Cookie usage is central to online interactions, particularly in advertising. With evolving regulations like the United Kingdom’s General Data Protection Regulation (“UK GDPR”) and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”), ensuring compliance is crucial. This blog explores recent guidance from the Information Commissioner’s Office (“ICO”), outlining website operators’ obligations regarding cookie consent.
ICO’s call for easy cookie rejection
In June 2023, the ICO issued a stern warning to organisations operating within the UK regarding their cookie banners.
Organisations utilising non-essential cookies like analytics, performance or marketing cookies are required to seek user consent before deploying such cookies on their websites or mobile applications. The essence of the warning centred on the necessity of including a “reject all” button on cookie banners, stressing that the absence of such a feature constitutes a breach of the law.
The ICO’s guidance stated that consent requests must be presented in an intelligible and easily accessible form, using clear language and allowing users to withdraw their consent at any time. It also stated that users must take a clear and positive action to give their consent to non-essential cookies and that passive actions such as continuing to use a website do not constitute valid consent.
Pre-ticked boxes or “on” sliders for non-essential cookies are deemed non-compliant, as they do not fulfil the ICO’s criteria for a positive action. Furthermore, any design elements that steer users towards accepting cookies, such as emphasising “agree” or “allow” over “reject” or “block”, are considered non-compliant.
The ICO indicated that it would progress towards stricter enforcement measures until organisations achieve compliance.
Key UK websites called upon to alter cookie practices
In November 2023, the ICO alerted several leading UK websites to potential enforcement actions should they fail to adhere to legal regulations. Direct communications were initiated with companies overseeing some of the UK’s most visited websites, emphasising concerns and stipulating a 30-day compliance period. A standard copy of the letter that was sent was published just before Christmas and included details about why the ICO is still concerned that the websites may not be compliant with the UK GDPR and PECR.
(a) Non-essential advertising cookies were placed without obtaining consent from users
The ICO found that these websites placed non-essential advertising cookies without obtaining user consent and lacked a cookie banner. This raises significant concerns about compliance with PECR and the UK GDPR regarding cookie placement and personal data processing.
(b) Non-essential advertising cookies were placed before the user had the opportunity to provide consent
The ICO found that these websites had cookie banners, but placed cookies without first obtaining consent from users. Even if consent is later sought via a cookie banner, it is deemed invalid since the placement of these cookies and processing of personal data occurred prior to consent being sought.
(c) Users cannot reject non-essential advertising cookies as easily as they can accept them
The ICO found that these websites inform users about non-essential advertising cookies and request their consent. However, the cookie banners lack an easily accessible option to refuse these cookies with equal simplicity. Without a prominent “reject all” or equivalent option, any consent obtained by clicking “accept all” may not be considered freely given, specific or informed.
(d) Non-essential advertising cookies were placed despite the user opting to reject them
The ICO found that these websites provided a consent mechanism but disregarded users’ choices by placing non-essential advertising cookies despite users opting to “reject all” cookies. There are concerns that processing personal data after placing non-essential advertising cookies, previously refused by the user, may lack a valid lawful basis under Article 6 of the UK GDPR. Consequently, this action is likely to infringe Article 5(1)(a) of the UK GDPR. Furthermore, it is likely that Regulation 6 in PECR has been infringed as the placing of non-essential advertising cookies requires valid consent from the user, which was not obtained in this case.
The ICO has said that in January 2024 it will issue an update regarding this initiative, which will include information about the companies that have not responded to the concerns raised. This effort is part of the ICO’s broader mission to safeguard individuals’ rights within the online advertising industry. The ICO is yet to provide an update on the initiative.
Aria Grace Law CIC
We have an array of highly experienced data protection lawyers with over 50 years of collective experience. Whether it’s implementing compliant cookie banners or providing expert advice on data processing practices, we’re here to support you every step of the way.
Contact us today on firstname.lastname@example.org to discuss how we can assist you in achieving cookies compliance and fostering trust with your users.
Article by Lindsay Healy (Founder), Puja Modha (Partner) and Sarah Davies (Paralegal) – 31 January 2024