The UK Information Commissioner’s Office (ICO) has recently published an update on its enforcement efforts in respect of website cookie compliance.  It follows a letter the ICO sent in November 2023 to 53 of the top 100 UK websites warning that they face enforcement action if they do not make changes to advertising cookies to comply with the requirements of UK data protection law.  According to the ICO, it has had an “overwhelmingly positive response” to those letters, resulting in 38 organisations changing their cookies banners to be compliant with the cookie consent requirements and another 4 organisations committing to reach compliance within the next month. Notably, the ICO acknowledges that some of the organisations it contacted are exploring alternative solutions such as contextual advertising and subscription models. The ICO plans to offer further guidance on implementing these models in compliance with data protection law in the coming month.

 

Getting cookie banners right - what does ‘good’ look according to the ICO?

The ICO expects that all websites using advertising cookies or similar technologies give people a fair choice over whether they consent to the use of such technologies.  In particular, website cookie banners should make it as easy to reject non-essential cookies as it is to accept them, according to guidance it issued in August 2023.  In practice, this means providing a choice between accepting or rejecting non-exempt cookies on the first layer of a cookie banner and giving each choice equal prominence.  The type of harm that the ICO is particularly keen to minimise is where cookies choices may have a real impact on an individual’s wellbeing.  It says it will act where harmful design is affecting customers, including for example, where an individual with a gambling problem is “steered to ‘accept all’ cookies” which could mean they are being “continually bombarded with betting adverts”.

Enforcement action on the horizon?

In the words of the ICO “as we’ll be steadily working our way through the list of websites offering services to UK users to give them all the same message, it makes sense to be compliant before the regulator comes knocking”. 

However, although the cookie consent requirements are not new and predate the GDPR, getting cookie consent right is still work in progress for many websites.  For those who continue to disregard the law, the ICO stresses that consequences will follow. It states that its enforcement efforts extend beyond the top 100 websites, and it is gearing up to contact the next 100 and beyond. To expedite these efforts, an AI solution is in development to identify websites with non-compliant cookie banners. A 'hackathon' event in early 2024 will explore the practical implementation of this AI solution.

The message from the ICO is clear as it systematically communicates its expectations to websites offering services to users in the UK – now is the time for organisations to assess their own compliance and take steps to address the ICO’s requirements before facing regulatory consequences. 

Whether those consequences will be severe or not remains to be seen, as the ICO will also be aware of the direction of travel of UK law in this context and the stated aim by the UK Government to soften the cookie consent rules.

 

Authored by Katie McMullan and Eduardo Ustaran.

Search

Register now to receive personalized content and more!