UK ICO issues clear warning over cookie policies

Pending legislation has prompted the UK ICO to warn it is preparing to enforce requirements for cookies compliance.

On November 21, 2023, the UK Information Commissioner’s Office (ICO) issued a warning of potential enforcement actions against some of the UK’s top websites if they fail to make swift changes for cookies compliance in line with UK privacy laws.

The ICO’s 30-day ultimatums follow on from investigations undertaken at the start of November into whether the websites concerned were providing users with fair choices over the use of cookies for tracking/personalized advertising. In line with its previous blog post from August 2023, the ICO has reiterated the need to make it as easy to “Reject All” advertising cookies as it is to “Accept All” at the top of a cookie banner.

ICO focus

More specifically, the ICO’s investigations focused on whether:

  1. non-essential advertising cookies are placed before the user has the opportunity to provide consent;
  2. users can reject non-essential advertising cookies as easily as they can accept them;
  3. non-essential advertising cookies are placed even if the user did not consent to such cookies.

With the ICO set to revisit the position in January, several businesses face an immediate threat of enforcement. But, more broadly, these recent investigations and threats of enforcement action should serve as a call to action for many more website operators.

This is the ICO sending a warning shot, emphasising the need for other website operators to get to grips with the up-to-date view of cookie consent requirements and update their approach to align with it, particularly with the landscape on fines and enforcement set to shift with the pending Data Protection and Digital Information Bill (DPDI Bill/the Bill).

What should I do?

  1. Ensure you understand what cookies (and similar technologies) you are using. This is likely to require a cookies audit (particularly if one has not been undertaken recently) to review existing practices, check and validate the customer journey, and refresh related cookies policies which may be out of date. Any such review should, where necessary, include the following additional areas:
    • Evaluate cookies banners and preference centres. Enhance user experience by providing clear and accessible information and user choices.
    • Ensure explicit user consent is secured for non-essential cookies. The ICO emphasizes the inadequacy of passive actions, such as continuing to use a website.
    • Where appropriate, implement a “reject all” button on top-level cookie banners, for enhanced user control and compliance with ICO expectations.
  2. Stay informed on regulatory changes. Anticipate shifts in enforcement, fines, and potential flexibility in cookies compliance from the future DPDI Bill. The Bill is expected to introduce additional flexibility for analytics cookies (see below), but brace for a more vigilant regulatory landscape with increased fines.
  3. Implement robust internal review processes. Integrate cookies compliance into the fabric of new website and app development projects. Ensure a proactive and sustainable approach rather than intermittent, one-off audit events.

What will the DPDI Bill change?

The impending DPDI Bill announced in the King’s Speech carried over the Data Protection and Digital Information (No.2) Bill, which was introduced in its current form in June 2023, to the next Parliamentary session.

As reported previously, we can expect significant changes on fines, including stricter enforcement and an increased upper limit of £17.5m ($2.2m) or 4% of global annual turnover.

There may also be some flexibility to look forward to for UK website operators, in the form of relaxed consent requirements for analytics cookies and similar technologies. However, this flexibility may not be so helpful for multinational websites with combined UK/EU coverage, as a divergence between the UK and EU approaches here may necessitate website/systems redesign to handle the UK and EU requirements separately.

The UK regulator is not alone in focusing on cookie consent and notice requirements. It has become a topic of focus for regulators and litigation claims in the EU, US and elsewhere around the globe, so those operating websites internationally have even more reason to re-assess historic approaches.

Paula Barrett, a partner in the London office, co-leads the global cybersecurity and privacy practice. Dave Hughes is a partner and Jonathan Palmer is a senior associate in the same team.