The ICO has confirmed a continuation and extension of its work to tackle cookie compliance. In a statement issued last week, the regulator stated it had taken regulatory action following a nearly two-year-long investigation into the cookie practices of Sky Betting and Gaming (Sky Betting). It also provided an update on the ICO’s wider cookie compliance enforcement work-stream. Given the pace of change in the regulation of cookies, in this blog we outline the 5 things you need to know from this latest statement:
1. Results of ICO focus on top 100 UK websites
Late last year, the ICO announced that it was assessing the cookie compliance of the 100 most popular UK websites (see our blog here) and followed up early this year to confirm that it had written to 53 websites about their non-compliance (discussed in this blog). The ICO has now confirmed that 52 of the 53 sites have engaged with the regulator and made changes to how advertising cookies are used. The majority have made changes to their cookie banners, while some have made wider changes, such as a move to contextual advertising or adopting pay or consent models. Only one website, Tattle Life, hasn’t engaged with the ICO and remains under investigation by the regulator. The ICO is now preparing to scrutinise the next 100 most frequented websites.
2. ICO issues cookie reprimand to Sky Betting
The ICO has issued a reprimand against the company behind Sky Betting in relation to cookie practices. The ICO investigation, triggered by complaints from campaign group Clear Up Gambling in 2022, identified cookies being placed on users’ devices as soon as they navigated to the SkyBet website, before they had the opportunity to reject cookies. These cookies shared information with various ad tech vendors in connection with the provision of personalised advertising. A driving reason behind the ICO’s decision to issue this reprimand appears to have been the potential vulnerability of gamblers, as well as wider societal concerns about organisations’ use of personal data without permission.
While a reprimand draws attention to non-compliance, it is, critically, not a financial penalty. This is notable, particularly as the ICO has historically been quick to issue fines for marketing infringements. Relevant factors in informing the ICO’s decision to steer away from a fine in this case are likely to include the fact that Sky Betting immediately made changes to its website (with the changes taking effect the day after the company was notified of the infringement by the ICO), the fact that the ICO found no evidence of ‘deliberate misuse’ of personal data by Sky Betting, and the various technical and contractual protections Sky Betting had in place to protect particularly vulnerable users from marketing (such as marketing suppression lists).
3. Renewed focus on ad tech
The ICO appears to be reinvigorating its previous focus on ad tech. The statement notes that as part of the ICO’s “strategy to ensure people’s rights are upheld in the online advertising industry”, the regulator has been auditing the compliance of data management platforms (DMPs) to understand how the “wider industry handles people’s information”. The statement confirms that the ICO has now placed a number of DMPs under investigation. The reprimand against Sky Betting also makes direct references to the ICO’s 2019 update report into Ad Tech and Real Time Bidding.
4. New guidance is on its way
The ICO is planning to publish updated guidance on cookies and similar tracking technologies later this year for consultation. The regulator’s final position on ‘pay or consent’ models is also promised later this year, following the consultation held in the spring (discussed in this blog).
5. Next steps
We have already seen the ICO’s engagement with the top 100 websites change market practice on cookie banners. This latest statement underlines that organisations should check that both the design of their cookie banners and the operation of their cookies in practice are compliant before the ICO comes knocking.