Cookie banners and personal data use remain highly controversial, with the ICO and privacy activists on the warpath. Does the EU have a solution with their new Cookie Pledge?

For an industry worth $300Bn each year, the launch of CyberPunk in 2020 was a big deal in gaming, involving the talents of Keanu Reeves, Idris Elba and others. The new title was widely predicted to set the bar for user experience, and stores stocked up on extra copies and merchandise. 

On launch, it quickly became clear this creation was still half-baked. The game was glitchy, code crashed at crucial moments and Sony pulled it from sale in the Playstation store; an industry first, for all the wrong reasons. 

Following this disaster, the developers reworked the entire game and launched an update nearly 2 years later. This packed in fixes and features which should have been in the original, giving the game a new lease of life, but at huge cost. It’s now unlikely we’ll see Sony or others approach such an ambitious project again. 

The humble cookie banner has been around for much longer in one form or another, and while a now-familiar piece of internet street furniture, there’s little excitement about what it offers in terms of control and usability when it comes to personal data, and zero chance of celebrity endorsement. 

In fact, while cookie banners have grown larger, more complex and persistent regulators remain concerned that most firms aren’t complying with the letter and spirit of the law, and aren’t offering users informed, and freely given consent.

In the UK, the ICO has contacted the top 100 websites, challenging them to fix their advertising cookies and announced a Hackathon to explore how AI could help build a better cookie audit solution. 

As someone deeply involved in PrivTech and the first wave of products around web compliance, I’ve long wished for a cookie banner ‘redux’ in terms of approach, UX and effectiveness similar to the revamp Sony gave their troubled game. 

The challenge is we are dealing not with a single product but a complex ecosystem of actors for whom the third-party cookie, despite facing deprecation by Google later this year continues to play a central role. 

The EU has taken a coordinated reponse which accepts the cookie banner as the industry-accepted medium for control, but aims to get it working a lot harder. To this end, in 2023 they introduced the Cookie Pledge, to bring key stakeholders of the online advertising industry to make commitments to clarity and address growing ‘cookie fatigue’ among users. 

While currently voluntary, it’s been clearly signalled this may be a prelude to mandatory measures which could be included in upcoming regulations such as the Digital Fairness Act. 

At its heart, the pledge is for companies to limit the amount of text people must digest so they can provide informed consent, create a second layer of information in the banner and further unbundle functional, from advertising cookies. The EU also wants websites to remember users’ choices where consent is not given, for up to one year. 

While I wholeheartedly agree with the principle of giving consumers more choice, I am concerned with other aspects of the Pledge: in particular, the requirement to explain the business model behind companies dropping advertising cookies. 

With many companies’ business models being highly complex, even to those working in the industry, I fear this will go over a lot of people’s heads and add to cookie confusion. While it was relatively easy to apply ICC risk categories to basic types of cookies, a scheme for businesses would require detailed preparation, and regulatory supervision in terms of who fits each category, and how often this is reviewed.  

The Pledge also wants to offer choice between behavioural advertising-funded, data-driven businesses and less intrusive alternatives. Again, in theory this is great; but the EU currently only cites contextual advertising (i.e. shed adverts on gardening websites) as an option. This takes us back 20 years in terms of smart marketing, breaks the business model for much of AdTech and the free web we’ve become used to, while leaving out innovative, privacy-centric solutions such as data unions and synthetic data.  

The lines have been set for debate on this issue and trade associations led by FEDMA are doing a good job representing the arguments of advertisers and responsible marketers, who also applaud the spirit of the Cookie Pledge and are actively exploring new solutions to meet the hunger for data. A redux for cookies and cookie banners is certainly overdue, and it looks like consent will feature large in the minds of policymakers, regulators and industry for the rest of 2024 and beyond…