The ICO’s crack down on cookies: How can I comply?

Companies in control of the UK's top websites have been warned by the Information Commissioner's Office (ICO), that they may face enforcement action if they continue to unfairly prevent users from choosing whether they wish to be tracked for personalised advertising using cookies.

Breaches of cookie regulations, specifically the Privacy and Electronic Communications Regulations (PECR), can have a negative financial impact on businesses, with the ICO being able to impose financial penalties of up to £500,000 (alongside potentially higher UK GDPR related fines).

There is also a high risk of reputational damage with such breaches. It is therefore important to be aware of the applicable regulations and to be confident that your use of cookies is compliant to avoid similar consequences.

A new approach from the ICO?

In its letter to UK Data Protection Officers in charge of the most visited websites in November 2023, the ICO made clear that it is planning to publish the names of organisations that fail to take appropriate steps to address the specific concerns raised by them about their cookie banners.

This follows guidance from the ICO and CMA issued in August 2023 to developers and organisations commissioning websites outlining the harm caused to users as a result of not being able to easily reject cookies. Examples given by the ICO include:

• Gambling addicts being targeted by betting offers based on their browsing history.
• People being targeted with distressing baby adverts shortly after pregnancy loss.

This indicates the potential for a stricter, more proactive approach from the ICO when it comes to cookie regulation, which is perhaps unsurprising following the CNIL's approach to Tik Tik's cookie practices in France. Regulators are beginning to subject organisations to much more scrutiny when it comes to targeted marketing practices. Whilst the ICO's focus has been on the top 100 websites in the UK so far, we can expect their enforcement strategy to broaden out over the coming months, with the potential for real financial penalties.

What are the regulations governing cookies?

Cookies are regulated by PECR in conjunction with the UK GDPR and the Data Protection Act 2018 (DPA 2018) (where personal data applies). Cookies can perform functions that are essential to make a website work – a common type of essential cookie is a user-input cookie where a website recalls your inputs e.g., what you added into your shopping basket the last time you visited the site.

Where the cookie is essential in providing the service to the user, in most cases, consent will not be required. Non-essential cookies, on the other hand, including analytics and advertising cookies (often operated by third parties) do require user consent before they can be placed on a device. Advertisers and analytics companies can use non-essential cookies to monitor browsing habits across the internet.

Where non-essential cookies are used, website operators must:

• Provide clear and comprehensive information about the cookies used e.g., which cookies are set up and what they will be used for.
• Get the user’s consent to use a cookie on their device.

The UK GDPR applies alongside PECR, which states clearly that nothing in PECR ‘shall relieve a person of his obligations under the data protection legislation in relation to the processing of personal data’. The UK GDPR classes cookie identifiers as a type of "online identifier", meaning that in certain circumstances these will be personal data e.g., log in details collected by authentication cookies. The use of cookies will often amount to a processing of personal data and PECR clarifies that the only lawful basis to process this data is by obtaining consent (usually where cookies are non-essential).

What are harmful cookie practices?

In their joint paper of August 2023, the ICO and CMA list a range of harmful practices linked to the design of websites, referred to as online choice architecture (OCA). A key focus is on cookie banners and the consent processes that users encounter.

Where the cookie consent process is prolonged or made more tedious due to the layout and OCA of a site, this is called a 'harmful nudge'. As a result of harmful nudges, users may make choices they wouldn’t otherwise have made that do not align with their best interests.

One common example of this is where a cookie banner may include an option to consent to non-essential cookies with one click (such as 'Allow all') without providing an equivalent option to refuse consent to non-essential cookies with one click at the same stage. The ICO views these techniques as creating 'friction' between different choices, leading to users not fully considering their choices.

When assessing a cookie banner and the use of harmful nudges, the ICO will assess the OCA as to whether it provides adequate choice to the user. To be valid, consent must be freely given, specific and informed (following the UK GDPR definition). Consent must involve an unambiguous positive action, such as ticking a box– and the person must fully understand that they are giving consent.

Where there is friction between choosing 'allow all' or clicking through various layers, the ICO may view these as likely to infringe the 'fairness' and 'transparency' principles of the UK GDPR. These principles can be infringed where an OCA practice unfairly exploits a person’s biases or does not present information in a way that gives equal weight to the risks and benefits of a decision. Consent to process the data, as a result, is unlikely to be informed and would therefore breach the lawfulness requirement of the UK GDPR.

Are my cookies compliant?

In assessing if your cookies are complaint there are several questions to ask, these include:

• What cookies do you currently have and what category do they fall into?
• What is each cookie used for?
• What types of data are the cookies storing?
• Are your cookies processing personal information?
• Are you reducing friction between choices by making it equally easy to 'reject all' and 'accept all'?
• Is the information you are providing users about cookies accurate?

In the wake of the ICO's new approach and recent call out to the UK's top companies, it is now essential for all websites to comply with cookie regulation.

To understand how your site uses cookies and the potential risks of using them, it is recommended that a full cookie compliance audit is carried out to confirm whether your cookies meet the criteria set by the ICO. Our experts in the Commercial team would be happy to assist with this, so please get in touch.