This week the Dutch broadcasting association NPO decided to tear down its ‘cookie wall’. The NPO had erected this wall in order to comply with the Dutch cookie law, which requires websites to obtain the consent of the user before they drop any cookies. Since the introduction of the Dutch cookie law more and more websites have erected these cookie walls. Not because they want to pester their consumers, but because the law demands that a user makes a conscious decision about their privacy while visiting a website.
But is the legal requirement effective in practice? Do consumers really make conscious decisions about their privacy when they are confronted with a cookie wall or other form of privacy consent notice? The answer is of course: no. The vast majority of consumers simply accept the privacy terms and don’t even bother reading them.
There are a number of reasons why people don’t bother reading privacy consent notices. An important reason is that they are too long and too difficult to understand. Another reason is that the consequences of a potential loss of privacy are not very tangible, while the consequences of not accepting the privacy terms are very clear: you are not getting the service or product you desire. Finally, consumers trust that the government will step in if the terms and conditions are unfair to them.
In the Netherlands we are already seeing the first signs of ‘consent fatigue’. Consumers simply click away all the consent dialogue boxes they see, regardless of their content. There is even a very popular new browser plug-in called ‘Cookies OK’ that automatically accepts all cookie consent requests, before they are visible to the user.
Does this mean that consent is no longer important? On the contrary. As more and more data is processed, we need to make more conscious choices about our privacy. However, we must also acknowledge the fact that we cannot make conscious decisions about our privacy 24/7. In order to avoid consent fatigue and a devaluation of consent as a mechanism to express our will, we need to rethink the concept of consent in data protection legislation, because now it is highly overrated…