Cookies: limits of regulation

In going through the new (2023) Data Protection and Digital Information (No.2) Bill I noticed that it does actually make a change to UK law on cookies: according to clause 79(2A), consent will no longer be needed to store or access information in the user’s terminal equipment if this is

  • done by the person who operates the website, and
  • the sole purpose is to collect statistical information to improve either the website or the service it offers, and
  • that information is not shared with any other person for any other purpose.

Otherwise the new clause 79 pretty much reproduces the existing rules dating back to 2009. And this new exemption (colloquially known as first-party analytics) was actually proposed by European regulators in late 2012. To be fair, European legislators didn’t get around to proposing the change till 2017 and their law still hasn’t passed. So although both pieces of legislation are still declaring this a solution to “consent fatigue”, it doesn’t seem as if there’s much enthusiasm for it.

I think there might be some broader lessons here for the capabilities and limitations of “regulation”, whether at organisational, national or international scale.

Have we already got a regulation that could cover this harm? Back in 2009, the concern wasn’t primarily the storage of cookies, but the privacy invasions enabled by tracking individual users. Cookies were the main way that was then done, but many other technologies can be, and are, now used. Cross-site tracking was considered particularly harmful, hence the long-standing distinction between first- and third-party analytics. Privacy harms are, of course, the remit of privacy and data protection laws, and (as I discussed in a journal paper) European data protection law already contained a framework that could have been used to develop a limited, and technology-neutral, framework for website improvement (an obvious “legitimate interest”) in ways that safeguarded users’ rights and freedoms. But, instead, a solution was sought in new provisions on storage and access which, by some accounts, were actually intended to deal with spyware. Rather than spending the last decade (and counting) discussing what is and is not acceptable behaviour by websites, we’ve been producing ever less relevant technical distinctions.

Is the harm controlled by someone responsive to our regulation anyway? That 2009 “spyware” provision had the simple idea that users should be free to accept or refuse the installation of additional software they hadn’t asked for. But, as the market developed, it quickly became apparent that how/whether that choice was offered to users depended on the website, the browser and, particularly, plugins and add-ons to both. It’s still uncommon for consent interfaces to give equal prominence to “accept all cookies” and “reject all cookies”, even though this has been a clear requirement of European law since 2018 (“It shall be as easy to withdraw as to give consent”, GDPR Art 7(3)). It seems the providers of that software are more responsive to other pressures.

Will the reaction to regulation actually deliver what we want? Where cookie banners have responded to changes in law, this typically involves making them larger, more frequent and more intrusive. The term “consent fatigue” quickly emerged. I can’t believe this was the intention of the regulators, but I think it could have been foreseen. When proposing a change to law or policy or any other kind of “rules”, it’s worth role-playing how people and organisations might respond. If that doesn’t help the original problem, maybe it’s worth considering another – maybe even an existing – approach?

By Andrew Cormack

I'm Chief Regulatory Advisor at Jisc, responsible for keeping an eye out for places where our ideas, services and products might raise regulatory issues. My aim is to fix either the product or service, or the regulation, before there's a painful bump!
