The current rules set out in the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) prohibit the dropping of non-essential cookies (or other similar tracking technologies) on user devices without first obtaining the user's consent. Earlier this year the consultation on reform of the UK's data protection regime suggested that the government might take a significant step away from these rules by removing the requirement for consent to cookies from UK law for a wide range of purposes, or requiring it only in limited circumstances.
Recipe for change
Now that we have seen the draft Data Protection and Digital Information Bill (DPDI Bill), it appears that the proposed changes are not as drastic as initially speculated. The government does plan to allow cookies to be dropped without the user's consent, but only for a limited number of purposes, such as website traffic monitoring or detecting faults on an organisation's website. The proposed changes are somewhat qualified by the fact that the user would still need to be able to object to (or opt out of) the cookie (or tracking technology) being dropped.
Pop-ups are out
The long-term plan is to remove the requirement for cookie banners and move to an opt-out model of consent. The rationale for the change is to cut down on the multiple user consent pop-ups and banners which the government has called "irritating boxes". The IAB UK, the industry body for digital advertising, also welcomes the risk-based proposal for a browser-based opt-out model as a way to improve the user experience. The head of policy and regulatory affairs at IAB UK has recognised that "more clarity is needed about the alternative proposals for an opt-out regime. While annoying, cookie consent pop-ups do still serve a valuable purpose, and it’s crucial that what comes next is both conducive to the continuation of an ad-funded internet and takes into account the changing nature of identifiers within the digital landscape."
Another challenge will be enabling users to retain the same degree of autonomy and control over their cookie preferences in a way which is less frustrating than the current approach. Under the new rules users will be able to set an overall approach to how their data is collected via their browser settings (where available).
In an attempt to combat the risk presented by differing levels of cyber-literacy, it is hoped that work will be done with industry to develop browser-based solutions that facilitate privacy-friendly cookie preferences. The online safety of young people remains high on the government's agenda, and the government does not intend the opt-out model to apply to websites likely to be accessed by children.
There is some scepticism around how successful the envisaged collaboration between government and industry will be, with some commentators concerned that the UK government may struggle to compel developers to engineer browsers to support the opt-out model, given the technical difficulties involved and previous apathy towards similar proposals. The original 'Do Not Track' campaign, which promised user-friendly opt-out options, was first launched in 2009 and struggled to get off the ground due to a lack of industry support.
Browsing through Europe
Many global and pan-European organisations have invested significant resources in GDPR and PECR compliance projects. Given that some of the new rules proposed by the Bill apply in the UK only, commentators are questioning whether there will be any appetite to change recently established practices to account for UK-specific nuances. There is speculation that global, or at least pan-European, organisations will continue to apply the EU GDPR 'high water mark' to ensure continuity across their organisation and avoid the complexities associated with differing geographical data protection practices.
The crucial factor is that the changes proposed specifically for cookies and tracking technologies in the DPDI Bill are generally in line with the EU's plans for a new ePrivacy Regulation. Harmonisation would certainly be welcomed by multi-jurisdictional organisations, given how challenging it would be to implement different cookie and tracking technology approaches from a technical perspective.
Another proposed change introduced by the Bill is that the soft opt-in exemption will be extended to non-commercial organisations, including charities, bringing the approach to non-commercial organisations in line with that for commercial organisations. Currently, commercial organisations do not have to obtain an individual's explicit consent to send electronic marketing if that individual has previously purchased, or shown interest in, the goods or services provided by that organisation. If the DPDI Bill as drafted is approved, non-commercial organisations will soon also benefit from this exemption.
For the most part, the proposed changes under the DPDI Bill to the rules on direct marketing and cookies seek to align with the approach likely to be taken in the EU under the (at some point) incoming ePrivacy Regulation, as well as harmonising the approach across commercial and non-commercial organisations. The real challenge will be the longer-term plans to implement browser-based cookie preferences and to get the buy-in from industry required to create a user-friendly and seamless browsing experience, while preserving high privacy standards.