The UK Information Commissioner has warned some of the UK’s top websites that if they don’t offer users fair choices over cookie use, as required by data protection law, they will face enforcement action.
Guidance Not Being Followed The Information Commissioner argues that although it has previously issued clear guidance that organisations must make it as easy for users to “Reject All” advertising cookies as it is to “Accept All,” this guidance is still not being followed in many cases. The Issue The issue is that people are concerned about companies using their personal information to target them with ads without their consent. However, some cookies used by websites track users so that they can serve personalised advertising to the user based on their browsing. Therefore, the ICO says that websites must clearly give users the opportunity to reject (or accept / consent to) these types of cookies in order to be compliant with data protection laws. Stephen Almond, ICO Executive Director of Regulatory Risk, has given examples on the ICO website, of ways that website users can be negatively affected if the top websites they visit aren’t compliant in this way. Mr Almond says: “Gambling addicts may be targeted with betting offers based on their browsing record, women may be targeted with distressing baby adverts shortly after miscarriage and someone exploring their sexuality may be presented with ads that disclose their sexual orientation.” Only 30 Days To Comply The ICO says that it has therefore written to companies running many of the UK’s most visited websites setting out its concerns and giving them 30 days to ensure their websites comply with the law. Previous Warning This latest announcement follows a warning and a paper outlining guidance issued back in August. At the time, the ICO warned designers and developers to stop using harmful design practices that could: “Undermine people’s control over their personal information and lead to worse consumer and competition outcomes.” Legislation Changes Concerning The current regulations relating to cookie usage are split between General Data Protection Regulation (GDPR) and the Privacy and Electronic Communications Regulations (PECR). The PECR (known as the “cookie law”) led to the introduction of cookie consent pop-ups on websites. Concerns Over New Bill However, a new data protection and digital information bill is on the way which has concerned privacy groups because: – It will mean fewer cookie consent pop-ups. – It will allow some websites to collect information (to improve service and security) without consent. – It will give ministers the power to add new exceptions to cookie consent requirements. What Does This Mean For Your Business? As the ICO’s Stephen Almond says, “many of the biggest websites have got this right” yet it appears that the Information Commissioner has now run out of patience with companies that haven’t yet decided (for whatever reason) to get to grips with and comply with data privacy regulations.The ICO’s warning to the UK’s top websites about cookie consent has significant implications for businesses, especially those with high online traffic. This move signals an increased urgency for these websites to comply with data protection laws – 30 days isn’t a long time for big companies to comply, although some would argue they’ve had years already to do so. Emphasising the need for fair-use, transparancy and user-friendly cookie consent mechanisms is, therefore, the drive behind the Information Commissioner’s latest ultimatum with the focus on high-traffic sites. This seems to indicate that businesses with larger user bases now face greater scrutiny, and compliance may now be not only a legal necessity but also crucial for maintaining user trust and brand reputation. The ICO’s announcement serves as a stark reminder for all businesses about the importance of adhering to data protection regulations. This includes staying informed about impending legislative changes that could affect cookie consent and data collection practices (remember, the new bill will see ministers able to make changes to cookie exceptions). For web designers and developers, this latest announcement underscores the need to prioritise user privacy in their designs, moving away from methods that subtly coerce users into accepting cookies. With public concern over the use of personal data in advertising, this story is a reminder that businesses must be transparent in their cookie usage and provide clear consent options and that this approach is vital in enhancing the trustworthiness of the site. Overall, the ICO’s warning highlights the necessity for a comprehensive and proactive approach to data privacy and protection, urging businesses to not only comply with current laws but also prepare for future changes in legislation and public expectations.