UK wants to replace cookie pop-ups with browser-based opt-outs

The U.K. government has published its final response to a data ‘reform’ consultation it kicked off last year, laying out how it intends to diverge from EU-based data protection rules.

At first pass, it looks like it has stepped away from some of the more extreme ‘reforms’ it had been tossing around — such as removing the right for human review of automated/AI decisions; which the consultation admits was opposed by the “vast majority” of respondents (ergo, the government writes that it “recognises the importance of appropriate safeguards, and will not pursue this proposal”; although it says it’s still considering how to amend Article 22 of the U.K. GDPR — so watch that space).

That said, there are still a lot of potentially wide-ranging amendments being announced in this package — such as a switch to an opt-out model for most online tracking; which the government is spinning as an end to cookie consent pop-ups but which raises plenty of wider questions — and changes to the U.K.’s data protection regulator that could still sum to substantial differences for the rights of citizens, businesses and other types of data processors operating in the country.

There’s plenty more incoming from the U.K. government on the digital policy front too — such as the sprawling Online Safety Bill, which is currently making its way through parliament, and is set to dramatically ramp up compliance demands for all sorts of businesses. So it pays to keep the wider picture in mind as the government spins its pitch of post-Brexit, rebooted data laws that will give British business a “boost” by cutting EU ‘red tape’.

tl;dr plenty of uniquely British red tape is also incoming for your digital operations.

Data Reform Bill

Top line changes the government says it’s moving forward on via the forthcoming Data Reform Bill include amendments to rules around data use for scientific research — which it says will simplify the legal requirements for this sort of processing. (Although the example cited in the departmental press release refers to a machine learning medical research project that’s been undertaken under existing U.K. data rules so 🤷‍♀️.)

“The Data Reform Bill will more clearly define the scope of scientific research and give scientists clarity about when they can obtain user consent to collect or use data for broad research purposes,” writes the Department for Digital, Media, Culture and Sport (DCMS) in its press release. “This removes the need for them to have the ultimate purpose of their research project finalised before collecting data. For example, scientists will be able to rely on the consent a person has given for their data to be used for ‘cancer research’ as opposed to a particular cancer study.”

The government also says it will enact a number of changes around how businesses can use personal data — including removing the need for smaller entities to have a data protection officer (DPO), or to undertake data impact assessments to evaluate risks to potential uses for personal data.

DCMS is projecting savings of more than £1 billion for businesses over ten years as a result of these deregulatory changes to the U.K.’s data protection regime.

It argues the (current) EU framework the U.K. adopted in 2018, when it transposed the bloc’s General Data Protection Regulation (GDPR) into national law, is hamstrung by being “largely one-size-fits all” — which it suggests is especially disadvantageous for small businesses, including startups and scaleups. Hence the reform talks about moving to “an outcomes-based compliance regime for data rights”.

“The government’s new data protection rules will be focused on outcomes to reduce unnecessary burdens on businesses,” says DCMS, dialling up the spin.

“Organisations will still be required to have a privacy management programme to ensure they are accountable for how they process personal data. The same high data protection standards will remain but organisations will have more flexibility to determine how they meet these standards.”

Ofc the devil will be in the detail of what these reforms boil down in practice. And we don’t yet have full detail as that would require sight of the planned legislation which remains pending the government publishing a draft bill. (The government has previously confirmed it will introduce the data reform bill in the current parliamentary session.)

On the planned changes to consent for cookies — which target the universally hated cookie pop-up plague — the response to the consultation sets out a phased ‘reform’ plan; starting with legislating to remove the need for websites to display cookie banners to U.K. residents by permitting cookies (and similar tracking technologies) to be placed on a user’s device without explicit consent “for a small number of other non-intrusive purposes” — whatever that phasing means (an earlier reference in the document talks about scrapping consent to drop cookies for audience measurement purposes, or for detecting faults on an organisation’s website).

But there’s more: “In the future, the government intends to move to an opt-out model of consent for cookies placed by websites. In practice, this would mean cookies could be set without seeking consent but the website must give the web user clear information about how to opt out,” continues the consultation response. “This would allow the government to realise its ambition to improve the user experience and remove the need for unnecessary cookie consent banners. The opt-out model would not apply to websites likely to be accessed by children.”

The government’s — let’s politely call it — ambitious plan here is to convince web browsers and websites to finally make a browser-based ‘do-not-track’ signal fly.

“Responses to the government’s consultation highlighted that users value privacy and want control over how their personal data is used. To address this, the government will work with industry and the regulator on browser-based and similar solutions that will help people manage their cookie and opt-out preferences,” it writes. “The government will take forward proposals that require websites to respect automated signals emitted by these technologies — and will move to an opt-out model of consent for cookies only when the government assesses these solutions are widely available for use.”

DCMS suggests that legislative changes to fully switch the U.K. to an opt-out for online tracking won’t take place until the necessary browser-based “technology” is “effective and readily available so people can set their online cookie preferences to opt out via automated means”.

It doesn’t given any timeframe for when that might be possible but it pays to remember that the original ‘Do Not Track‘ proposal, to offer a convenient, browser-based opt-out from online tracking, dates back to 2009 yet still hasn’t delivered on the dream — thanks to, er, lack of industry support.

Still, the U.K. government is confident that British exceptionalism can finally make it happen for its small island Internet. So full marks for enthusiasm.

Another chunk of the reform is focused on changes to the Information Commission’s Office (ICO), aka the U.K.’s data protection regulator.

Here DCMS’ press release couches the plan as a “modernization” of the Office — such as by adding a chair, chief executive and a board to “make sure it remains an internationally renowned regulator”.

But the government is also planning to require that the Secretary of State approve ICO statutory codes and guidance before they are presented to parliament — and as U.K. policy watchers have quickly pointed out, having a political appointee shape ICO policy doesn’t sound very independent from government… (See also: the Open Rights Group‘s response — which predicts this portion of the bill will “codify cronyism into law”.)

The first big test for the U.K.’s data reform package probably won’t be public opinion — given that data processing is an inherently wonky, complex and abstract topic, and the government is front-loading its PR around the bill with populist talk of killing cookie pop-ups and — in another announcement — cracking down on nuisance calls (by ramping up fines).

No, the big test will be what the EU will do in response. And whether or not what the government is spinning as “Brexit benefits” will result in the U.K. losing its precarious “adequacy” status — which is critical for scores of businesses as it allows the smooth in-flow of personal data from the bloc. And would cost U.K. businesses a lot more than £1BN if it were to be cast into the Brexit abyss.

Just the pure compliance costs of a loss of EU adequacy have been estimated at between £1BN and £1.6BN — so, best case scenario, that potential outcome would immediately gobble up all the ‘red tape’ savings DCMS has attached to the reforms.

The government may be — tacitly — anticipating such an outcome as the reform also talks about “empowering international trade” by striking new “data partnerships”, with priority countries listed as including the United States, Australia, the Republic of Korea and Singapore (only one of which, Korea, has an EU data adequacy agreement).

“The data reforms will support the U.K. government’s ambitions to strike new data partnerships with important economies and improve international data transfers which a number of technologies rely on, such as GPS navigation, smart home technology and content streaming services,” it writes. “The government’s International Data Transfer Expert Council, made up of global experts on data, will play a major role helping the U.K. unlock the benefits of free and secure cross-border data flows.

“The group, which combines world-leading academics, organisations such as the World Economic Forum and the Future of Privacy Forum alongside digital industry figures including Google, Mastercard and Microsoft, will be empowered to remove barriers to data flows and ensure services from smart devices to online banking can be provided more reliably, cheaply and securely.”

Another chunk of the reform is focused on public sector data use and sharing — with the government planning to clarify rules on police use of biometric data, saying it will work with policing authorities to “promote high standards and best practice in the responsible and effective use of new technologies, including supporting the development of policing-led guidance such as new codes of conduct”.

However it has decided not to move forward at this time on boosting algorithmic transparency across the public sector, generally — despite the majority of responses to the government consultation backing a proposal to introduce compulsory transparency reporting on the use of algorithms in decision-making for public sector bodies; and despite the government acknowledging that “increasing transparency of the use of algorithmic tools for decision-making in the public sector is critical for maintaining public trust”; and also despite a UN warning — back in 2018 — over the human rights risks of the Tories’ rush to implement an ‘algorithmic welfare state’.

Why is the government not doing anything on this critical issue? DCMS claims algorithmic transparency standard work is at too “early” a stage to legislate on transparency reporting. But it says it will continue pilots of the standard and gather feedback, claiming that it’s “strongly committed to algorithmic transparency” and will “explore policy enforcement options in the future”.

Commenting on the data reform package in a statement, digital secretary Nadine Dorries said:

Today is an important step in cementing post-Brexit Britain’s position as a science and tech superpower. Our new Data Reform Bill will make it easier for businesses and researchers to unlock the power of data to grow the economy and improve society, but retains our global gold standard for data protection.

Outside of the EU we can ensure people can control their personal data, while preventing businesses, researchers and civil society from being held back by a lack of clarity and cumbersome EU legislation.

In another supporting statement, John Edwards, the U.K.’s information commissioner, gave a rather more cautious assessment of what the reforms will mean in practice — writing:

I share and support the ambition of these reforms. I am pleased to see the government has taken our concerns about independence on board. Data protection law needs to give people confidence to share their information to use the products and services that power our economy and society. The proposed changes will ensure my office can continue to operate as a trusted, fair and impartial regulator, and enable us to be more flexible and target our action in response to the greatest harms.

“We look forward to continuing to work constructively with the government as the proposals are progressed and will continue to monitor how these reforms are expressed in the Bill.

This report was updated with a link to the Open Rights Group’s response to the government’s plans for ‘reforming’ the ICO