Pop-ups are dead, long live pop-ups: or, the bait-and-switch hidden in today’s cookie announcement

Privacy / UK policy

Today is going to be the day that you read a lot about the UK’s intention to kill cookie pop-ups as part of its post-Brexit Data Reform Bill. By now you will probably have realised that there’s a bit more to it than that, and that your work is not set to get any easier.

So settle in for 3,000 words or so explaining what’s ahead for you, and the way you build things, here in the sunlit uplands.

The news you’re hearing today is not the draft Bill itself, but the press campaign around the release of the response to government’s consultation on “Data: A New Direction” from last Autumn. You’re probably not up for reading that on a Friday, though, so you can read any number of news stories summarising the planned changes, like this one from Bloomberg:

A planned Data Reform Bill will cut “burdens on businesses to deliver around £1 billion ($1.23 billion) in cost savings” over ten years, the Department for Digital, Culture, Media and Sport said in a statement summarizing the legislation Thursday. 

The announcement criticized the EU’s “highly complex” General Data Protection Regulation and promised a “clampdown on bureaucracy, red tape and pointless paperwork” to “seize the benefits of Brexit.”

Small British businesses will no longer be required to have a data protection officer and fill out “lengthy impact assessments.”  Internet users will be given the option to opt-out rather than needing to opt-in for the collection of cookies — which track users around the internet. The government said the change will cut down on “the irritating boxes users currently see on every website”.

The government will also be able to exert more control over the country’s data watchdog, the Information Commissioner’s Office. Culture Secretary Nadine Dorries will have to approve its statutory codes and guidance before they are presented to Parliament.

A DCMS spokeswoman didn’t immediately respond to a request for comment on maintaining a “data adequacy” arrangement.

The first thing that jumped out at me in the announcement was the c-word. The headline in the official DCMS press release was “New data laws to boost British business, protect consumers, and seize the benefits of Brexit.” It turns out the blog post I wrote on Monday, where I discussed how government is shifting its language from describing us as people with data rights to consumers with contracts, was spot on. You’ll understand if I’m not gloating.

As with any government announcement in 2022, the press release had a lot of red meat for pensioners (“fines for firms hounding people with nuisance calls!”) as well as for the red tops (“a clampdown on bureaucracy, red tape, and pointless paperwork” to “seize the benefits of Brexit!”).

But outside of that low-hanging fruit, the only area of this announcement which will receive any sort of attention outside the tech press is the intention to get rid of cookie pop-ups.

Yes, those. As we’ve known for a good while now, and as the announcement states, the Data Reform Bill will shift the responsibility for consent popups from service providers to browsers.

(You need to stay with this narrative for a while, because that isn’t as technically simple as it sounds.)

So, aye. Yay. No more popups! Yay! Everyone hates them! I do! You do! Everyone does!

But. And it’s a big but.

I need you to keep reading the fine print, in that government announcement.

And I need you to keep reading the fine print in other government announcements on tech and digital.

Because the pop-ups are just getting started.

Say that again?

You cannot read this press release, and consider the legislative overhaul planned for the Data Reform Bill, in a policy bubble. You have to look at it in the context of the bigger picture, and that picture is the Online Safety Bill.

And wait until you hear about those pop-ups.

I have been trying to write a post about your compliance obligations, as well as the staggering compliance costs being placed onto you, which businesses – and not just Big Tech, that means you too – will be facing under the Online Safety Bill. It’s taking me forever to write it, because the requirements are that insanely complicated, trying to keep them straight is that nigh impossible, and the sheer technical dystopia of all of it sends me outside into the garden to breathe some fresh air – and that’s said as someone whose professional life has been consumed by this Bill for three years.

For the purposes of today’s announcement, though, I’m going to tease out just one aspect of those compliance obligations, and those compliance costs.

So if you work in any sort of tech or digital related role, and the work you put into the world can be viewed, or accessed, by anyone of any age in the UK, and you are (rightfully) celebrating the loss of the cookie popups, I need you to do me a favour and drop the balloons and party streamers and sit down.

And listen.

Pop-ups, but British ones.

Preamble: you’ll be aware that the UK’s Online Safety Bill has been promoted as a piece of big tech/social media legislation, but it is not. It will impact any company or project of any size, nature, location, or business model which has user-generated content on it or allows humans to interact with other humans. So if your site, service or app is anything other than a promotional portfolio web 1.0 site, or a blog like this here blog that only allows comments, you’re in scope. If you weren’t aware of that, you are now. Enough of the preamble, let’s amble.

As it has been drafted, the Online Safety Bill will require all services plying their trade online – no matter what they do, no matter where they’re located, no matter how small they are, no matter what they’re trying to put right in the world  – to know the ages of all their visitors or users, in order to determine which of the users are children, in order to determine whether or not the service must be made “child-safe” per the Bill’s other requirements.

As it has been drafted, the Bill states that the only way a service can know for certain that children are not accessing it, is if that service is checking everybody’s IDs at the door:

A provider is only entitled to conclude that it is not possible for children to access a service, or a part of it, if there are systems or processes in place (for example, age verification, or another means of age assurance) that achieve the result that children are not normally able to access the service or that part of it.

In that way, the Bill almost ingeniously does not mandate age verification for content screening and filtering purposes, but rather requires it as an administrative compliance obligation.

(Wonks: you’ll find this all in the draft Bill, Part 3 Chapter 2 Clause 11).

The expectation is that any service in scope, i.e. you, would install a third-party age verification or age assurance system, chosen from a specific list of providers whom DCMS has supported to get off the ground. (It goes without saying that these provisions of the Online Safety Bill are the result of aggressive corporate lobbying by the age verification sector, whom Boris Johnson’s government is enthusiastically supporting as a post-Brexit UK tech success story. That their business model, which imposes privatised surveillance obligations onto all service providers in the UK, also serves this government’s objectives, e.g. Priti Patel & co., is a convenient side benefit. But you knew that too.)

The use of third-party age verification systems is intended to ensure that the service provider, i.e. you, running your site there, never sees nor accesses the personal data – meaning the identities – of the people accessing your service. The fact remains, however, that age verification is still being mandated onto you, and that your users will hold you – not the third party provider – responsible for the hassle.
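What “the site never sees the identity” can actually mean in code, as an added illustration that is not part of the original post and does not describe the Bill’s scheme or any real provider’s product: a hypothetical age-assurance provider signs a short assertion carrying only an over-18 flag, the origin of the site that asked, a one-time nonce that site supplied, and an expiry. The site pins the provider’s Ed25519 public key, verifies the signature over the raw bytes before parsing anything, then checks origin, nonce and expiry. The provider, the site origins, the key handling and the field names are all assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// AgeAssertion is everything the relying site receives: no name, date of birth,
// document number or stable user identifier, just one boolean bound to one request.
type AgeAssertion struct {
	Audience string `json:"aud"`    // origin the assertion was minted for
	Nonce    string `json:"nonce"`  // site-supplied challenge, single use
	Over18   bool   `json:"over18"` // the only fact the site learns
	Expires  int64  `json:"exp"`    // unix seconds
}

// Provider stands in for a hypothetical third-party age-verification service;
// the identity check itself (passport, bank record, webcam) is out of scope.
type Provider struct {
	priv ed25519.PrivateKey
	Pub  ed25519.PublicKey // published; relying sites pin this key
}

func NewProvider() (*Provider, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	return &Provider{priv: priv, Pub: pub}, err
}

// Issue mints one assertion for one site and one challenge. verifiedAge is what
// the provider established from the documents; only the derived boolean leaves,
// and the signature covers the exact bytes put on the wire.
func (p *Provider) Issue(audience, nonce string, verifiedAge int, now time.Time) (msg, sig []byte, err error) {
	a := AgeAssertion{Audience: audience, Nonce: nonce, Over18: verifiedAge >= 18, Expires: now.Add(5 * time.Minute).Unix()}
	if msg, err = json.Marshal(a); err != nil {
		return nil, nil, err
	}
	return msg, ed25519.Sign(p.priv, msg), nil
}

// Site is the relying service: it pins the provider's key and remembers which
// challenges it has handed out but not yet seen answered.
type Site struct {
	Origin      string
	providerPub ed25519.PublicKey
	pending     map[string]struct{}
}

func NewSite(origin string, providerPub ed25519.PublicKey) *Site {
	return &Site{Origin: origin, providerPub: providerPub, pending: map[string]struct{}{}}
}

// NewChallenge hands out a fresh random nonce. Binding the assertion to it stops
// replay on this site and forwarding of an assertion minted for another site.
func (s *Site) NewChallenge() (string, error) {
	var b [16]byte
	if _, err := rand.Read(b[:]); err != nil {
		return "", err
	}
	n := fmt.Sprintf("%x", b)
	s.pending[n] = struct{}{}
	return n, nil
}

// Accept verifies an assertion and returns the over-18 decision. The signature is
// checked over the raw bytes before parsing; then audience, nonce and expiry.
func (s *Site) Accept(msg, sig []byte, now time.Time) (bool, error) {
	if !ed25519.Verify(s.providerPub, msg, sig) {
		return false, errors.New("signature does not verify against provider key")
	}
	var a AgeAssertion
	if err := json.Unmarshal(msg, &a); err != nil {
		return false, err
	}
	if a.Audience != s.Origin {
		return false, errors.New("assertion was minted for a different site")
	}
	if _, ok := s.pending[a.Nonce]; !ok {
		return false, errors.New("unknown or already used nonce")
	}
	delete(s.pending, a.Nonce) // single use
	if now.Unix() >= a.Expires {
		return false, errors.New("assertion expired")
	}
	return a.Over18, nil
}

func main() {
	p, _ := NewProvider()
	site := NewSite("https://example.test", p.Pub)
	nonce, _ := site.NewChallenge()
	msg, sig, _ := p.Issue(site.Origin, nonce, 34, time.Now()) // provider saw the documents; the site never does
	fmt.Printf("site receives: %s\n", msg)
	over18, err := site.Accept(msg, sig, time.Now())
	fmt.Println("decision:", over18, err)
}
```

Two properties are worth noticing. The site ends up holding one boolean and a nonce it generated itself, so the assertion is neither an identifier nor something that can be presented again here or at another site. What the design cannot fix is the other side of the exchange: the provider still learns which site asked for a check, and when, every time one is requested, which is the tracking concern a commenter raises further down. That cost is structural to the third-party model, not a bug in any one implementation.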

So how’s this going to work? The simplest way to explain this is that it’s going to be like cookie popups, mandated onto every site and service, at the point of page load, regardless of any subsequent interaction with the service. Except that instead of asking you to confirm your choices, it’s going to be asking you to confirm your identity.

No passport? No driving license? No credit card? No internet for you. Digital exclusion a go-go.

(Mind, the Bill’s drafters haven’t thought that far down the road yet. Unless, given this government, they have thought that far down the road yet, and know exactly what they’re doing by requiring identity verification in exchange for internet access.)

But they do have an alternative in mind for how users can verify their ages if they don’t have an official form of ID at hand.

You see, service providers – meaning you – will also be encouraged to use what is called “age assurance”, which is a means of estimating or determining your age without the use of some form of official government- or bank-issued documentation. At the moment, the leading idea in the field is the use of the webcam to measure the head of the person sitting in front of the screen. AI then does the job of determining whether those measurements correspond with those of a child. You may recognise this practice from what the Victorians called it: phrenology.

I need not tell you what other kinds of people, and what voices of 20th century history who float over my shoulders every day, are really into the concept of measuring people’s heads to make legally binding judgements about the worthiness of their character.

But for the slow VCs at the back who do need to be told:

(And you may ask yourself, how did I get here? Have we really gone from a referendum on bendy bananas to deploying phrenology onto the British internet? Yes. Yes we have.)

Regardless of whether you choose to deploy a third-party age verification provider, which hoovers up your visitors’ passport and credit card data, or a third-party age assurance solution, which hoovers up your visitors’ cranial measurements (particularly if they are undesirable ethnic minorities), in order to meet your imminent compliance obligations under the Online Safety Bill:

your compliance costs will be staggering.

The industry body representing those groups (e.g.: cha-ching! Make it rain) has estimated the cost of age checks, to service providers like you, to be 10p per age check.

10p does not sound like a lot, until you think about your traffic on a good day and what each of those visits actually earns you. If a visit is worth £1 to you, that 10p becomes 10p in every £1 of income – not profit, income – just to meet that compliance obligation.

That’s an outlay on par with salaries or rent or heating.

And keep in mind that the UK also envisions this Bill to be extraterritorial, meaning that businesses outside the UK will be expected to comply with it – meaning age-gate their visitors – as well. How that’s going to work in their own domestic privacy contexts is one question; why they’re going to spend that money on the likes of you is another.

There are many other compliance obligations, and costs, under this Bill alone, including the fee you’ll be required to pay Ofcom for the privilege of being regulated by them, as well as the costs of the screening and monitoring utilities you’ll need to install. But, as I said, that’s a separate blog post, coming another day.

(And by the way, if you’re working on a decentralised project, as I am currently doing, and are trying to figure out how anyone installing a service or node is expected to age-check people, lest they get screamed at that they’re failing to meet their “duty of care” to protect Britain’s children, your guess is as good as mine.)

So that, dear readers, is a very brief introduction to the world of popups after popups which you will be expected to help to build. Or else.

Call that a lot of whataboutery, if you like. I suppose it is.

But if I were you, I’d be more worried about the fact that whataboutery is pretty much the only retort we have to the erosion of our rights to privacy, and our freedom of expression too, which are being packaged as a post-Brexit opportunity.

Are you still with me?

Good. Because we’ve covered just one area – the big headline-grabbing shouty one – of today’s consultation announcement.

There are others.

But to make that much shorter and simpler for you:

The UK is planning to remove cookie pop-ups for UK people, of which there are around 67 million, while service operators will still have to use them for European people, of which there are around 450 million.

The UK is also planning to legislate to remove the EU-derived requirement for the Data Protection Officer, as the person responsible for safeguarding an organisation’s users’ privacy rights, while simultaneously demanding under the OSB that companies appoint named individuals who are subject to personal arrests and criminal sanctions for failing to prevent bad things from happening on the internet.

The UK is also planning to legislate to remove what it feels are unnecessary EU-derived burdens on small businesses and startups, such as “the need to undertake lengthy impact assessments”, while simultaneously imposing over two dozen compliance requirements under the OSB onto every small business and startup, including no fewer than six impact assessments, all predicated on the ghastly assumption that you are deliberately harming children.

The UK is also planning to legislate to require companies to have a privacy management programme to ensure they are accountable for how they process domestic personal data, based on…erm…whatever rules they make up and mark their own homework with, I guess? While those same companies will still be required to maintain higher standards and better accountability for their European users, thereby actually creating more work with less accountability, while creating a two-tier system of optimal and sub-optimal privacy rights based on nationality.

The UK is also planning to create £1 billion in business savings for businesses over ten years through the compliance reforms in the Data Reform Bill, while simultaneously requiring tech businesses to directly repurpose that money towards their OSB compliance requirements, which won’t just include age checks; they will also include the technology required for you to meet the general monitoring obligation over legal content.

The UK is also planning to shout at browser manufacturers to nerd harder – sorry, to require browser manufacturers to create UK-only versions of browsers to deal with consents – while the heart of the issue – the use of cookies and data harvesters in the first place – isn’t actually dealt with by either government or the regulator; in fact, today’s publication signals an intention to “move to an opt-out model of consent for cookies placed by websites. In practice, this would mean cookies could be set without seeking consent.”

(Oh, and good luck shouting at – sorry, asking – browser manufacturers to deal with the UK’s mandatory age-checking regime at the browser-setting level too.)

And finally, the UK is also planning to ensure the independence of the privacy regulator by requiring the regulator’s statutory codes and guidance to be politically approved by the Secretary of State, who is, of course, a political appointee, and who is, of course, currently Nadine Dorries. But regardless of who occupies the role today or tomorrow, granting them political authority over regulatory guidance seems to me like the exact opposite of regulatory independence.

And given the powers that same Secretary of State will have, under the Online Safety Bill, to define and constrain the limits of your free, legal, and subjective speech, it’s worth imagining – in the most horrible way – what it might be like for you and for me and for the people you care for when she is also allowed, under the Data Reform Bill, to define and constrain the limits of your personal privacy.

So hooray. Yes. We’re getting rid of horrible European pop-ups.

So that we can replace them with horrible British pop-ups.

We’re getting rid of European risk assessment bureaucracy.

So that we can replace it with British risk assessment bureaucracy.

We’re getting rid of Eurocrats who don’t understand the internet.

So that we can replace them with politicians who think the internet is ten years old.

And we’re getting rid of European-derived privacy rights.

So that we can replace them with UK-inspired privacy erosions.

And the saddest thing of all is that this country is currently so consumed with bitterness and spite and hatred that a lot of people out there will have considered everything I’ve said above and they’ll still be thinking:

good.

Postscript: how the sausage gets made

Whenever I discuss the OSB and age verification with policy colleagues from outside the UK, I have to stop and explain things very slowly, two or three times, until I see the look on their face that signals that they “get it”.

I have to do that because in their professional experience, age verification is only ever invoked in discussions around what we might call explicit adult content: pornography, alcohol, tobacco, and firearms. So that’s what they assume this discussion is about, here, in the UK. They don’t realise, until I explain it to them, that the UK legislative discussion is not just about preventing children from accessing those four kinds of content. It’s about mandating age verification for anything and everything, for every user, of every age, in front of access to all topics, all subjects, all sites, all service providers, all opinions, and all content. The whole public open web. Everything.

If you’re explaining this to someone who’s good at their job, they will immediately comprehend how this regime (i.e. identity verification packaged as age verification packaged as child safety, imposed over all content on all topics, again packaged as child safety) could be abused, in their own domestic political contexts, for matters which have nothing to do with children or online safety.

I would love for one of those people to draft some musings about how the UK hasn’t just corrupted the term “age-appropriate”; it’s over-egged the “world-leading” “child safety” aspects of the Online Safety Bill in ways which have handed a gift to states seeking new tools to crack down on public discourse.

But that should be another topic for another day.

Screen cap showing this post as #1 on Hacker News

that escalated quickly

Header image by me: platinum jubilee shortbread, because sometimes the visual symbolism presents itself

The Author

I advocate for an open web built around international standards of human rights, privacy, accessibility, and freedom of expression. This is my personal site, and the opinions on it do not reflect the views of any current or previous employer.

16 Comments

  1. happybeing says

    God that’s depressing. I knew it was bad but to see it set out is … depressing. And it’s a “Brexit benefit” so many people will go yay, more please and hold up their blue passports to the webcam whenever they want to post their hot political takes on Twitter.

    This may be the last blog comment I ever leave.

    • Anonymous says

      I do want to point out (and this may be wishful thinking) that the UK has a bad record at setting stuff like this up: just look at the last age verification law that was delayed over and over again until it was quietly scrapped.

      This could end up a huge unenforceable mess that may collapse under its own weight. I don’t see many going YAY over this but the exact opposite. I feel like no one would want to hold up their blue passports to the webcam whenever they want to post their hot political takes on Twitter (and that’s if Twitter even tries to implement this; I don’t think they will, but will instead block the UK, and that would cause a huge backlash).

  2. Thanks for a thought-provoking article.

    I would like to address a few points you raise:

    1 – The UK Government’s estimate for the purposes of its Impact Assessment for the Online Safety Bill is that an age check costs 10p. This was derived by DCMS officials from a survey of providers, not from the trade association.

    2 – You suggest this is a daily cost to a website. That is not how the industry is currently structured – a user will do an age check the first time they access a site, and then either open an account with the site which is therefore age-verified, or the AV provider will re-authenticate the user each time they visit, but I am not aware of any that re-charge for this as you suggest.

    3 – You ignore interoperability, which has been developed with funding from the EU Commission, through the euCONSENT project, which will not only remove the inconvenience of verifying your age multiple times, but is likely to exercise downward pressure on the costs of the initial age check too.

    4 – You continue to raise concerns about age estimation not being as accurate on darker skin tones. This was an issue back when NIST first studied the earliest solutions, but by using more diverse training data, differences are becoming insignificant.

    Where we do agree is that the number of sites that will need to apply a proportionate degree of age assurance is potentially more than the estimate in the impact assessment for the Online Safety Bill. The ICO’s Children’s Code already applies to sites “likely to be accessed by children” rather than just those directed specifically at kids, but is still limited to sites which have content or functionality which may be harmful to minors.

    The Online Safety Bill only applies to sites which offer user-to-user services – where person A can encounter content from person B – so is still not a general requirement applying to all sites. And in the Public Bill Committee, the government has so far held the line that the most rigorous requirements are limited to larger platforms; but has hinted that for small platforms carrying very harmful content, they may seek to amend the Bill to add them.

    • Russ says

      Imagine I get age verified by an accredited age verifier. And I then go to a website where I have a login name, and which is now applying age-gating. Exactly what happens next? What do I do to prove to the website that I am age-verified?

    • How on God’s green earth anyone can trust anything you lot say is beyond me, let alone trust you with personal data.

    • Matt says

      So what’s *your* estimate for the cost of an age check?

    • Bob says

      You really don’t get it do you.

      We’ve been through this faff since tracking cookies were invented with the advertising parasites poisoning any solution that prevented them loading their cut on the price of my pizza.

      Go look at,

      https://www.w3.org/2002/09/wbs/49311/twpg-tracking-5/results

      In particular take note of the objections by Brooks Dobbs, at the time employed by DoubleClick. Do some more research to find out what a poison pill that individual was in respect of DNT.

      I may be wrong but the basic argument was nothing will work unless you allow us to set cookies, which we will abuse, and that is exactly where you are now along with all of the original concern around privacy that arises from that imposition with the addition that it is now mandated by a Government.

      “2 – You suggest this is a daily cost to a website. That is not how the industry is currently structured – a user will do an age check the first time they access a site, and then either open an account with the site which is therefore age-verified, *or the AV provider will re-authenticate the user each time they visit*, but I am not aware of any that re-charge for this as you suggest.”

      So how does the part enclosed in *asterisks* not involve you setting a Dorries mandated tracking cookie along with all the concerns that may raise and still making me pay extra for a pizza I would have bought anyway.

      This is tracking on steroids and you are advocating ketamine.

    • Smaug Dragon says

      2. is appalling. Loads of ppl pop in to multiple websites just the once (I do every day) or months apart. That’s a lot of 10ps you’re extracting from many people. Also, no non UK site will be arsed, and we’ll end up in our own heavily policed N Korea of the web. Like Anon above, my main hope is that this is so dumb, it’ll implode under its own weight. Like every other policy of this Govt atm. Watch out it doesn’t take your reputation with it.

  3. Peter James Clark says

    Will the same rules be applied to newspapers and books? Will you have to prove your age when buying your Daily Mail?

    Will the same rules be applied to TV programs? There are quite a lot of them, I hear.

    At least we know that our data will be secure, and not sold to anyone, or used for any means, including political brain washing – because the name Nadine Dorries has been mentioned, which will fill many of us with relief.

    • M Palmer says

      The media are exempt. Ofcom already regulates TV & radio. It also regulates postal services & telecoms (amongst other things).

  4. Not content with breaking the country with Brexit they move on to breaking the web!? Thanks for highlighting this. Whatever it is! Depressing but needed to be revealed.

Comments are closed.