ICO’s call to tackle ‘cookie fatigue’ through browser-level controls unleashes public criticism but is a serious issue
13 Sep, 2021


The UK’s Data Protection Chief, Elizabeth Denham, recently announced ICO plans for browser-level privacy controls to tackle ‘cookie fatigue’ from countless cookie pop-ups in countries where online tracking needs to be actively consented to by a user. At a meeting with the G7's data protection and privacy authorities, Denham urged them to work together on this ‘idea’ for a greater impact.

Denham’s Statement

Elizabeth Denham said in the watchdog’s press release: “I often hear people say they are tired of having to engage with so many cookie pop-ups. That fatigue is leading to people giving more personal data than they would like. The cookie mechanism is also far from ideal for businesses and other organisations running websites, as it is costly and it can lead to poor user experience. While I expect businesses to comply with current laws, my office is encouraging international collaboration to bring practical solutions in this area.”

One would think that this is a great initiative by the ICO and that the public would meet it with rejoicing, but the actual reaction was far from it: data privacy advocates, as well as various outlets such as TechCrunch, responded with criticism. While a lot of it is just noise, the main critique boils down to the ICO’s (and other authorities’) failure of enforcement around cookie consent breaches. It’s still the wild west, where everyone is doing essentially what they want.

Companies keep using cookie banners that don’t comply with the PECR and GDPR requirements. For many, the ICO’s suggestion that the G7 “work together” to find a more user-centric solution to manage privacy settings is a joke and the wrong issue to focus on, as it won’t change anything if companies don’t comply in the first place.

Industry Reaction

A TechCrunch article lets critique rain on the ICO and the GDPR. While some of it gives a good overview of what is happening in the cookie consent world and beyond, it’s better to read it with a pinch of salt. Some of the allegations seem a bit far-fetched, such as the assumption that Denham may be doing all of this only to advance her own career as she is about to step out of the Information Commissioner’s chair. That is out of context, especially if you read the ICO’s press release, which explains that the purpose of this meeting was “for every G7 authority to present a specific technology or innovation issue they believe closer cooperation is needed”.

The issue of ‘cookie fatigue’ is the ICO’s choice of topic, and Denham is the messenger. The meeting itself had little to do with the fact that various authorities seem to be overwhelmed in their role and responsibility of, well, actually regulating and enforcing the law. A better-placed critique may be that ‘enforcement struggle’ should be the topic of the next G7 meeting, together with a suggestion to have a greater mix of talent within regulating bodies. Authorities are often largely staffed with people from academia and politics. While this comes with the nature of the purpose, a few more ‘doers’ in the driver's seat could help put ideas into action faster and more efficiently.

Of course, the frustration among privacy professionals and data protection activists over the lack of enforcement is real and understandable, but the regulation is much more than that. Businesses don’t make efforts to comply with the GDPR out of fear of getting fined; instead, they start to see “compliance and transparency” as an opportunity to build trust with their customers and to grow.

This doesn’t mean the ICO should just lean back and chill. Enforcement is needed to penalise those who largely infringe privacy rights to fill their pockets, but at the same time it’s also true that we need better solutions to make data privacy management online easier for the end user. Or simply put, for you and me.

People get tired of constant consent pop-ups, which can lead to “just accepting it” because you want to get on with your work or the reason you visited a certain website in the first place. The ICO is recognising this problem and is asking the G7 authorities to work together and make an impact in “supporting technology firms and standards organisations to further develop and roll out privacy-oriented solutions to this issue.”

Our Conclusion

That statement in the watchdog's press release is something that excites us at Palqee. Critics were at it again, saying that all the ICO presented is an ‘idea’ without any tangible suggestions on how this could look or work from a technical perspective. But the ICO is not suggesting that it build the solution itself; it is saying it wants to support and work together with organisations to offer those solutions.

For privacy technology companies like Palqee, it is great news to see authorities more openly looking to collaborate and work with the industry. Quite frankly, we need much more of that so the GDPR becomes less of a ‘penalty instrument’ led and managed by 'the one authority' in each country and more of an operationalised best practice that countries outside of the EU and UK take as an example for excellent ethical data management operations. It’s a necessity as we move into the next phase of technology innovation driven by machine learning, robotics and AI.

When we founded Palqee, it was out of the inspiration to make data privacy management accessible for everyone - individuals and businesses alike - and way beyond just taming the cookie-consent beast for web users. We are creating a simple way to manage your digital footprint through a single platform and enable direct and transparent engagement with every entity you share your data with. Trust in the data economy is quintessential for the advancement of technology and, for example, a key reason why the EU is working on implementing the AIA, or Artificial Intelligence Act. The quicker we can shift from harvesting as much data as we can for profit to utilising data when it’s of the most value to the data owner for mutual benefit, the better. Industry can’t do it alone and regulators can’t do it alone either.

Online tracking is a highly discussed topic and there are many aspects of websites that need attention, like usability and user experience. The reason people just ‘accept away’ is that the management of data is too complicated. In the digital world we need easy solutions and controls. Just as we search for data using Google in an instant, we need to be able to protect our data in an instant.

For this to happen, it first requires that businesses have a platform that empowers efficient and transparent personal data management integrated into their operations. Secondly, it requires a user application that builds a direct connection with businesses for easy user controls, automated data updates and privacy preferences management, including online tracking.

There is lots of exciting stuff happening in the field, and at Palqee we’re working towards our vision of building such an ecosystem. So while authorities still need to up their game, the implementation of best practices in data privacy is not the responsibility of one but of everyone, and just handing out criticism and pointing fingers won't take us there.
