More than a decade ago, European data protection regulators identified the problem of “consent fatigue”, where website users were overwhelmed with multiple requests to give consent for processing of their personal data. In theory, responding to those requests let individuals exercise control but, in practice, it seemed more likely that they were just clicking whatever was needed to get the content they wanted.
Despite the Article 29 Working Party’s 2009 comment (not specific to websites) that “the complexity of data collection practices, business models, vendor relationships and technological applications in many cases outstrips the individual’s ability or willingness to make decisions to control the use and sharing of information through active choice” and the UK Information Commissioner’s concern “that the creation and sharing of personal data profiles about people, to the scale we’ve seen, feels disproportionate, intrusive and unfair, particularly when people are often unaware it is happening”, regulators’ and legislators’ response to the problem has largely been to look at legal and technical formalities, not to question whether the data processing behind many commercial websites was simply too complex for individuals to meaningfully control.
Thus the latest enforcement action by the French regulator against concerns the widespread practice of offering a choice between “accept” and “configure”: the latter typically leading to pages of detailed settings that the user must refuse individually. The Regulator’s conclusion that “it is not as easy to refuse cookies as to accept them” – as required by GDPR Art.7(3) – is hardly surprising. But given earlier enforcement actions demanding that data controllers give more detail and granularity, providers might be tempted to think “you asked for it, you got it”. As with previous enforcement, the result seems more likely to be an adjustment of practice towards the regulator’s rulings, rather than a major change of approach.
Ironically, the opportunity for that change may now come from the technical side, where browser creators (including Google) are proposing new technologies for Internet advertising that may not obviously relate to existing legal provisions and rulings. The Information Commissioner has responded with a set of privacy expectations for such developments: these still call for “User Choice”, but alongside “Data Protection by Design”, “Accountability”, “Purpose”, and “Reducing Harm”. Whether this will result in a new approach, or just a new front in the battle of formalities, we will have to wait and see.