Europe needs to back browser-level controls to fix cookie consent nightmares, says privacy group

European privacy group noyb, which recently kicked off a major campaign targeting rampant abuse of the region’s cookie consent rules, has followed up by publishing a technical proposal for an automated browser-level signal it believes could go even further to tackle the friction generated by endless “your data choices” pop-ups.

Its proposal is for an automated signal layer that would enable users to configure advanced consent choices — such as only being asked to allow cookies if they frequently visit a website; or being able to whitelist lists of sites for consent (if, for example, they want to support quality journalism by allowing their data to be used for ads in those specific cases).

The approach would offer a route to circumvent the user experience nightmare flowing from all the dark pattern design that’s made cookie consent collection so cynical, confusing and tedious — by simply automating the yeses and noes, thereby keeping interruptions to a user-defined minimum.

In the European Union cookie consent banners mushroomed in the wake of a 2018 update to the bloc’s privacy rules (GDPR) — especially on websites that rely on targeted advertising to generate revenue. And in recent years it has not been unusual to find cookie pop-ups that contain a labyrinthine hell of opacity — culminating (if you don’t just click “agree”) — to vast menus of “trusted partners” all after your data. Some of which are pre-set to share information and require the user to individually toggle each and every one off.

Such stuff is a mockery of compliance, rather than the truly simple choice envisaged by the law. So noyb’s earlier campaign is focused on filing scores of complaints against sites it believes aren’t complying with requirements to provide users with a clear and free choice to say no to their data being used for ads (and it’s applying a little automation tech there too to help scale up the number of complaints it can file).

Its follow-up here — showing how an advanced control layer that signals user choices in the background could work — shares the same basic approach as the “Do Not Track” proposals originally proposed for baking into web browsers all the way back in 2009 but which failed to get industry buy-in. There has also been a more recent U.S.-based push to revive the idea of browser-level privacy control — buoyed by California’s California Consumer Privacy Act (CCPA), which took effect at the start of last year, and includes a requirement that businesses respect user opt-out preferences via a signal from their browser.

However, noyb’s version of browser-level privacy control seeks to go further by enabling more granular controls — which it says is necessary to better mesh with the EU’s nuanced legal framework around data protection.

It points out that Article 21(5) of the GDPR already allows for automatic signals from the browser to inform websites in the background whether a user is consenting to data processing or not.

The ePrivacy Regulation proposal, a much delayed reform of the bloc’s rules around electronic privacy, has also included such a provision.

However, noyb says development to establish such a signal hasn’t happened yet — suggesting that cynically manipulative consent management platforms may well have been hampering privacy-focused innovation.

But it also sees a chance for the necessary momentum to build behind the idea.

For example, it points to how Apple has recently been dialling up the notification and control it offers users of its mobile platform, iOS, to allow people to both know which third-party apps want to track them and allow or deny access to their data — including giving users a super simple “deny all third-party tracking” option backed into iOS’ settings.

So, why should internet users who happen to be browsing on a desktop device not have a set of similarly advanced privacy controls too?

EU lawmakers are also still debating the ePrivacy Regulation reform — which deals centrally with cookies — so the campaign group wants to demonstrate how automated control tech could be a key piece of the answer to so-called “cookie consent fatigue”; by giving users a modern toolset to shrink consent friction without compromising their ability to control what happens with their data.

In order to work as intended automated signals would need to be legally binding (to prevent adtech companies just ignoring them) — and having a clear legal basis set out in the ePrivacy Regulation is one way that could happen within fairly short order.

The chance at least is there.

There have been concerns that the ePrivacy reform — which was stalled for years — could end up weakening the EU’s data protection framework in the face of massive adtech industry lobbying. And the negotiation process to reach a final text remains ongoing. So it’s still not clear where it’s going to end up.

But, earlier this year, the European Council agreed its negotiating mandate with the other EU institutions. And, on cookies, the Council said they want companies to find ways to reduce “cookie consent fatigue” among users — such as by whitelisting types of cookies/providers in their browser settings. So there is at least a potential path to legislate for an effective browser-level control layer in Europe.

For now, noyb has published a prototype and a technology specification for what it’s calling the ADPC (aka Advanced Data Protection Control). The work on the framework has been carried out by noyb working with the Sustainable Computing Lab at the Vienna University of Economics and Business.

The proposal envisages web pages sending privacy requests in a machine-readable way and the ADPC allowing the response to be transmitted using header signals or via JavaScript. Noyb likens the intelligent management of queries and automatic responses such a system could support to an email spam filter.

Commenting in a statement, chairman Max Schrems said: “For Europe, we need more than just an ‘opt-out’ so that it fits into our legal framework. That’s why we call the prototype ‘Advanced’ Data Protection Control, because it’s much more flexible and specific than previous approaches.

“ADPC allows intelligent management of privacy requests. A user could say, for example, ‘please ask me only after I’ve been to the site several times’ or ‘ask me again after 3 months.’ It is also possible to answer similar requests centrally. ADPC thus allows the flood of data requests to be managed in a meaningful way.

“With ADPC, we also want to show the European legislator that such a signal is feasible and brings advantages for all sides,” he added. “We hope that the negotiators of the member states and the European Parliament will ensure a solid legal basis here, which could be applicable law in a short time. What California has done already, the EU should be able to do as well.”

The Commission has been contacted for comment on noyb’s ADPC. Update: A Commission official told us it’s currently assessing the proposal made by noyb, adding that one of the objectives of the ePrivacy Regulation is to reduce the number of requests for cookie consent, to make them less burdensome, and to avoid the phenomenon of ‘consent fatigue’. 

The official also said it’s important to address this issue in a way that respects the end-user’s control of the equipment, adding that the Commission is also looking into additional suggestions presented by stakeholders and experts.

While there are wider industry shifts afoot to depreciate tracking cookies altogether — with Google proposing to replace current adtech infrastructure supported by Chrome with an alternative stack of (it claims) more privacy respecting alternatives (aka its Privacy Sandbox) — there’s still plenty of uncertainty over what will ultimately happen to third-party cookies.

Google’s move to end support for tracking cookies is being closely scrutinized by regional antitrust regulators. And just last week the U.K.’s Competition and Markets Authority (CMA), which is investigating a number of complaints about the plan, said it’s minded to accept concessions from Google that would mean the regulator could order it not to switch off tracking cookies.

Moreover, even if tracking cookies do finally crumble there is still the question of what exactly they get replaced with — and how alternative adtech infrastructure could impact user privacy?

Google’s so-called “Privacy Sandbox” proposal to target ads at cohorts of users (based on bucketed “interests” its technology will assign them via on-device analysis of their browsing habits) has raised fresh concerns about the risks of exploitative and predatory advertising. So it may be no less important for users to have meaningful browser-level controls over their privacy choices in the future — even if the tracking cookie itself goes away.

A browser-level signal could offer a way for a web user to say “no” to being stuck in an “interest bucket” for ad targeting purposes, for example — signalling that they prefer to see only contextual ads instead, say.

tl;dr: The issue of consent does not only affect cookies — and it’s telling that Google has avoided running the first trials of its replacement tech for tracking cookies (FLoCs, or federated learning of cohorts) in Europe.