CookieLaw Blog August 14, 2012

Consent, Choice and Online Privacy

We have already seen over the last few months how difficult it can be to relate the word of law to the practical reality of life online.

There can be little doubt that the way many website owners have chosen to comply with the changes in the law on cookies, at least in the UK, is a long way from what was almost certainly originally intended by the law makers themselves.

It is no surprise really that without more obvious regulatory or consumer pressure, website owners did not want to make significant changes.  We may never know how much lobbying by big data companies had an influence in last minute changes to guidance, but we can be sure that such lobbying went on.

So we have notices that people don’t read, and links to sites about deleting cookies with clumsy browser settings, and the reality is that consumers are no more protected than they were before from having masses of data collected about them without their knowledge, much of which is sold on, re-processed, and served back to them in the form of targeted advertising.

I think to understand why this could happen – you have to go back to the law itself – and in particular the gaps in it.  Much has been said about the issue of consent and whether it need be explicit or obtained prior to processing or not. This was always a crucial issue because it is the need for consent that drives requirements for disclosure about the data being processed, so that people can be assumed to be sufficiently informed for their consent to become valid – you cannot in law consent to something you do not understand, or have not been given sufficient opportunity to understand.

However, by focussing so exclusively on consent, what gets lost is the idea of choice.  On most sites that have ‘complied’, people are not being given any choice except the starkest – to continue or leave.  Yes, they can change their cookie settings in their browser, but this affects all sites, not just the current one.  Also, depending on the settings one chooses – the browser controls can fail to block the activity you want to prevent, or stop some functionality that you would like to have.

Visitor choice, especially dynamic and adaptive choice, should be at the heart of the drive for protecting online privacy.  Without choice, consent is a meaningless concept.

Why don’t people read Ts&Cs on software and web apps?  It may be because they can’t be bothered (some of them are longer than Shakespearean plays, and harder to understand), but it is also largely because in many cases they have no choice.  If you need that software, app, or the use of particular online services – then you have to accept the terms of use.

It’s the same with sites that say ‘by continuing, you are giving your consent’ – the choice being presented is both empty, and more often than not removed before you have a chance to evaluate what kind of choice you want to make.

And yet choice has to be key to both a real increase in privacy, and the perception from visitors that their privacy is respected. 

We have seen recently that giving people choice increases trust, and if people trust you, they are more likely to allow you to collect data about them.  Of course it is also true that increased trust results in increased business.

At the same time, the exercise of choice is also an act of giving consent – as long as it is made clear from the start of the online relationship what the options and consequences are.

I hope that the people working on and contributing to the new EU data protection framework can learn from the experience of the cookie law, and switch their prime focus away from arguments about the meaning of and mechanisms for consent – and instead promote a requirement for privacy choices.  Ideally choices that can be made, changed, and unmade depending on the services on offer, and who is providing them.

Sadly, reading the recently leaked feedback from EU member states – I fear this opportunity might be lost.
