The Cookie Crumbles for UK Top Viewed Websites

In its statement of 21 November 2023, the Information Commissioner’s Office (ICO) announced that it had written to some of the UK’s most frequently visited websites, warning them of enforcement action if they fail to give users a ‘fair choice’ over whether or not to be tracked for personalised advertising. This step comes amid growing concerns over data privacy and targeted advertising.

The ICO gave the non-conforming companies 30 days’ notice to align their cookie policies with the law and will issue an update in January 2024.

What is a ‘Cookie?’

A cookie is a small text file which is downloaded onto a device and allows a website to recognise and store information about the user’s preferences or past actions. Some cookies are essential (also known as strictly necessary cookies) and are needed to ensure a website functions correctly, but many websites use cookies to track users’ online activities, including, for example, to show personalised ads. The issue, however, is that some websites make it difficult to reject cookies that are not strictly necessary. The use of cookies is governed by the Privacy and Electronic Communications Regulations (also known as PECR), but cookies also qualify as personal data and are therefore subject to data protection laws (namely the Data Protection Act 2018 and UK GDPR). Similar technologies that store data on a user’s device can also fall under PECR and data protection laws.

Background

In August 2023, the Competition and Markets Authority (CMA) and the ICO published a joint blog highlighting concerns that some online design practices make it difficult for individuals to exercise choice and control over how their personal information gets processed, which risks infringing data protection law.

The ICO considered it an infringement of data protection law where organisations, web designers and developers create design practices that steer users to decisions that do not reflect their privacy preferences.

The ICO made it clear that cookie consent banners can have a harmful design if they influence users to click “accept all” for all types of cookies simply because it is not easy or simple to reject them.

The ICO and CMA issued clear guidance that organisations must make it as easy for users to opt for a “reject all” advertising cookies as it is to “accept all.”

The Law

To comply with data protection laws and PECR, companies must

• Obtain users’ consent before they place any cookies on the user’s device (except strictly necessary cookies)

• Provide accurate and specific information about the data each cookie tracks and its purpose in plain language before consent is received

• Document and store consent received from each user

• Allow users to access your service even if they refuse to allow the use of certain cookies

• Make it as easy for users to withdraw their consent as it was for them to give their consent in the first place
   

Common pitfalls with cookie compliance include using default cookie banner templates that only offer an “accept” setting or an “accept” or “see options” setting, which would not comply with the ICO and CMA guidance. We also see companies allowing cookies to be placed on a user’s device before consent has been received through the cookie banner.

In the event of non-compliance, the ICO has the power to issue monetary penalties of up to £17.5 million or 4% of the annual worldwide turnover in the preceding financial year, whichever is higher, and can also issue reprimands or enforcement notices asking companies to bring their cookie compliance in line with the law.

Users can also file claims against companies in court for breach of data protection laws in order to obtain compensation for any losses incurred by the breach – the ICO does not have the authority to issue compensation to those affected.

What does this mean for businesses?

If you own a website, you must ensure it complies with data protection laws and PECR to avoid a complaint being made about your website to the ICO or legal action being taken against you by a user.

Between April 2022 and March 2023, there were 1753 complaints made to the ICO about cookie usage, and certain companies, such as Noyb (an acronym for ‘none of your business’), a not for profit organisation which aims to enforce privacy rights), have even set up a system for scanning and reporting non-compliant cookies banners to the website owners. Some individuals and companies have also been known to contact companies with non-compliant cookie banners requesting compensation.

To avoid enforcement action or fines, you should ensure that

1.  your website enables users to reject cookies easily, as well as accept them and allows users to withdraw their consent as well
2. You are not placing cookies on users’ devices before you get their consent
3. your cookie policies are up to date and in compliance with PECR and UK data protection laws

How can we help?

Our team of commercial specialists regularly advise clients on their use of cookies and can help you to ensure your website uses cookies correctly. Our regulatory team can also advise you if you have received any communication from the ICO or a website user about a non-compliant cookie banner.

If you have any questions about online cookie use, are planning a new online service, or would like to make sure that you comply with UK data protection laws and regulations, please get in touch. I can be contacted on 01206 217371 or via email at lauren.mccarthy@birkettlong.co.uk