On 10th of January 2017, the European Commission announced the publication of its draft Regulation on Privacy and Electronic Communications (commonly known as the ‘ePrivacy Regulation’). Within this, it has major plans to replace pop-up/banner type cookie warnings on websites with browser specific privacy settings. Full details can found here.
ePrivacy Regulation and EU General Data Protection Regulation
It is important to understand how this proposal relates to the General Data Protection Regulation (GDPR). According to the European Commission fact sheet on this subject the GDPR focuses on data protection for individuals. It was adopted in 2016 and its provisions will apply as from May 2018. The General Data Protection Regulation will enable users to better control their personal data. However, it only applies to the processing of personal data of individuals. It does not cover business-to-business communication or communication between individuals, which does not include personal data. The proposed EU Regulation on Privacy and Electronic Communications complements the General Data Protection Regulation and ensures the fundamental right to the respect of private life with regards to communications.
The new rules also give citizens and companies specific rights and protections, which are not provided by the General Data Protection Regulation. For instance, they guarantee the confidentiality and integrity of users’ devices (i.e. laptop, smartphone, tablets), as smart devices should only be accessed if the user has given their permission. The proposed Regulation also seeks to align privacy rules with the recently adopted General Data Protection Regulation, for example by relying on its definitions. The draft regulation also repeals the security obligations outlined in the current ePrivacy Directive that have become redundant as similar provisions exist in the General Data Protection Regulation.
Pros and cons
According to the draft ePrivacy Regulation the intent is that browsers should work through privacy by default and that browsers would not allow standard cookies. This principle is satisfactory to the legislative parties because they argue that there are more options to protect privacy from a technical perspective. Advertising agencies on the other hand see the proposal as a bad thing, because it creates a lot less interesting and relevant online ads because less or indeed no useful information would therefore be stored in cookies. However, there are other reasons as to why these privacy regulations are not a good idea.
False sense of security
Cookies are not only used for tracking, but also for the core functionality of a website. Think of their importance for memorising items in a shopping cart for example. In most countries we would classify these as ‘functional cookies’ as opposed to ‘tracking cookies’. The current proposal states that the storage of all cookies by default should be completely blocked. However, blocking all cookies is not possible, because websites simply would not work anymore. Browsers would therefore need to provide options to just reject tracking cookies. There seems to be an impression from this, that it is easy and possible to distinguish between functional cookies and tracking cookies. This is not the case, because apart from a few properties such as ‘name’, it is difficult to make this distinction by just looking at the cookie. Currently, the techniques employed by browsers are not good enough in themselves to guard privacy to the extent required by the new proposal.
In addition, cookies are not the only way to store sensitive information. Via components such as session storage, local storage but also through methods such as loading (external) files, it is possible to transfer data without control to a third party. Browsers will never be able to monitor and control all of these methods.
Also, the ‘do not track’ functionality in the browsers of today, does not meet the requirements of the proposal. This setting allows users to select whether they want to be monitored (i.e. tracking cookies enabled) or not. The disadvantage is that the browser makes available only the form (or similar) for the user to complete their preferences. However, it is the website owner who must ensure that these choices are respected and actually carried out. In other words, a browser setting does not fully guarantee that no tracking data will be sent (even though a user expressed their intent not to be tracked). The responsibility and technical effort of the website owner does not change with a statutory compliance do not track functionality implemented through a browser.
Displacement of the problem
The proposed data protection through the do not track browser setting is far too general because it needs to work for all websites. The user can not choose which companies deal properly and transparently with their personal information provided, especially in terms of their privacy wishes and data collection permissions, across multiple channels. This is an all or nothing situation, especially as many companies still do not ask for permission in the right way, or indeed at all. This will again cause a lot of confusion, frustration and poor customer journeys for end users, with many ending up saying “I thought I had already done that?!” Would it not be better to ensure that governing and guarding privacy is the responsibility of the information processing party and that responsibility should not be moved to an application of the end user? Data handlers should provide options to the end users to grant explicit permission, have the right for refusal and to be able to easily withdraw from any data gathering which impacts their privacy. This investment in a browser setting moves the problem to end users, who will often make decisions based on incomplete or incorrect information presented, or worse just click to remove what they perceive to be yet another annoying advert or banner. Privacy is too important to leave to a browser setting.
There is a lot of good intent within the GDPR and ePrivacy Regulations to help protect omnichannel generated data relating to personal privacy. Together, they will help drive a much needed paradigm cultural shift around personal and sensitive data. Companies must be able, in addition to the previously described explicit permission, also be able to make clear the purpose of the data collection. All end users must have the ability to enable removal of their data in all systems where their data is sent. This is a grand and far from trivial challenge that still requires much more control over the infrastructure than is available today. It is a challenge that goes far beyond what can be facilitated via a browser setting.