Cookies and compliance: a winter warning for websites
19 December 2023
Background
This year, Santa Claus will not be alone in judging the quality of your cookies over the festive period, as the Information Commissioner’s Office (‘ICO’) has already warned a number of the UK’s biggest websites that they could face enforcement action for failing to comply with data protection laws. This includes the UK GDPR and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (‘PECR’) – the two primary regulations which govern the use of cookies in the UK.
In particular, the ICO has found that several websites do not provide users with a fair choice to opt out of tracking. Tracking is carried out by advertising cookies, which can lead to users being subjected to personalised advertising. This can be a cause for concern where, for example, an individual who may have a gambling addiction could be targeted with advertisements for betting platforms, based on their browsing history.
Some of the most popular UK websites have been given a 30-day window by the ICO to rectify their use of cookies so that they are in accordance with data protection laws before enforcement action may be taken.
How can I ensure that my website cookies comply with data protection laws?
The ICO’s key concern is that websites must make it as easy for users to reject all advertising cookies as it is to accept them. This is commonly seen in the form of cookie consent banners and pop-ups which prompt the user to ‘accept all’ or ‘reject all’ cookies.
The ICO has published guidance which may help to determine whether your cookie policy needs to be amended. The key takeaway from this guidance is that you must be clear and upfront with users about how cookies operate on your website. Specifically, user consent should be obtained by providing the user with clear information about what they are being asked to agree to in terms of allowing cookies. Obtaining user consent must involve a form of unambiguous positive action to opt in to the use of advertising and other non-essential cookies.
Non-compliant cookies
As mentioned, companies that have received the ICO’s recent warning may face enforcement action if they cannot comply with data protection laws within the 30-day window. Enforcement could have significant financial consequences for offenders since fines under PECR can reach up to £500,000, and serious infringements of the data protection principles can reach up to £17.5 million or 4% of annual worldwide turnover, whichever is higher.
Aside from the potential financial consequences, businesses may also suffer reputational damage, as the ICO is planning to publish an update in January next year which will include details of the companies that have failed to address the ICO’s concerns.
The Birketts view
It is evident that the ICO is now being more proactive in trying to ensure that UK websites are using cookies in accordance with data protection laws. This further emphasises the importance of reviewing any relevant cookie policies to check they are up to date and fit for purpose, as well as making it clear and simple for users to reject all non-essential cookies on your websites.
Following in the footsteps of Santa Claus, the ICO is making a list and checking it twice, so make sure your cookies are compliant and reserve your place on the ICO’s nice list this Christmas.
The content of this article is for general information only. It is not, and should not be taken as, legal advice. If you require any further information in relation to this article please contact the author in the first instance. Law covered as at December 2023.