Could 2019 be the End of Cookie Consent Forms?

Written by

In 2009, the European Union amended its 2002 ePrivacy Directive to require that companies obtain consent for storage or access of data on electronic devices. Because this includes the use of cookies, for users the most noticeable consequence of this law is the barrage of cookie consent forms found on websites in the EU.

The ePrivacy Directive soon became colloquially known as the Cookie Law, and it has been a controversial topic from the beginning. The law has been heavily criticized as ineffective, a disadvantage and burden for those who adhere to it, and impossible to enforce.

Expected in 2019 or possibly 2020, the ePrivacy Regulation will replace the ePrivacy Directive. The difference between a directive and a regulation is that regulations become legally binding across all member states as soon as they take effect, whereas directives must be interpreted and enforced by national laws of each EU member state, resulting in a less homogeneous implementation.

The ePrivacy Regulation is not yet finalized, but we have a pretty good idea of what's going to be in it. A key point of the new legislation aims to address a few key problems with cookie consent forms. These include "consent fatigue," in which website visitors blindly accept or ignore the terms of use for cookies.

Furthermore, even visitors who do read the consent popups and banners likely don't know what they're agreeing to, because websites are not required to explain what cookies are and how they work when obtaining consent.

In many cases, websites place cookies in a user’s browser at the same time they ask for consent, assuming the user will accept. The law does not take into account other means of tracking users, such as browser fingerprinting. Finally, no response---when the user doesn't click "I agree"---is considered "implied" consent.

Third-party vs first-party cookies
To address these issues, the ePrivacy Regulation will do a few things in regards to cookies. First, it makes a clear distinction between third-party persistent tracking cookies and non-privacy intrusive cookies. First-party cookies that are necessary for the proper functioning of a website and that do not remain active after the user has left the page will probably not require a consent form.

However, websites that do use tracking cookies will still need to gain consent. This still affects most major websites, including those that utilize Google Analytics and social media buttons and widgets. Unfortunately, the law only doubles down on tracking cookies, stipulating what information must be presented when obtaining consent.

First off, no more placing cookies at the same time the website asks for consent and assuming the visitor will accept. Consent first, then cookies.

Second, simply notifying the visitor that cookies are in use and asking them to accept won't cut it anymore. Websites must communicate what information the cookies contain and what consent is being given for, in plain language. Further, consent must be requested and freely given "as a positive and unambiguous action," which means websites can't just instruct users to accept cookies and move on.

It's worth noting that cookies used for web analytics are considered exempt. However, Google Analytics and other analytics services utilize tracking cookies, so the law seems to contradict itself in this respect and requires further clarification.

Web browser provision
The new law will further require that web browsers incorporate settings that allow users to more easily manage cookies. This shifts some of the responsibility for storage and retrieval of cookies to web browser developers.

How exactly this will work is unclear, but the law says that users will set their cookie preferences upon installation of the browser. When new privacy options are made available, users will set these preferences again. It's not clear if these settings could be a substitute for the consent form banners that now plague EU websites.

This stipulation is possibly the biggest change between the directive and new regulation, and yet it's extremely vague on the details. It's not clear how this will address consent fatigue and other problems mentioned above. It's a burden for browsers and apps both to implement these settings and to ensure compliance.

As a result of all this ambiguity, the Austrian presidency of the Council of Ministers proposed removing the browser provision from the regulation in July. Andrew Cormack, the Chief Regulatory Advisor of UK computer networking firm Janet, laid out some specifics of how the browser provision might be implemented and how it could work in conjunction with the GDPR.

Suffice it to say, ideas are still being thrown around, and it's unclear if this will reduce the burden on websites to obtain consent.

What’s hot on Infosecurity Magazine?