The European Commission (EC) should amend the so-called 'cookie law' that requires website owners to obtain users' consent before placing cookies on their devices, according to the Information Commissioner's Office (ICO).
The ICO made the case in a submission to the EC's consultation (PDF) on changes to the Privacy and Electronic Communications Directive, also known as the E-Privacy Directive.
"Requiring consent for the processing of personal data has not delivered the expected protection for individuals because some personal data must be processed in order for the consent mechanism to operate," said the ICO.
"In our view, the rules should also seek to achieve a proportionate balance between the legitimate interests of information society services and the privacy rights of individuals.
"There is a case for an exemption or an alternative basis for processing other than consent, particularly in cases where the privacy impact on the individual is minimal."
The consultation over the E-Privacy Directive, which is now more than a decade old but was amended in 2009, is intended to further update it to better complement the General Data Protection Regulation, which will become law across the EU in 2018.
Both are part of the Digital Single Market Strategy for Europe designed to provide a level playing field for online services across the EU.
The consultation appears to indicate that the EC is planning to tighten e-privacy laws with mandates requiring "privacy by default" settings on "terminal equipment".
The ICO warned that this may have unintended consequences by hampering the development of internet services that the Digital Single Market is supposed to aid.
"The definition of terminal equipment would need to be carefully defined as it could include connected cars, IoT devices and legacy equipment. Consideration also needs to be given as to whether all these devices are capable of delivering privacy choices," said the ICO.
"The impact on small startup companies would need to be carefully considered to avoid a disproportionate detrimental impact on innovation.
"Again, in our view, any rules in this area should seek to achieve a proportionate balance between the legitimate interests of businesses and the privacy rights of individuals, and not impose onerous and disruptive requirements in cases where privacy impact is minimal."
The consultation also indicated that the EC is considering compelling website operators to make their content available, even if users reject cookies, a measure that the ICO also opposes.
The UK is set to leave the EU after the Brexit vote, but companies in the UK will almost certainly have to adhere to EU data protection laws to trade with, or collect data on, EU citizens.