This morning I read with some pleasure that the UK’s Information Commissioner plans to ask the G7 nations to collaborate in getting rid of cookie pop-ups. A day late and a dollar short, but welcome news nonetheless.
One of my first proper jobs in digital involved writing cookie audits. With the Privacy and Electronic Communications Regulations (PECR) drumming up a steady flow of business, we automated browsers to spend hours counting cookies on our clients’ websites.
My deep expertise in the PECR thus established, I wrote on the matter for Econsultancy (a superb article which they have inexplicably left to the WayBack Machine to preserve).
As I noted at the time, the Government knew even then that cookie pop-ups would be ignored by users. What we all got wrong was, we assumed this would mean no consent, and thus no data. What actually happened, of course, was cookie pop-ups were designed in such a way as to make declining consent just hard enough that few would bother.
Ten years later, the jig is up. The ICO, while continuing to enforce the rules, admits most implementations produce the opposite of their intended outcome. Confused or bored by deliberately opaque cookie settings, most take the path of least resistance and give up more personal data than they would like.
The ICO now wants users to be able to set tracking preferences in the browser. In this sense, they’re a day late and a dollar short. Use of ad- and tracker-blocking browsers like Brave has been growing for years (PageFair estimated a 64% increase between 2016 and 2019). Cross-site tracking prevention introduced t0 Safari (over 18% of market share at time of writing) in 2020, blocks 3rd-party cookies and limits some device fingerprinting.
You can, of course go further. Personally, I take a belt-and-braces approach by also running a DNS sinkhole on my home network. DNS queries from my router are pointed to an instance of Adguard Home running in Docker on my NAS. That silently shuts down virtually any request to do with analytics, advertising, or social media. Upstream DNS comes from the security-focused Quad9, which also filters out various threats. A browser plugin can then quietly strip out the cookie pop-ups
Odd, then, that the ICO’s announcement reads as though they are completely unaware that market forces have already begun to solve the problem. Indeed their “vision of the future” sounds suspiciously like the present, “where web browsers, software applications and device settings allow people to set lasting privacy preferences of their choosing”.