
ICO warns UK’s most visited websites to improve cookie choices

Published on 17 April 2024

The question

What steps is the ICO taking to ensure that website cookie banners are compliant with law?

The key takeaway

Websites must not place non-essential advertising cookies without users’ consent, and it must be as easy for users to reject non-essential advertising cookies as it is to accept them. Failure by website operators to comply may result in enforcement action by the UK’s Information Commissioner’s Office (ICO).

The background

In August 2023 the ICO signalled its intention to clamp down on harmful website design practices which undermine people’s control over the use of their personal data. This includes the use of cookie consent banners that affect an individual’s ability to freely consent to cookies. Cookies that have been consented to may affect the ads that an individual is presented with for some time. The ICO noted that if it does not see improvements in businesses’ practices, it will be taking enforcement action, especially where harmful design particularly affects vulnerable people.

The development

On 15 November 2023 the ICO sent a letter to some of the UK’s top 100 websites warning about potential infringements of data law including the Privacy and Electronic Communications Regulations 2003 (PECR) and the UK GDPR in relation to their website cookie banners. In the letter the ICO set out its four key concerns:

  • non-essential advertising cookies being placed without the consent of users;
  • non-essential advertising cookies being placed before users have the opportunity to consent;
  • users not being able to reject non-essential advertising cookies as easily as they can accept them; and
  • non-essential advertising cookies being placed despite users opting to reject them.

If a website user rejects all tracking, the website is still allowed to display ads; however, these must not be tailored to that user.

The ICO’s warning letter invited recipient organisations to take steps to address the ICO’s concerns within one month. In an update on 31 January 2024, the ICO stated that it had received an “overwhelmingly positive response” to its warning letters, with 38 organisations having changed their cookie banners, four committing to be compliant within the next month and several others working to develop alternative solutions.

Why is this important?

The ICO say that they will not stop with the top 100 websites and are preparing to write to the next 100, and the 100 after that. They are also developing an AI solution to identify non-compliant cookie banners. It’s clear that the ICO is ready to take enforcement action if website banners are still in breach of the law following these very clear warnings. This may amount to fines and also reputational damage through public naming and shaming.

Any practical tips?

Given the ICO’s proactive approach to non-compliant cookie banners, businesses (and, especially, prominent ones) should update their cookie banners and not wait to receive a letter from the ICO. Banners should include a “reject all” button and make it as easy for users to reject all cookies as it is to accept all of them. Ultimately, online interfaces should be designed to empower the user to be able to make clear choices about the use of their data and the direct marketing cookies they sign up to.

Spring 2024