In November 2023, the Information Commissioner’s Office (ICO) released a statement warning certain popular websites to make cookie changes. This statement comes after a preliminary search conducted by the ICO revealed that websites continue to present targeted advertisements.
The statement issued by the ICO stated that it has written to the organisations that control the most popular websites and has given them a period of 30 days to demonstrate compliance with the necessary Data Protection laws such as:
- The UK General Data Protection Regulation
- The Data Protection Act 2018
- The Privacy and Electronic Communications Regulations 2003
Through this statement the ICO has provided all companies responsible for the websites an ultimatum to comply with the Data Protection laws identified above or “face the consequences”. An example of the letter that has been issued by the ICO has also been attached with the statement. In January 2024 the ICO is also scheduled to issue a list of companies that have not complied with the specific requirements identified and will take appropriate action.
European Union Cookie Trends:
While the above action is restricted to the UK, similar trends can also be observed in France, Bavaria, Ireland, and Netherlands. Supervisory Authorities across the European Union have either commenced a cookie sweep or have indicated their intentions to commence an enforcement action in relation to cookies. Major companies such as Apple, Meta and TikTok have already been held responsible for non-compliance with data protection laws in relation to cookies and personalised advertisements with fines ranging from €5 million to €210 million. The European Commission and the EDPB agreed on drafting principles that would ensure users receive concrete information on how their data is processed as well as consequences of accepting different types of cookies.
ICO Cookie Compliance Strategies and Recommendations:
The ICO provided certain strategies to help organisations attain compliance, which can help organisations implement practical recommendations. The strategies stated are as follows:
- Place the user of the website at the heart of design choices: Develop an interface that is centred around the user’s preferences and interests.
- Empower user choice and control through the architecture of the website: Assist users in making active and effective choices about their personal data and how it will be used.
- Test, trial and feedback: Consider testing a website and its interface amongst actual users and gain feedback. If necessary redevelop the website to ensure user feedback is incorporated.
- Alignment with data protection, consumer and competition law: Apply the requirements of law practically and develop strategies to ensure compliance from a design stage of the website e.g. privacy by design.
Considering the above we suggest the following actionable recommendations:
- Ensure the user has the ability to make choices indicated through an action such as ticking an unticked box or clicking on “accept all button”.
- In cases where a website uses third party cookies, clearly state the name of third parties and provide details on how they intend on using the user’s personal data.
- Abstain from using a pre-ticked box, or an “always on” slider for non-essential cookies.
- Provide users with the ability to manage the consent they provide by implementing a cookie consent management tool. Ensure that the tool is easy to use and does not complicate the user’s experience of the website.
- Ensure that all non-essential cookies are only active if the user has granted consent. In cases where the user proceeds to browsing a website without indicating their intention, do not by default activate or enable non-essential cookies.
- Provide a “Reject all” option that is clearly visible by colours that contrast with the background of the webpage. Ensure that such an option is clearly visible on the initial layer or cookie banner of the website.
- Balance the visibility of the cookie banner to ensure it does not turn into a cookie wall or cause hindrances, however, it should still be prominently visible to the user.
- Lastly, in cases where the user has “rejected all” cookies or not provided consent, ensure all personalised advertisements and targeted advertisements are not presented to the user.
In the UK, serious enforcement and fines due to cookies are yet to be observed, however the warning issued by the ICO is a clear indication of the future action that will be taken by the ICO with non-complaint organisations. The trend of cookie sweeps and initiatives taken across the European Union also points to a future where Supervisory Authorities will take a strong stance against non-compliance and impose stringent fines. These fines, in accordance to existing legislation such as PECR, may be up to 500,000 pounds and as per the General Data Protection Regulations may be up to € 20 million or 4% of the annual global turnover of the organisation.