Multiple data privacy advocates have criticised plans in the UK to replace cookie consent pop-ups with an “opt-out model”, which they believe will do more damage than good.
In an email exchange with TechRadar Pro, Jon Callas of the Electronic Frontier Foundation described the plans as inherently flawed. “A good privacy regime needs to revolve around opting-in, rather than opting out,” he said. “The responsible thing is to ask, to get permission from someone before they are surveilled.”
These concerns were echoed by a spokesperson from privacy software company Brave, who acknowledged that the current system needs reform, but warned the new proposals will remove an important safety net. “This may lead to users being opted-in to privacy-eroding practices. We believe the proposals are likely to lead to more tracking and privacy harms, not less,” they told us.
UK data collection reform
The UK government announced plans earlier this week to replace cookie consent pop-ups with a new system that it hopes will improve the user experience while preserving the ability to shield against invasions of privacy.
Under these new plans, website owners will be able to deploy cookies without seeking express consent from visitors, but only “non-intrusive” varieties that do not facilitate the “micro-targeting of advertisements”.
Cookie consent banners will be replaced with what the government describes as an “opt-out model for consent”, whereby web users define their data collection preferences in advance via new “browser-based solutions”.
“We want to create a framework which empowers citizens through the responsible use of personal data. Our reforms will give individuals greater clarity over their rights and a clearer sense of how to determine access to and benefit from their own data,” the report explained.
However, both the EFF and Brave have criticised multiple facets of the proposal. Callas, for example, takes issue with the characterization of some cookies as necessary and others as not; there should be no such thing as an unnecessary cookie, he argues, and certainly not one that is deployed without express permission.
“Part of the issue is brought up in the government website itself, [which] has on it a pop-up that has an opt-out for unnecessary cookies. If they’re unnecessary, then they shouldn’t be used,” he said.
“This is why I think it should be opt-in, rather than opt-out…If [cookies] benefit someone who isn’t us, I think they should get our permission first.”
Brave, meanwhile, is concerned with the limited scope of the reform, which appears to treat cookies as the exclusive means by which companies collect web activity data.
“Privacy harms of online tracking are not limited to cookies so we would wish to understand what the government and the regulator propose, especially with regards to a browser-based signal,” the company said.
“We would welcome the latter so long as there was clear and precise agreement on the default setting for the signal and its specific purpose and how it will be enforced in law. We recall the unfortunate failure of Do Not Track (DNT) signal.”
The position of lawmakers is an unenviable one, caught in a bind by the need to balance the usability of the web, interests of businesses and consumer rights. However, it would appear the latest reform proposals raise as many questions as they answer.
TechRadar Pro has asked the Department for Digital, Culture, Media and Sports (DCMS) for a response to these concerns.