, or whether it will leave it to businesses to grapple with this.  With regards businesses, the proposal could have a huge impact on their ability to collect data that, whilst not necessarily "essential" in the legal sense, is considered critical to their business, such as data for analytics to understand how their platform is used or for advertising to generate revenue.  It's also worth noting that there can always be exceptions to the essential/non-essential rule in businesses.   

Approaching the G7 authorities was an interesting move by the ICO and one which was not expected.  That said, given the recent scrutiny and debate around the future of cookies, it is not surprising that we are seeing data protection authorities starting to make their views clear on the matter, and a group effort is likely to see more traction.  It is encouraging to see the ICO initiating the move and we look forward to learning more about the ICO's proposal and the G7 authorities' views in response, and will provide updates when available.

ALM expressly disclaims any express or implied warranty regarding the OnPractice Content, including any implied warranty that the OnPractice Content is accurate, has been corrected or is otherwise free from errors.

More From Cybersecurity

5 Trends to Watch: 2023 Hospitality

By Samantha Ahuja Greenberg Traurig January 18 , 2023

For many hotels, the pandemic exacerbated the challenges of finding enough qualified workers to fill jobs.

Cookies and Other Tracking Technologies May Violate HIPAA

By Karin E. Ross Greenberg Traurig January 18 , 2023

In the midst of significant privacy changes in many U.S. states affecting tracking technologies such as cookies, pixels, and adtech, new lawsuits are alleging entities violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA) via impermissible disclosure of protected health information due to the use of these technologies.

Regulating Cybersecurity across the EU and the UK

By Romain Perray McDermott Will & Emery January 12 , 2023

On November 28, 2022, the Council of the European Union formally adopted the Network and Information Security 2 Directive (NIS 2 Directive), replacing the current NIS Directive (Directive 2016/1148/EC).

Featured Stories
Closeclose
Search
Menu

Working...