The current cookie rules introduced in 2011 have been widely criticised, poorly implemented by publishers and there has been minimal enforcement action. Many agree that the result has led to minimal benefit for consumers with respect to their purpose – to increasing online privacy – and instead merely increased expenses for website or app owners.
According to the current rules, a site must inform users that cookies are being used the first time they are placed with a user, give an explanation for why they are there and request for the user’s consent to store the cookies. The cookie rules therefore hinge on the definition of ‘consent’.
The definition of consent
The definition of ‘consent’ in the new General Data Protection Regulation (‘GDPR’) is changed compared to what was seen previously. The new definition makes unambiguous consent the norm whereby consent must be given freely, specific and informed, and must form a positive action – for example ticking a box or clicking a link.
According to the current rules the implied consent may be valid where users fully understand that their actions will result in cookies being set. However, since unambiguous consent will become the norm then implied consent – or an opt-out approach in use today – will need to be revised in order to comply with the new regulation.
Another complication is that one device often has several users; at present only the person who originally accepts the cookies, the subscriber, explicitly accepts the storage of cookies while subsequent users may have a different preference which is not taken into account.
Implications for changes
There is no doubt that the unambiguous consent approach in the new regulation will increase expenses for website owners, software and app developers in order to implement the changes. For example, many app developers will need to change their approach when an app is downloaded on smart devices and afterwards access the users information on the device (e.g. contacts or photos). App developers will need to provide clear information to users about what the app does, and exactly how it uses their information, before users click to install the app.
Can the cookie requirement be good for business?
Cookies help websites remember the settings the user selected on a prior visit, including themes, language, login names and passwords for easier entry on future visits etc. Some argue that the new constant bombardment of requests to accept cookies will be inefficient and bothersome for users.
On the other hand, cookies can also collect demographic data about who the user is, how often they visit, how long they stay on the site and the surfing habits of the user by using the private information. The big data that cookies collect is treasured information for the website/app owners, allowing the site developer to adapt to the users’ interests or behaviour and adapt the site or app to maximise its effectiveness and efficiency.
The necessary balance
The cookie rules and the consent requirement under the new regulation must obtain a balance between user-friendly online services on one side and on the other side to safeguard the right to identity privacy online. At the same time the development of new technology must be able to continue to flow. It will be interesting to see whether this new consent definition will help the necessary balance or make it more challenging and costly to use the internet in the future. I am not optimistic.