The much-loathed Brussels “cookie law” – which has forced every website owner to gain consent for using browsing data – should be scrapped and replaced by new legislation as it has simply not worked in practice.
That is the view expressed by the UK Information Commissioner’s Office in its submission to the consultation on updating the ePrivacy Directive, which outlines its objections to the law amid claims it does not strike the right balance and could hinder digital innovation.
Originally there had been fears that the UK would have no influence on the changes following the Brexit vote, however, with Prime Minister Theresa May in no rush to invoke Article 50, the UK will not be leaving the EU for at least two years. The consultation is due to be complete before the EU General Data Protection Regulation (GDPR) comes into force in May 2018.
The ICO stated: “Requiring consent for the processing of personal data has not delivered the expected protection for individuals because some personal data must be processed in order for the consent mechanism to operate.
“In our view, the rules should also seek to achieve a proportionate balance between the legitimate interests of information society services and the privacy rights of individuals. There is a case for an exemption or an alternative basis for processing other than consent, particularly in cases where the privacy impact on the individual is minimal.”
Many believe the consultation indicates that the European Commission is planning to tighten eprivacy laws by requiring, among other measures, “privacy by default” settings on “terminal equipment”.
“The definition of terminal equipment would need to be carefully defined as it could include connected cars, IoT devices and legacy equipment. Consideration also needs to be given as to whether all these devices are capable of delivering privacy choices,” argued the ICO.
“The impact on small start-up companies would need to be carefully considered to avoid a disproportionate detrimental impact on innovation. Again, in our view, any rules in this area should seek to achieve a proportionate balance between the legitimate interests of businesses and the privacy rights of individuals, and not impose onerous and disruptive requirements in cases where privacy impact is minimal.”
When the cookie law was first introduced in 2012 – following a year’s grace – the ICO was adamant that explicit consent was the best practice. This required users to tick a consent box before proceeding. But a year later, it said “implied consent” was allowed, which just requires a simple statement on the site, with a link to advice on how to stop cookies.
Fears grow over ePrivacy update as UK loses voice
ICO commits to data law overhaul despite Brexit win
Third of businesses still feel unprepared for GDPR
7,000 data protection officers needed for UK firms
Marketers clueless about Brexit impact on data laws
Industry on alert as EU reviews online privacy laws
‘Simple’ cookies consent now rules
Cookies boycott fears dismissed
Sites opt for light touch on cookies
75% of top sites ‘ignoring cookie law’
Top UK sites get cookie ultimatum