Few things show the dilemma of data protection as well as cookie banners: what is supposed to serve informational self-determination has become a collective nuisance. “The current cookie banners are dysfunctional at best,” agrees Maximilian von Grafenstein. “Since almost everyone clicks away, they also make no sense for consumer protection.” Grafenstein is a professor for “Digital Self-Determination” at the Einstein Center Digital Future and the University of the Arts (UdK) in Berlin.
His hope is now on so-called PIMS, the acronym stands for Personal Information Management Systems. This should allow users to specify their data protection preferences once to a neutral third party, and this data trustee then acts as an intermediary to websites.
The basis for this was laid with the Telecommunications Telemedia Data Protection Act (TTDSG), which came into force last December. There are also provisions for “recognized services for consent management”. The data protection lawyer Rolf Schwartmann therefore described the TTDSG as a “law against cookie terror” and the “Tagesschau” also hoped for “the end of the cookie madness”.
But the law is still a long time coming. The Federal Ministry of Economics (BMWK) had actually announced that it would present a draft bill in the first quarter of 2022. However, after the change of government, responsibility has shifted to the Federal Ministry of Transport and Digital Affairs, and the schedule has also shifted as a result. “We are currently working on the draft bill,” said a spokeswoman for the department. She cannot say when it will be available, but the adoption of the rules is likely to be postponed to next year.
So while users will be annoyed by cookies for a while, this at least gives the opportunity to further optimize the regulation. Because as good as the idea of PIMS sounds at first, the practical design is likely to be as complex. This can also be seen in a research report on consent management that was commissioned by the BMWK. “General refusals of consent are important for user-friendliness, but legally difficult to record,” it says, for example.
Another question is how possible consents are graded. With PIMS, there could be consent for categories, such as operators of company websites or operators of news websites. But then the question arises as to which individual providers allow individual users to collect larger amounts of data and which do not.
“Website operators should be given the chance to convince users to make an exception when they come to their site,” says Grafenstein. After all, many would only find out on a specific website that they allow cookies for this operator. Grafenstein’s idea is that In the future, site operators should have the one-time opportunity to obtain individual consent. However, so that cookie banners do not have to be clicked away everywhere, they should only appear for a short time. “The decisive factor here is that the display disappears again by itself,” says Grafenstein. In his opinion, the basic conflict and the trench warfare between the (advertising) industry and data protection officers could also be solved in this way.
“It’s not about a real problem solution, but maximum positions according to the all-or-not-at-all principle,” says Grafenstein. While consumer advocates are striving for basic options to reject as many cookies as possible, the economy is trying the opposite. “I think that’s the only workable compromise so that the good idea of the PIMS doesn’t fail,” says the professor about his concept.
This is now to be tested in practice. Grafenstein criticizes that the users themselves have not yet had a say in the whole process. So he’s hosting a series of workshops on the subject in July (you can register to attend here). Another question is how short or long the banners can appear before they disappear, so that users notice them but don’t click away again themselves. “We then want to feed the results into the legislative process.”