We’ve known for some time now that cookie compliance is on the ICO’s radar. However, recent ICO action confirms that now is the time to check whether your cookie banners comply with GDPR and PECR rules.
Last June, the ICO warned that companies that fail to include a “reject all” button in their website cookie banners are “breaking the law” and risking regulatory enforcement (see our blog).
Following this, on 21 November 2023, the ICO published a statement confirming that it had issued written warnings to some of the UK’s top websites, telling them to improve their cookie practices. The ICO did not name those companies or publish a copy of the letter it sent, but did state that it expected them to amend their practices within 30 days of the notices.
A standard copy of the letter sent was then published just before Christmas. This confirmed that the ICO had assessed the relevant cookie banners and had concerns around issues such as:
- Non-essential advertising cookies were placed without obtaining consent from users: This is the case where the website has no cookie banner at all so consent cannot be sought from users.
- Non-essential advertising cookies were placed before the user had the opportunity to provide consent: These websites have cookie banners, but place cookies without first obtaining consent from users. The consent, sought after placing the cookies, is invalid.
- Users cannot reject non-essential advertising cookies as easily as they can accept them: These websites inform users of the cookies and ask for their consent. However, the cookie banners allow immediate acceptance of cookies but not immediate rejection. Consent given through an “Accept all” button cannot be deemed freely given, specific or informed when there is no equivalent “Reject all” button.
- Non-essential advertising cookies were placed despite the user opting to reject them: Although these websites have a consent mechanism in place, they failed to respect users’ choices and placed cookies even after users clicked the “Reject all” button. According to the ICO, this practice infringes Articles 6 and 5(1)(a) of the UK GDPR and Regulation 6 of PECR, as these cookies have been placed without consent.
In its letter to each organisation, the ICO explained which of the concerns above applied to the cookie banner on that organisation’s website, providing screenshots from the website as annexes.
It also referred to its guidance on harmful design where it said that a “lack of consumer control” over cookies is an example of harmful design. This concern was similarly emphasized in the joint position paper the ICO and CMA published in September 2023 on harmful design and online choice architecture. That paper included screenshots of cookie consent pop-ups which demonstrated harmful design, e.g. where users need to go into a settings page to reject cookies as opposed to being able to click “Accept all” to make the pop-up go away.
The ICO has said it will provide an update on its work in January 2024, including publishing the names of the companies that fail to take appropriate steps to address these concerns. This “naming and shaming” is aligned with the ICO’s approach in other areas (for example in relation to DSARs, which we have written about here).
The ICO has also said that it could publish an organisation’s name as a positive example of how cookie banners can be compliant, if that organisation agrees to it.
For organisations, now is the time to bring cookie practices in line with data protection laws to avoid regulatory enforcement. For example, ensure you obtain consent before placing non-essential advertising cookies, provide a “reject all” option, and respect individuals’ choices.
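The four concerns in the ICO letter and the three actions in the paragraph above map onto concrete behaviour in the website’s own scripts. The following is an added example (not code from the ICO, the blog author or any named website) of a minimal consent gate that shows that behaviour: non-essential cookies are queued rather than written until the user decides, “Accept all” and “Reject all” are each a single action of equal weight, a rejection purges any advertising cookie already present and blocks later attempts, and essential cookies remain unaffected. The cookie names, the `advertising` category and the in-memory `CookieJar` standing in for `document.cookie` are all assumptions constructed so the example runs offline.

```javascript
// Added example, not the ICO's or the blog author's code. Cookie categories and
// names below are assumptions for illustration.
const ESSENTIAL = "essential";
const ADVERTISING = "advertising";

// Constructed stand-in for document.cookie so the example runs without a browser.
class CookieJar {
  constructor() { this.store = new Map(); }
  set(name, value) { this.store.set(name, value); }
  has(name) { return this.store.has(name); }
  remove(name) { this.store.delete(name); }
  names() { return [...this.store.keys()]; }
}

class ConsentGate {
  constructor(jar) {
    this.jar = jar;
    this.choice = null;          // null means the user has not decided yet
    this.pending = [];           // non-essential cookies requested before a decision
    this.categoryOf = new Map(); // cookie name -> category, so a rejection can purge
  }

  // Both banner actions are one call each, with no settings page in between,
  // so rejecting is exactly as easy as accepting.
  acceptAll() { this.decide({ [ADVERTISING]: true }); }
  rejectAll() { this.decide({ [ADVERTISING]: false }); }

  decide(permissions) {
    this.choice = permissions;
    // Honour a rejection for non-essential cookies that are already present
    // (for example after the user withdraws an earlier acceptance).
    for (const name of this.jar.names()) {
      const category = this.categoryOf.get(name);
      if (category && category !== ESSENTIAL && !permissions[category]) this.jar.remove(name);
    }
    // Replay requests that were queued while no decision existed.
    const queued = this.pending;
    this.pending = [];
    for (const req of queued) this.setCookie(req.name, req.value, req.category);
  }

  // Returns true only if the cookie was actually written to the jar.
  setCookie(name, value, category) {
    this.categoryOf.set(name, category);
    if (category === ESSENTIAL) { this.jar.set(name, value); return true; }
    if (this.choice === null) {           // never place before consent is decided
      this.pending.push({ name, value, category });
      return false;
    }
    if (!this.choice[category]) return false; // never place after rejection
    this.jar.set(name, value);
    return true;
  }
}

// Walks the ICO's failure modes for one user journey and reports what the gate did.
// decision is "accept", "reject" or "accept-then-reject".
function runScenario(decision) {
  const jar = new CookieJar();
  const gate = new ConsentGate(jar);
  const result = {};
  // An advertising script fires before the banner is answered: must be deferred.
  result.adWrittenBeforeChoice = gate.setCookie("ad_id", "abc123", ADVERTISING);
  result.adPresentBeforeChoice = jar.has("ad_id");
  // A strictly necessary session cookie needs no consent.
  result.sessionWritten = gate.setCookie("session", "s1", ESSENTIAL);
  if (decision === "reject") gate.rejectAll(); else gate.acceptAll();
  if (decision === "accept-then-reject") gate.rejectAll();
  result.adPresentAfterChoice = jar.has("ad_id");
  // A later advertising cookie is only written if the standing choice allows it.
  result.adWrittenAfterChoice = gate.setCookie("ad_id2", "def456", ADVERTISING);
  result.cookies = jar.names().sort();
  return result;
}

for (const d of ["accept", "reject", "accept-then-reject"]) {
  console.log(d, JSON.stringify(runScenario(d)));
}
```

The point of the `pending` queue is that the fix for “placed before the user had the opportunity to consent” is not to delay the banner but to defer the cookie write itself; a tag or script that runs early simply cannot reach the jar until `decide` has run. Checking the real site means loading it with a clean profile and confirming that no advertising cookie exists before the banner is answered, that “Reject all” is visible on the first layer next to “Accept all”, and that no advertising cookie appears after rejecting.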