The ICO and the UK Government agree that the current approach to regulating cookies doesn’t work for people or businesses. ‘Cookie fatigue’ (users being overwhelmed by cookie pop-ups) has resulted in a lack of meaningful user engagement with the consents requested in cookie pop-ups. Since the ICO published its plans on how to tackle the issue, with the help of its G7 counterparts (see our blog), the Department for Digital, Culture, Media and Sport (“DCMS”) has launched a consultation proposing changes to the UK’s data protection and cookie rules. On 6 October 2021, the ICO responded to that consultation.

The proposals

The new plans proposed by DCMS include a “browser-based solution” where, on a one-time basis, users decide upfront what data they consent to being collected through cookies. This is then respected and applied across all the online services those users access. The ICO support this approach (unsurprisingly, given it is the approach they had recently suggested to the G7). They consider this proposal would allow meaningful consideration by users of the categories of data they are comfortable being collected. Both the ICO and the UK Government note, however, that this is not a quick fix and would require significant international cooperation. Nonetheless, this solution is certainly workable as there are already several similar cookie blockers available as browser extensions, with one having over 500,000 users.

The DCMS also propose expanding the categories of data that can be collected through cookies without explicit user consent. Under the current cookie rules, consent is not required if the cookie is deemed strictly necessary for the operation of the service. The DCMS suggest adding the following categories to this group:

  • Analytics cookies: this proposal is supported by the ICO, subject to (as the DCMS also note) appropriate safeguards to ensure such processing has a low impact on users’ privacy and a low risk of harm. Interestingly, a similar approach has been taken in France.
  • Legitimate interest cookies: this proposal would allow website operators to use cookies to collect further categories of data from users, provided: (i) the operators can show it is necessary for the legitimate interests of the data controllers; and (ii) such collection has a minimal impact on the data subject. In a more lukewarm response, the ICO noted that this may be harder to legislate for in a way that ensures appropriate safeguards are in place (and differentiates from the current system).

In addition to responding to the DCMS’s plans, the ICO used its consultation response to recommend that the UK Government considers legislating against cookie walls (cookie pop-ups with no ‘reject’ option) altogether. 

Increasing fines?

To strengthen the bite of their potential proposals, both the ICO and DCMS support aligning fines under the Privacy and Electronic Communications Regulations (“PECR”), which govern cookies, with the fines available under the GDPR. This would raise the potential fine limit from £500,000 under PECR, to the GDPR limit of the higher of £17.5m or 4% of global turnover. If accepted by the UK Government, this would certainly push cookie compliance up the risk agenda for many organisations, particularly given the current levels of non-compliance. 

With thanks to Tom Hurleston for helping with research.