Since 2012, European websites have been littered with pop-up notifications warning users about cookies—files that allow a site to remember a reader’s activity there. Now there’s a proposal that could make those infernal pop-ups a thing of the past… if it can pass a gauntlet of sign-offs from telcos, online advertising networks, messaging services, and privacy advocates.
The pop-ups are the result of the European Union’s 2011 ePrivacy Directive, which requires websites to gain consent from readers if they want to use cookies to track them.
On Jan. 10, the European Commission proposed a replacement. The Regulation of Privacy and Electronic Communications measures would dispense with individual websites’ consent pop-ups, pushing that requirement onto web browsers. Software-makers would have to ensure that when a browser is opened for the first time, users are presented with simple options for dealing with cookies—reject all cookies, accept all cookies, or accept some types of cookies, for example. Under the proposal, cookies performing innocuous functions, like providing traffic data to a website, won’t require the user’s consent.
Most browsers already have such capabilities, though the new rules would require making them more prominent and clear. Some browsers, like Norway’s Vivaldi, even see a chance to provide privacy-centric design. Says co-founder Tatsuki Tomita, ”If we can bring more transparency and control to the user in a way that they can understand, there’s definitely an opportunity.”
Telcos vs. tech giants
As the draft regulation is pored over by affected parties, another key battle is taking shape between telcos and companies that provide “over-the-top” messaging, like WhatsApp and Skype.
The ePrivacy Directive, which telcos have long lobbied to repeal entirely, already obligates them to ensure messaging confidentiality, and prevents them from storing data on user traffic and location. The new rules would extend some of that burden to over-the-top messaging providers.
But telcos aren’t satisfied. On. Jan. 10, lobbying groups ETNO and the GSMA issued a statement calling for more changes to the privacy proposal, saying telcos are still being “singled out.” Among their objections: The commission imposes a heavier compliance burden on telcos than over-the-top players when dealing with user-location data, making it harder for the former to compete in areas like mapping.
Advertisers vs. privacy advocates
The regulation’s biggest critic is the Internet Advertising Bureau (IAB), an industry group representing the interests of online advertisers. In December, IAB UK policy chief Yves Schwarzbart told the Financial Times (paywall) that an earlier, leaked, version of the regulation would “[put] at risk the entire internet as we know it.”
The official proposal includes some small victories for advertisers. Gone is an earlier draft’s provision to have browsers reject all cookies by default (pdf, p. 19), and the rules would allow websites to demand that users stop blocking ads. But it also comes with teeth. Any firm that breaches user privacy in handling data can be fined up to 4% of their global revenues, much more than the tiny amounts that national data protection regulators were allowed to impose previously. (In the UK, for instance, the Information Commissioner’s Office caps penalties at £500,000.)
“Should advertising be unable to foot the bill of keeping the lights on, these offerings will move behind a pay wall or stop being available at all,” warns Matthias Matthiesen, public policy manager at IAB Europe.
The proposal also strengthens user protections elsewhere, such as limiting cookie data storage to six months, and requiring explicit consent for electronic marketing and accessing user metadata.
“[The new rules] will definitely impact advertisers and publishers,” says Lukasz Olejnik, a privacy and security researcher at University College London. “But from the point of view of consumers—that’s good.”
Cookies vs. fudge
So where does this leave users? Possibly back where they started: clicking through dozens of pop-ups windows, only this time through their browser instead of specific websites. That’s because the proposed rule still calls for the user to explicitly consent in a host of scenarios before their data can be accessed.
“I’m cynical about the end of the pop-up banner,” says Kristina Holt, a privacy lawyer at Pinsent Masons in London. “Because if you’re looking at specific consent, you need someone to tick a box.”
This might end up as another classic example of the EU fudging its way into a new set of rules.