Cookies – are we asking the right questions?

Last week saw the first anniversary since the ICO decided to start enforcing the new cookie rules in the UK. If you’re reading this, you’ll almost definitely know that the law actually came into force two years ago as a result of changes to the E-Privacy Directive. The “old” rules operated on a notice and opt-out basis. Under the “new” rules, broadly speaking, notice and prior consent is required.

Ever since the law came into force, lots of questions have been asked by lots of different stakeholders. The main question I’ve been asked as a legal adviser in this area is what consent mechanism a website needs to implement to be compliant (implied consent notice, banner, pop-up etc?).

One of the much discussed problems with the prior consent rule is that everyone knows the average internet user does not understand and/or will not make the effort to try to understand what cookies are and how they’re used. The notion of the average internet user providing genuine, freely given, specific and above all “informed” consent in relation to cookies is therefore completely spurious.

I went to a seminar recently where Dave Evans from the ICO showed some statistics about the number of complaints the ICO had received about cookies since the rules came into force. According to the ICO, the number of complaints was very low compared to other data protection / privacy issues which they receive complaints about.

What is the point of asking how many people have complained about cookies? Does a low number of complaints indicate a successful regulatory regime or does it indicate a pointless one?  Why did the relevant people actually complain? Why did other people not complain? Is it because they don’t care about cookies? Is it because they didn’t know who to complain to? Is it because they do care about cookies but couldn’t be bothered to complain? Is it because they don’t care about cookies but enjoy complaining? Is it because they would care about cookies if they understood what the hell they were? And… so… on…

The legislation admits that prior consent is pointless for certain cookies (i.e. the ones that are strictly necessary for the site to offer a service requested by the user, such as an online shopping basket). The real target of the rules, as we have been continually told by the regulators, is online behavioural advertising (OBA).

In Opinion WP171 from June 2010, the Article 29 Working Party (an independent body made up of the various European data protection regulators) acknowledged that whilst there are “possible economic benefits to advertisers” through using OBA, these should not come at the expense of individuals’ privacy rights. “Possible economic benefits”?! Surely that’s an understatement. In any event, surely the implementation of a completely spurious notice and consent regime does nothing to safeguard individuals’ privacy rights.

Omer Tene and Jules Polonetsky from the Future of Privacy Forum wrote an article last year in the Minnesota Journal of Law, Science & Technology in which they nicely summarised the regulatory conundrum we’ve found ourselves in:

By emphasizing “transparency and user consent,”… the current legal framework imposes a burden on business and users that both parties struggle to lift. Imposing this burden on users places them at an inherent disadvantage and ultimately compromises their rights. It is tantamount to imposing the burden of health care decisions on patients instead of doctors. Instead of repeatedly passing the buck to users, the debate should focus on the limits of online behavioral tracking practices by considering which activities are socially acceptable and spelling out default norms accordingly.

The purpose of OBA is to display adverts to people for products/services which they are more likely to be interested in and therefore buy. OBA and the development of real-time bidding and programmatic buying are the future (or even the present) of the internet. It seems that instead of spending all this time asking consumers to provide consent to something which they either don’t understand, don’t want to understand or don’t care about, the regulators should spend more time asking a fundamental question about what they are actually trying to regulate.

Surely attention should instead be focused on what businesses can/can’t do with people’s personal data and ensuring that online businesses do not abuse that data in a way which causes people either real distress, financial injustice or discrimination (e.g. unfairly increasing prices or denying financial services based on incorrect assumptions drawn from web browsing history). If you asked consumers whether they care about that stuff I know what their answer would be.