The UK Information Commissioner’s Office (ICO) is continuing to focus on cookies and other tracking technologies with the publication of guidance and related regulatory action.
In late December, the ICO released an updated version of its guidance on cookies, which it is now referring to as ‘storage and access technologies’. The guidance is part of the ICO's broader online tracking strategy, which aims to ensure that people have meaningful control over how their personal information is tracked and used online.
The release of this guidance was followed this week by the ICO’s announcement that it has expanded its review of cookie compliance to encompass the UK’s top 1,000 websites, reflecting its planned focus on online advertising in 2025.
ICO cookie guidance
PECR and GDPR interaction
Whilst the UK General Data Protection Regulation (GDPR) addresses the processing of personal data, the specific rules on cookies and similar tracking technologies are contained in the Privacy and Electronic Communication Regulations (PECR). Where these technologies collect personal data, both regimes therefore apply. Given that PECR is a consent-based regime, the guidance provides that, where those technologies collect personal data, consent will be the most appropriate lawful ground under the GDPR for that processing.
Breadth of technologies covered
The guidance sets out examples of the types of technologies that fall under PECR in addition to cookies, including tracking pixels, scripts and tags, fingerprinting techniques, link decoration and navigational tracking. The ICO is clear, however, that this is a non-exhaustive list. The guidance also confirms that these rules apply to the use of such technologies across web browsers, mobile apps and connected devices.
Clear expectations on banners
The guidance sets out clear expectations for consent banners and platforms. Reflecting previous ICO comments, the ICO expects there to be a “reject all” option prominently available. Organisations are also expected to offer granular options for various purposes, enabling users to manage all non-essential storage and access technologies.
Consent withdrawal = erasure request
The guidance outlines the implications of consent withdrawal, explaining that this should be treated as a request for erasure, requiring the deletion of any information gathered under that consent. Organisations that obtain consent on behalf of third parties are then responsible for informing them when the consent is no longer valid.
ICO pay or consent guidance
The ICO has separately released this week its promised guidance on the so-called “pay or consent” model, and so for organisations considering that approach, that guidance will need to be considered alongside the storage and access technologies guidance (we will blog separately on this other guidance shortly).
Enforcement and claims
The ICO’s review of the top 1,000 UK websites follows from its prior assessment of the top 200 UK websites over the last 18 months. Whilst it advised organisations in January 2024 to take action to become compliant, only one formal enforcement action for cookies has been brought by the ICO since then: the reprimand against Bonne Terre, trading as Sky Betting and Gaming, for processing data through advertising cookies without individuals’ consent and in a way that was neither transparent nor fair.
The reprimand has been followed this week by a judgment against the same organisation in a civil case brought by a data subject whose personal data, the court found, had been collected unlawfully for the purpose of personalised marketing. This case throws down another hurdle for organisations, as the judge held that whilst robust consent procedures assist in demonstrating that there is freely given and informed consent, the individual context is also key, and in this case the quality of the consent was held to be lower than required because of the data subject’s gambling problem and associated vulnerability, which compromised his autonomy.
The judge was at pains to say that this case was decided on the specifics of the matter in front of her, but it is a good reminder that there may be individual circumstances which mean that what would qualify as valid consent from one individual would not be valid consent from another.
Outlook
With the much-anticipated draft guidance now published, organisations would do well to assess their compliance against it so that they are ready to respond to any concerns the ICO may raise. Organisations should also consider the risk of their customers being vulnerable, or any other relevant context given their sector, as this could jeopardise the quality of consents received.
So-called cookie-less technologies are also being promoted by many market players as the way forward, but the ICO’s guidance is a good reminder that the rules apply far more widely than just to cookies, and so all such technologies will need to be assessed against the same regulatory regimes (and can expect regulator scrutiny).