Companies that fail to include a “reject all” button in their website cookie banners are “breaking the law” and risking regulatory enforcement, a senior figure from the ICO has cautioned. In a recent interview with MLex, the ICO’s Deputy Commissioner, Stephen Bonner, said that “the ICO is paying attention in this area and will absolutely issue fines if we see organisations are not taking that seriously and taking steps”.
Wasn’t the UK saying goodbye to cookie banners?
This statement may come somewhat as a surprise to those who saw the headlines surrounding the UK government’s proposals for reforming the legislative treatment of cookies, the press release for which noted the UK government’s aim to “reduce annoying cookie pop-ups".
Under the Data Protection and Digital Information (No. 2) Bill (the “Bill”), which is currently at the report stage in the House of Commons, requirements for cookie banners are to be eased (see our blog post for further information on changes to cookies rules, and our blog post for further information on the Bill).
In particular, the Bill expands the exemptions from consent requirements for cookies beyond only “strictly necessary” cookies to include non-intrusive analytics cookies (subject to certain conditions, including the user being given information about the processing and an opportunity to object). The Explanatory Notes to the Bill explain that such cookies “are considered to present a low risk to people’s privacy”. This proposal therefore seeks to put on statutory footing the ICO’s existing enforcement treatment of analytics cookies – the ICO’s current guidance suggests that it is unlikely to take formal action in cases involving first-party analytics cookies.
And, while this proposal only relaxes in part existing cookie rules, the Bill contemplates doing away with cookie banners altogether: it proposes to empower the secretary of state to issue regulations requiring providers of services, such as web browsers, to allow users to set lasting privacy preferences on a one-off basis, rather than having to do so via pop-ups for each website they visit.
However, for those companies thinking that cookie enforcement may be falling off the ICO’s enforcement agenda, Bonner has confirmed that the ICO continues to monitor for – and is prepared to exercise its enforcement powers in relation to – cookie non-compliance.
UK and EU alignment
The ICO’s confirmation that it is monitoring compliance in this area reflects recent regulatory trends in the EU. On 18 January 2023, the EDPB adopted a report prepared by its Cookie Banner Task Force, to ensure a consistent regulatory approach between European data protection authorities (“EU DPAs”) to cookie enforcement. This followed a string of major cookie enforcement actions by EU DPAs, most notably the enormous fines issued by France’s CNIL to Facebook and Google (see our blog post), and stemmed from the hundreds of complaints concerning cookie banners filed with various EU DPAs by Max Schrem’s privacy campaign group, noyb.
Bonner’s statements also indicate that the ICO has similar concerns to EU DPAs when it comes to cookies, particularly that cookie banners should provide clear choices to users: one of the key findings of the EDPB’s report was that the “vast majority” of EU DPAs consider the absence of a “reject all” button to be an infringement of privacy regulations.
Similarly, in 2022, when Google announced it would be including a “reject all” button in its cookie banners (which was introduced following a specific direction from CNIL – see our blog post), the ICO welcomed this move and Bonner noted that the ICO would “quite possibly” have fined Google had Google not done so.
Finally, it is worth noting that the Bill’s cookie consent exemptions are largely aligned with changes proposed at EU level under the draft ePrivacy Regulation, albeit this piece of (long-delayed) EU legislation is not expected to be implemented before end-2023. In any event, it’s unlikely that many cross-border companies are planning to redesign their cookies banners in anticipation of the Bill’s passage; for such companies, EU privacy rules will likely remain the high water mark to meet.
Conclusion
While we have yet to see major cookie enforcement action by the ICO, Bonner is clear that the ICO takes cookie compliance seriously – and, if the Bill is passed in its current form, the ICO’s fining powers for cookie non-compliance will be significantly increased. Fines are currently limited under the UK’s Privacy and Electronic Communication Regulations (which govern cookie enforcement) to £500,000 but the Bill proposes to raise this to the GDPR limit of the higher of £17.5m or 4% of global annual turnover. Bonner’s warning, then, is a timely reminder that companies should check their cookie compliance now to avoid being a target for regulators and campaigners alike.
/Passle/5badda5844de890788b571ce/SearchServiceImages/2024-05-03-16-47-53-980-663515398e38577d7f0bb221.jpg)
/Passle/5badda5844de890788b571ce/SearchServiceImages/2024-04-30-14-56-42-295-663106aa145aa375cc9b7b0f.jpg)
/Passle/5badda5844de890788b571ce/SearchServiceImages/2024-04-30-13-23-43-356-6630f0df03765d17a4eccab2.jpg)
/Passle/5badda5844de890788b571ce/SearchServiceImages/2024-04-23-09-28-50-380-66277f52e87bcfeefc961b68.jpg)