back to article UK's cookie crumble: Data watchdog serves up tougher recipe for consent banners

The UK's Information Commissioner's Office (ICO) is getting tough on website design, insisting that opting out of cookies must be as simple as opting in. At question are advertising cookies, where users should be able to "Accept All" advertising cookies or reject them. Users will still see adverts regardless of their selection …

  1. John Robson Silver badge

    .

    I'll not hold my breath

    1. b0llchit Silver badge
      Coat

      Re: .

      Where is that blue icon when you need it?

      Oh sorry, you're still breathing, red icon, I mean, of course.

      --> Green icon, for RGB completeness.

  2. Anonymous Coward
    Anonymous Coward

    I would like to hope that it would contributes something to improve the current insanity of 'legitimate interest' cookies. If they're truly legitimate then it should be trivial to turn them off rather than the song and dance you have to go through finding all of them...

    1. OhForF' Silver badge
      Headmaster

      If they are truly "legitimate interest" they don't need our consent to use them and it would be good enough to inform us what they store and the purpose they are using it for. Anything that needs consent is not leigtiamte interest.

      1. monty75

        That’s the point. By claiming legitimate interest they make them opt-out which is the opposite of what they’re supposed to be.

  3. Tubz Silver badge

    See what happens at The Daily Mail, in my opinion one of the worst to use the UI of one button to accept all, or separate pages of sliders to individually reject each advertising partner and there is a lot of them wishing to track you. ICO is right, if you can do a button to accept all, you can do one for reject all and reject should always be the default option.

    1. captain veg Silver badge

      too many words

      See what happens at The Daily Mail, in my opinion one of the worst.

      You can leave it at that.

      -A.

    2. Greybearded old scrote

      The mobile vesion of TVTropes is a shocker too. I don't see the consent form on my desktop somehow.

    3. Mike 137 Silver badge

      " reject should always be the default option"

      Indeed it should. I've made this point several times to the relevant govt. committees and been ignored every time. The whole issue of cookie banners has an entirely wrong emphasis. Often, intrusive banners are used to block access to content until a decision has been obtained, with the default being all cookies accepted. That's not offering choice, it's coercion pure and simple. The law does not require banners -- indeed the law requires that there should be no loss of service relating to cookie acceptance or not (and by inference that means relating to the choice process itself). But the regulator just ignores this aspect of the problem.

      The ideal situation would be no cookies by default and a reasonably sized non-intrusive option button or link for use by those who might want to accept. But that will of course never come about because practically nobody would accept if given a fair choice. And by the way, the law does not apply solely and literally to cookies -- it applies to all tracking devices and methods but we never get given the option to accept or reject javascript trackers for example, although they can be far more intrusive than cookies, and many web sites fail to operate at all if scripting is turned off, thereby effectively forcing us to accept being tracked. Yet another thing the regulator has failed to act upon.

  4. Greybearded old scrote
    Thumb Up

    About time too

    Has the ICO just aquired a new boss or something? One who knows where their gonads are?

    To me there is no excuse for any more than a session cookie if you are logged in.

    Then let's remember that GDPR is about tracking, not just cookies. How do we detect and punish the passive tracking?

    1. Pete Sdev

      Re: About time too

      Somewhat ironically, you need to set a cookie to know that the visitor has given their cookie preferences, even if that's none non-essential.

      1. OhForF' Silver badge

        Re: About time too

        Using that logic the way to comply is to only set a consent cookie after the visitor has opted in to non functional cookies and not set any other non-essential cookies if that cookie is not present.

    2. Mike 137 Silver badge

      Re: About time too

      "Then let's remember that GDPR is about tracking

      Actually it's PECR (the privacy and e-commerce regulations). The GDPR is silent on online tracking.

  5. alain williams Silver badge

    Next should be non consentual email

    I am pissed off at my bank, Nat West, they keep on sending me spam. The latest "Alain fancy winning £10,000 this holiday season? T&Cs apply".

    They need to have my email address. I never, as far as I am aware, agreed to receive this stuff, I have replied asking them to stop sending it.

    I wonder if the ICO would do anything about this ?

    1. Stratman

      Re: Next should be non consentual email

      They need to have my email address. I never, as far as I am aware, agreed to receive this stuff, I have replied asking them to stop sending it.

      I wonder if the ICO would do anything about this ?

      Have you tried asking it?

    2. elsergiovolador Silver badge

      Re: Next should be non consentual email

      Most likely they will tell you to switch the bank...

    3. AndrueC Silver badge
      Stop

      Re: Next should be non consentual email

      I am pissed off at my bank, Nat West, they keep on sending me spam.

      How do you know it's actually them? It is trivially easy to fake emails. If it really is them then GDPR means that there has to be a way for you to opt out of it. Check their website for contact preferences. If you have told them you don't want marketing related emails and they are still sending them then you need to start threatening them with GDPR.

      1. alain williams Silver badge

        Re: Next should be non consentual email

        How do you know it's actually them? It is trivially easy to fake emails.

        It is them, I checked the headers & IP addresses.

    4. Happy_Jack

      Re: Next should be non consentual email

      There is no bank called Nat West, so it must be a scam. There is a similar sounding bank called NatWest. These differences are important if you want to be safe online.

    5. Ian 55

      Re: Next should be non consentual email

      I left NatWest after their IT failed around 2012 and customers' payments were missing for a couple of days. I was glad I had when they had similar problems again and again.

      I recently took the £200 bribe to try them again, and it quickly became clear that £200 wasn't enough in exchange for the pain. The NatWest experience was bad and it's now *terrible*.

      Ditch them.

      First Direct's phone service is great and they'll bribe you to switch. Starling's app is great and they do not need to bribe people to switch. Other banks exist.

  6. MJI Silver badge

    Adverts on sites are so easy

    Tailor them for the site, not the user.

    They do not need to know the user, just that an advert is relevent to the site.

    eg Hifi site - turntables

    Food lover site - high end ingredients

    Car site - tyres

    Just do that no problems.

    1. captain veg Silver badge

      Re: Adverts on sites are so easy

      Tracking lets them see that you've been to one of those specialist sites and then show you adverts somewhere that's cheaper.

      -A.

    2. Greybearded old scrote

      Re: Adverts on sites are so easy

      Yes, and a few years ago it was found to bring in more income. The ad duopoly are taking 51% of the advertising fee after all.

      Hey ElReg, fancy having a stab at doubling your profit?

      1. katrinab Silver badge
        WTF?

        Re: Adverts on sites are so easy

        Traditional TV and newspaper ads brought in way more money, and there was no possibility of viewer / reader tracking there

        1. captain veg Silver badge

          Re: Adverts on sites are so easy

          Additionally, and not coincidentally, the publishers had to insert the ads themselves. This gave an opportunity to ensure minimum production values and that the content fitted editorially.

          Online advertising, as currently construed, gives precisely zero control to the publisher over what is embedded in their publications. Can you tell?

          Publishers should go back to selling ad space themselves. They should serve it themselves, and assume responsibility for it. In return they can take back control over their ratecards.

          -A.

        2. JulieM Silver badge

          Re: Adverts on sites are so easy

          Also, when you see an advert in a newspaper or on TV, everybody really is seeing the same advert.

          When you see an advert on the Internet, other people looking at the same website with the same non-advertising content probably are seeing different adverts. And if your racist uncle sees some sentiment being expressed in an advertisement that he would have expected to make the usual suspects scream blue murder, yet they do not seem to be complaining about it, that might not be because it's socially-acceptable after all, but because the advert was deliberately targeted away from anyone the advertisers think might be likely to complain about it .....

  7. Fazal Majid

    Global Provacy Control

    Global Privacy Control (GPC) is essentially the old Do-Not-Track header, only this time wiht force of law. It is already mandatory in California, and the EU is considering it. One browser setting to automatically reject all cookie banners. The UK should also endorse this. Of course this does not preclude enforcement against dark patterns like not having a "Reject All" button as prominent as the "Accept All" one, or making unsubscribing harder than joining.

  8. JulieM Silver badge

    Legitimate Interest

    "Legitimate interest" is the worst, especially when they default to "on" and there is no "object to all" function, but this method usually works to turn them all off:

    Open developer tools (command+option+I on Mac, f12 on Linux and Windows) and select Console.

    Type the following at the console prompt (NB, capitalisation-sensitive):

    Z=document.getElementsByTagName("input")

    (it should say something like "HTMLCollection" and a list of input elements)

    for (i=0;i<Z.length;++i) Z[i].checked=false

    (all the switches shown on screen should turn off)

    Save your preferences and close the developer tools.

    1. OhForF' Silver badge

      Re: Legitimate Interest

      My usual reaction to those sites with > 5 "legitimate interest" (partner) tracking choices defaulting to opt-in is to leave the site for good.

      Even though it would not make much difference as my browser is set up to only keep cookies for the session duration and clean all of them when i close the browser.

    2. b0llchit Silver badge
      Devil

      Re: Legitimate Interest

      But it says in the dialog:

      • A sites: No, you will not be not tracked when not checked on the check.
      • B sites: No, you will not be not tracked when check not checked.
      • C sites: No, you will not be tracked when not check is not checked not.
      • D sites: No, you will not be not tracked not when you not check not checked.
      • E sites: Yes, you will not be not tracked when you don't ask and don't tell.

      What do I check and not check? It is legitimately interesting tracking you. Don't you not think so too?

      1. JulieM Silver badge

        Re: Legitimate Interest

        Honestly, if you have sufficiently powerful hardware, it's probably best just to spin up a whole brand new, disposable VM every day, and create a new user for any site you really don't trust.

        It all feels more than a little bit like keeping rice from sticking by cooking each grain in a separate pot; but you really don't know what's going on out there, and it's probably better safe than sorry.

  9. Anonymous Coward
    Anonymous Coward

    30 days to get compliant with tracking rules or face enforcement action

    i.e. writing a letter to tell them about enforcement action.

    1. Johnb89

      Re: 30 days to get compliant with tracking rules or face enforcement action

      Hey, that's a Strongly Worded Letter, if you don't mind. And if that doesn't work, the threat of a Very Strongly Worded Letter.

      1. Arthur the cat Silver badge
        Devil

        Re: 30 days to get compliant with tracking rules or face enforcement action

        Hey, that's a Strongly Worded Letter, if you don't mind. And if that doesn't work, the threat of a Very Strongly Worded Letter.

        The only way to make it count is to ensure the board has skin in the game. If the Strongly Worded Letter doesn't work, follow it up with ninja assassins to take out the entire board. A couple of firms suffering decapitation strikes(*) would encourage the others(**) wonderfully.

        (*) Literally as well as figuratively :-)

        (**) Thank you, M. François-Marie Arouet.

        1. Ian 55

          Re: 30 days to get compliant with tracking rules or face enforcement action

          In the 19th C, Punch suggested that a rash of insurance companies failing could be stopped by announcing that all the directors of the next one to fail would be hanged.

          Worth trying, once updated a bit.

  10. ChipsforBreakfast

    It's all in the browser

    Cookies can be tamed in the browser, if the browser makers decide to. Some are clearly more likely to do that than others - the big players won't do anything that hurts their ad revenue (Apple, Google, Microsoft I'm looking at you here!) but it's perfectly possible.

    Waterfox does a pretty good job of it out of the box, firefox can be configured to do it fairly easily too. Increasingly users are getting fed up of being seen as the product and are turning more & more to technical countermeasures to take back control of their personal data - just look at the number of people using ad-blockers now.

    Advertisers & data brokers are driving this - they seem to have completely failed to understand that consumers simply DO NOT WANT to be tracked, analyzed, catalogued and fed a curated diet of crap to inflate corporate profits. They miss the point that what I'm looking for now is NOT what I want to see in adverts several hours later - by then there's a damn good chance I'll have found it & bought it so their profiling is worse that useless, it's actually annoying. Annoying enough that I, and many more, are reacting to it negatively and in at least some cases coming away with a negative view of the brands involved.

    When brands go to war with their customers the brand always loses.

    1. Anonymous Coward
      Anonymous Coward

      Re: It's all in the browser

      what I'm looking for now is NOT what I want to see in adverts several hours later

      Exactly, once I have bought my H-bomb I don't need to see adverts for it later on.

      (I only expect that it is not delivered by plane)

  11. The commentard formerly known as Mister_C Silver badge
    FAIL

    Oh, the irony

    I've got a banner showing on my screen that says "Oh no, you're thinking, yet another cookie pop-up. Well, sorry, it's the law." It has a button to "Accept All Cookies" and another to "Customize Settings". The latter leads to a banner that has all but Necessary unchecked and an "Accept Selected" button. Opting out requires TWO CLICKS and two screens, opting in only requires one click. I know the cookie issue for the site in question has been commented on before on this site because I loved the irony then just as I love the irony now.

    Anybody care to take a guess at the formerly British now American tech news website I'm referring to?

    1. captain veg Silver badge

      Re: Oh, the irony

      Another irony is that, because I configured my browser to chuck away all cookies on session end, I have to perform this malarkey every day.

      -A.

  12. David-M

    'No' to cookie requests!

    I don't want to have to click to reply about cookies for every single site I visit. It destroys the web.

    Just give us some detailed browser settings that the website interrogates and then follows in 99% of cases.

    Anyone with illegitimate intentions is going to ignore what we want anyway.

    d

  13. Anonymous Coward
    Anonymous Coward

    The “FO” option

    One switch to purge them all.

  14. Big_Boomer

    TANSTAAFL

    The bottom line of this is money. You want a free access website, so the site deploys adverts to earn enough to provide that "free" access and to make a profit. The advertisers want to know if their adverts are effective (value for money) on the site so they want ways of finding out how many of your sites users have bought or considered buying their product. This requires some form of tracking as otherwise there would be no way of knowing if their advert spend was worth the effort. The alternative is pretty bad as advertisers will either stop advertising on a site or else reduce their spend there if they don't think they are getting value for money. Over time that tracking got used for other purposes like targeted advertising. I've never been a fan of advertising or tracking and the attitude (greed) of some sites and advertisers makes me avoid them like the plague, but beware of what you wish for as when enough people block all ads those "free" sites are soon going to disappear. Yes, you have a right to privacy but the site you are accessing has a right to earn an income and that money has to come from somewhere.

    1. Ian 55

      Re: TANSTAAFL

      The problem is that the stats are usually completely wrong because of things like click fraud.

      When I used to buy advertising, I could call the print publications I wanted to advertise in, negotiate a good price and be sure that they shifted so many print copies of something I knew my targets would read and the ad would appear in just the pages they would look at.

      If I bought advertising online now, I'd doubtless..

      .. end up next to something praising Hitler on Twitter

      .. pay for something 'seen' by the webspider bots of a Chinese search engine company

      .. encourage a site whose owner doesn't have 'enabling genocide' as one of his biggest regrets, despite having done just that

      .. be blocked by anyone with a clue.

  15. jdiebdhidbsusbvwbsidnsoskebid Silver badge

    Why 30 days?

    Why give them more time to come into line with the law they have been breaking for years already? Just prosecute now.

    If you confront a serial offender, it doesn't seem right to say "you've got 30 days to stop or we'll prosecute"

    I can only assume there is some legal hoop they (the ICO) have to jump through by giving notice.

  16. me_and

    Oh dear

    El Reg isn't exactly a beacon of shining light here. Two buttons: I can "Accept All Cookies", or, if I want "more info and to customizer [my] settings, there's a different button for that.

    Granted the additional settings aren't a maze of millions of sliders, but it's still actively more difficult to opt out than opt in.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like