Last week the ICO announced it had received an ‘overwhelmingly positive response’ to the warnings it issued last November to 53 of the UK’s top 100 websites, telling them to improve their cookie practices (see our blog). The warnings resulted in 72% of organisations contacted by the ICO changing their cookie banners to be compliant and 8% committing to be compliant by the end of February.
Impact on consent or pay model?
Some organisations told the ICO that they are working to develop alternative solutions, such as contextual advertising and subscription models, and the ICO has promised that during February it will provide its views on how these models can be implemented in compliance with data protection law. Existing ICO guidance on ‘cookie walls’ confirms that a user needs to be given a genuine choice whether to sign up to cookies, otherwise consent may not be considered freely given. In 2018, the ICO informed The Washington Post that its online subscription options did not comply with the GDPR as there was no free alternative to accepting cookies, thus “consent cannot be freely given and is invalid.” However, the ICO does recognise that it may be possible to incentivise consent in some contexts (its detailed consent guidance cites money-off vouchers given in exchange for signing up to a loyalty scheme as acceptable).
We are seeing different approaches to subscription models developing among the EU data protection authorities (DPAs), as the one-stop-shop mechanism under the GDPR does not apply to cookies. For example, the Austrian DPA has ruled that ‘consent or pay’ models may be permissible in certain circumstances and it has set out relevant factors in its guidance. These include cases where the price for the payment alternative is ‘reasonable and fair’, the personal data is subsequently processed in ‘full compliance’ with the GDPR, and the company does not have a monopoly position in the market.
It will therefore be interesting to see how the ICO positions itself on the consent or pay model in the coming weeks.
Tools to assess tracking technologies
The ICO also said that it is developing an AI solution to help identify websites using non-compliant cookie banners in order to accelerate its work in this area. On a similar note, the EDPB has recently launched a website auditing tool that can be used by DPAs to help analyse whether the tracking technologies used by websites are compliant with the law. The EDPB said it had developed the solution in order to facilitate enforcement by national DPAs and compliance checks by controllers.
Next steps
The ICO has said it will not stop with the top 100 websites, and is already preparing to write to the next 100. Given the ICO’s focus, now is therefore the time for organisations to bring cookie practices in line in order to avoid regulatory scrutiny. For example, ensure you obtain consent before placing non-essential advertising cookies, provide a ‘reject all’ option, and respect individuals’ choices.