The cookie law needs to be amended, the British Information Commissioner has advised the EU, which is examining whether to tweak the ePrivacy Directive alongside wider data regulation changes.
Four years ago, the Information Commissioner's Office (ICO) ordered websites to warn users when they use cookies, code that tracks people as they move around a site and the wider web. The rule meant web users must click away a banner warning about cookie use when they visit a site for the first time, as the vast majority of websites use cookies in some way.
The ICO's submission to the EU's consultation on the issue says the rules should be tweaked to "achieve a proportionate balance" between privacy rights and "legitimate interests of information society services".
It suggested the consent model - which has led to the proliferation of nagging cookie warning banners - may not the best method. "There is a case for an exemption or an alternative basis for processing other than consent, particularly in cases where the privacy impact on the individual is minimal," the ICO submission notes.
It added: "Requiring consent for the processing of personal data has not delivered the expected protection for individuals because some personal data must be processed in order for the consent mechanism to operate." In other words, the warning banners themselves use cookies.
The ICO disagreed with a proposal from the EU to require websites to offer a cookie-free version of their content, as anyone who doesn't want a cookie placed on their device has no option but to stop viewing the page.
"Revised e-Privacy rules should avoid dictating business models, especially where there is minimal privacy impact for the individual," the ICO noted.
The EU consultation closed on 5 July, and a new legislative proposal on ePrivacy is expected before the end of this year.
While the UK has voted to leave the EU, we'll still have to adhere to its data protection laws, the ICO said, in order to continue trading and operating with member states.
