New UK proposals for cookies and data protection. Everything you need to know. | McGregor Boyall

Some years ago, I attended a closed-door session where General Counsel for one of the world’s largest Internet behemoths pronounced that the consent requirement in Article 5(3) of the EU’s ePrivacy Directive (‘EPD’) represented for his company an ‘existential threat.’

Presumably, he feared that once individuals were given the option to consent to tracking cookies, most would likely refuse, thereby severely curtailing the data his company was able to harvest and monetise. As we now know, his fears did not come to pass as EU consumers are likely to ‘click’ the accept button for a variety of reasons. Studies have shown that rather than produce feelings of empowerment, the cookie consent requirement has instead made consumers feel less in control, annoyed, and inconvenienced.

Addressing the inefficiency of consent for the use of cookies is therefore high on the agenda as the UK shapes its own regulatory regime for the commercial processing of personal data in the wake of the UK’s exit from the EU in 2020. Part of the result appears in Clauses 78 and 79 of the Data Protection and Digital Information Bill (‘DPDI’) as currently drafted, amending Regulation 6 of the UK’s Privacy and Electronic Communications (EC Directive) Regulations 2003 (‘PECR’), which in essence gives effect to the EU’s EPD. While recognising that Clauses 78 and 79 will change the cookies regulation in the UK, it must be noted that the UK Government’s legislative agenda is currently suspended. These comments are based on the state of affairs before the change of premiership in September 2022, and changes may very well be made to the legislative proposal once the new government agenda settles.

In brief, Clause 79 DPDI concerns the Regulation 6 PECR requirement of a user’s or subscriber’s consent for cookies or similar technologies which are used to store or access information on a user’s or subscriber’s device. The Explanatory Notes accompanying the DPDI explain:

Regulation 6(1) [PECR] prohibits an organisation from storing information or gaining access to information stored in the terminal equipment of an individual, unless the individual is provided with clear comprehensive information about the purposes of the storage of, or access to, that information; and the individual has given consent. These rules apply to the placement of cookies and similar technologies (such as tracking pixels) on people’s devices.

However, the consent requirements are not absolute. In amending Regulation 6(1) PECR, the DPDI would introduce several exceptions to mandatory consent. These exceptions mainly relate to the functionality of websites and services, and loosely mirror the exceptions being contemplated by the EU in the proposed ePrivacy Regulation, which is set to replace the EPD. These exceptions include the gathering of statistical information for the improvement of services and functionality; and geographical information only when ‘strictly necessary’ to locate a user’s or subscriber’s device in an emergency.

On the whole, the exceptions to mandatory consent for the use of cookies or similar technologies are likely to deliver the UK Government’s legislative ambition to ‘cut down on “user consent” pop-ups and banners.’ For example, the new section (2A) would allow for an exception when,

[T]he sole purpose of the storage access is – (i) to enable the way the website appears or functions when displayed on, or accessed by, the terminal equipment [i.e., user or subscriber’s device] to adapt to the preferences of the subscriber or user, or (ii) to otherwise enable an enhancement of the appearance or functionality of the website when displayed on, or accessed by, the terminal equipment.

The wording is clearly intended to reduce the number of consent requests by allowing companies to continue to use cookies or similar technologies to give effect to preferences already expressed by users or subscribers. In other words, the exception would allow for ongoing personalisation of the website or service experience based on the one-time consent of the user or subscriber. This raises several questions.

First, this seems to be contrary to the guidance on consent from the UK’s Information Commissioner’s Office (‘ICO’), which states that consent cannot be bundled for multiple operations and must be reaffirmed periodically. It is not yet clear how the contradictory wording can be reconciled.

Second, the UK Government’s rationale for the new exceptions to mandatory consent is that these exceptions present a low risk to privacy. As such, it is worth noting that both the PECR and the EPD concern privacy and confidentiality in electronic communications. They are therefore not primarily focused on data protection as conceptualised in the EU’s General Data Protection Regulation (‘GDPR’), which includes an objective to give individuals control over their personal data, stated in Recital 7 GDPR.

Choosing to protect one’s privacy on the one hand and controlling the commercial use of one’s personal data as it is harvested and monetised on the other hand, are, albeit somewhat overlapping, slightly different things. In this case, the UK Government has chosen to downplay individuals’ right to autonomy, or what the Europeans may refer to as a right to informational self-determination, by emphasising privacy instead. This is a reductionist view of what data protection is about and therefore does not quite match the UK Government’s own remit for the DPDI to maintain ‘high data protection standards.’ Consequently, the standards may only be high in certain regards.

Third, in any case, whether the DPDI is amended to bolster individuals’ right to control the commercial uses of their personal data as harvested through cookies may be a moot point. While only time will tell how far the exceptions to mandatory consent are stretched once the DPDI is enacted, especially given the signals sent by the new team in 10 Downing Street, the experiences from the EPD seem to confirm the findings of several academics that the notion that individuals can control the commercialisation of their personal data is likely to remain an illusion.

Given the ubiquity of personal data harvesting and monetisation, which easily eclipses granular consent decisions taken by individuals, the new Clause 79 DPDI is one step toward the UK Government’s vision, ‘to allow for the realisation of all benefits derived from more effective data use.’ The instrumental language illustrates how the UK post Brexit is moving towards treating personal data as digital assets rather than facets of human identity. Following this trajectory, there is a risk that data protection in the UK will be reduced to a mere consumer protection standard, unhinged from the cart of fundamental rights as prescribed in Article 8 of the Charter of Fundamental Rights of the European Union (‘CFR’). This may be a more practical and pragmatic approach to data protection and privacy, but one cannot help but ponder whether something more fundamental may be lost in the transition from a supranational to a domestic legal regime.

There is still quite some uncertainty regarding how Clause 79 DPDI would be implemented in practice; yet, one early conclusion can be drawn. The General Counsel who identified the cookies consent requirement as an existential threat will have nothing to worry about with the enactment of the DPDI.

Dr Ann Kristin Glenster, Centre for Intellectual Property and Information Law, University of Cambridge, Senior Advisor on Technology Governance and Law, University of Cambridge Minderoo Centre for Technology and Democracy