Cookie consent crumbles under fresh UK data law proposals

Campaigners fear erosion of rights as narrowing of law proposed as well as political control over independent watchdog

The UK government has published its plans for reforming local data protection law which includes removing the requirement for consent for all website cookies – akin to the situation across much of the US.

Also notable is the removal of the requirement for a Data Protection Impact Assessment, as well as a new political direction over the Information Commissioner's Office.

However, Nadine Dorries, the minister for the Department of Digital, Media, Culture and Sport, rejected controversial proposals to remove the right to challenge automated decision-making. Privacy campaigners had said the proposals were "irresponsible" and would make it harder for people to "challenge the government or corporations."

Meanwhile, one legal firm welcomed the response as the "incremental reform of the current framework" — rather than an entirely new approach to data rights.

What exactly is being proposed for cookies?

UK rules on website and app cookie consent are set to change if these proposals move forward. The government plans new laws to remove the need for websites to display cookie banners to UK residents, permitting cookies and similar technologies to be placed on a user's device without explicit consent.

The proposals — which also apply to apps on smartphones, tablets, smart TVs or other connected devices — advocate "browser-based and similar solutions that will help people manage their cookie and opt out preferences."

However, websites must give the web user clear information about how to opt out of having cookies set.

"The government will work with the industry and the regulator to ensure technology is effective and readily available so people can set their online cookie preferences to opt-out via automated means," the proposals said.

How will it protect users from tracking?

Peter Church, counsel in law firm Linklaters' global data team, said: "The reform of cookie laws is also long overdue given the widespread annoyance caused by cookie pop-ups. However, it's not clear how the new regime will adequately protect individuals from excessive and intrusive internet tracking."

Elsewhere, the government has rejected proposals to remove the right for individuals to challenge automated decisions made about them, a right enshrined in the EU GDPR, a piece of legislation the government had promised to move away from after Brexit.

"Our proposals retain human review as currently required under Article 22, but will ensure that a data subject has access to clearer safeguards for any significant decision made without meaningful human involvement, potentially to include a justification of how a decision is reached which may enable a data subject to more easily identify how protected characteristics have been factored into a decision," the proposals said.

Church welcomed the move. "It appears the government has pushed back on some of the more radical suggestions – such as replacing the GDPR with an entirely new Framework of Citizen Data Rights," he said.

However, the proposals have alarmed privacy and rights campaigners. Organizations will no longer have to complete data protection impact assessments (DPIAs) before collecting data. Instead, they will have to conduct "risk-based privacy management programme" to "mitigate the potential risk of protected characteristics not being identified."

Data protection consultant Rowenna Fielding warned that the shift away from broader right to focus only on privacy could be a danger to individuals.

"If government's talking about replacing [the DPIA] with a privacy management program, that takes away that enormous requirement to consider holistically what rights might be affected and avoid detrimental impact to them and replace it with a very narrow focus on privacy.

"This means that there will no longer be a requirement to consider impacts on say employment rights, consumer rights, contractual rights, citizens' rights and so on.

"It is actually extremely disturbing because it indicates that either they haven't understood data protection law at all or they have understood it, and they are derailing the core purpose of data protection which is to protect rights and freedoms.

"They are changing the conversation to reframe it in a very, very narrow sense to be about privacy," she said.

The government is also proposing changes to the role of the Information Commissioner's Office, the independent watchdog overseeing data protection in the UK.

Government plans to give itself powers to prepare a statement of strategic priorities (SSP) for the ICO to regard when discharging its data protection functions, despite widespread criticism that this could undermine the independence of the office.

"Given the government's commitment to ensuring the ICO's independence, the SSP will sit below the ICO's primary objective and duties under the UK GDPR and the DPA 2018. While the ICO will be required to respond to the priorities contained in the SSP, the ICO will not be legally bound to act in accordance with the statement. Further, the SSP will be subject to parliamentary approval before it is designated," the proposals said.

Mariano Delli Santi, legal and policy officer with campaigners the Open Rights Group, said the move could expose the ICO to political direction, corporate capture and corruption.

"Worried about the ICO new guidance or investigation? Giving a substantial donation to the party in government will ensure that the Secretary of State takes care of your concerns," he said. ®

Other stories you might like

  • California's attempt to protect kids online could end adults' internet anonymity
    Websites may be forced to verify ages of visitors unless changes made

    California lawmakers met in Sacramento today to discuss, among other things, proposed legislation to protect children online. The bill, AB2273, known as The California Age-Appropriate Design Code Act, would require websites to verify the ages of visitors.

    Critics of the legislation contend this requirement threatens the privacy of adults and the ability to use the internet anonymously, in California and likely elsewhere, because of the role the Golden State's tech companies play on the internet.

    "First, the bill pretextually claims to protect children, but it will change the Internet for everyone," said Eric Goldman, Santa Clara University School of Law professor, in a blog post. "In order to determine who is a child, websites and apps will have to authenticate the age of ALL consumers before they can use the service. No one wants this."

    Continue reading
  • Meta agrees to tweak ad system after US govt brands it discriminatory
    And pay the tiniest of fines, too

    Facebook parent Meta has settled a complaint brought by the US government, which alleged the internet giant's machine-learning algorithms broke the law by blocking certain users from seeing online real-estate adverts based on their nationality, race, religion, sex, and marital status.

    Specifically, Meta violated America's Fair Housing Act, which protects people looking to buy or rent properties from discrimination, it was claimed; it is illegal for homeowners to refuse to sell or rent their houses or advertise homes to specific demographics, and to evict tenants based on their demographics.

    This week, prosecutors sued Meta in New York City, alleging the mega-corp's algorithms discriminated against users on Facebook by unfairly targeting people with housing ads based on their "race, color, religion, sex, disability, familial status, and national origin."

    Continue reading
  • Brave Search leaves beta, offers Goggles for filtering, personalizing results
    Freedom or echo chamber?

    Brave Software, maker of a privacy-oriented browser, on Wednesday said its surging search service has exited beta testing while its Goggles search personalization system has entered beta testing.

    Brave Search, which debuted a year ago, has received 2.5 billion search queries since then, apparently, and based on current monthly totals is expected to handle twice as many over the next year. The search service is available in the Brave browser and in other browsers by visiting

    "Since launching one year ago, Brave Search has prioritized independence and innovation in order to give users the privacy they deserve," wrote Josep Pujol, chief of search at Brave. "The web is changing, and our incredible growth shows that there is demand for a new player that puts users first."

    Continue reading

Biting the hand that feeds IT © 1998–2022