As we heard at the ICO’s annual conference in October 2023, and many times before and since, the time for cookie enforcement is nigh. It now seems that, just in time for Christmas, a number of the UK’s most visited websites are facing fines unless they change their approach to cookies and make it crystal clear that cookies are optional.
Then, on 21 November 2023, the ICO announced it had written to a number of organisations giving them 30 days to ensure their websites comply with the law. In rhetoric familiar from many CNIL decisions (for one such example see our article here), the ICO reiterated that “organisations must make it as easy for users to ‘Reject All’ advertising cookies as it is to ‘Accept All’”.
The ICO’s guidance to date has not explicitly stated what it means by this; instead it has given examples of suggested best practice as well as what not to do. It will be interesting to see how organisations that have received a letter interpret this. The ICO also restates that “[w]ebsites can still display adverts when users reject all tracking, but must not tailor these to the person browsing”. Could this be taken as a bit more of a green light for measurement?
At the end of its announcement the ICO fires a final shot across the bows, warning that it plans to provide an update on this work in January 2024 and, notably, to include “details of companies that have not addressed our concerns”. This means companies that do not comply will face not just regulatory fines but also reputational risk.
The timing of this is certainly interesting given the overhaul to cookie compliance proposed in the reintroduced Data Protection and Digital Information Bill (for example there are proposals to significantly widen the current exceptions to the cookie consent requirement to include purposes that in the Government’s view “present a low risk to people’s privacy”) as well as the Government’s general push for users to make choices at browser level in the hope that cookie banners will soon be a thing of the past (remember the headlines such as “UK to Kill ‘Irritating’ Cookie Pop-Ups in Brexit Data Plan”?).
One change that will certainly focus the minds is the uplift in the maximum amount an organisation can be fined, increasing from the current £500,000 to bring it into line with UK GDPR fines, so £17.5 million or 4% of annual worldwide turnover. While this provision is not yet in force as the Bill is still making its way through Parliament, it is a clear indication of what the future holds for those found to be non-compliant.
If you would like to discuss these issues or have questions about online advertising in general, please get in touch with your usual Lewis Silkin contact who would be happy to help.
“Many of the biggest websites have got this right. We’re giving companies who haven’t managed that yet a clear choice: make the changes now, or face the consequences.” Stephen Almond, ICO Executive Director of Regulatory Risk