UK regulator fires warning shot on cookie compliance
Letter sent to 53 major sites
Data protection watchdog the Information Commissioner’s Office (ICO) has ordered organisations failing to comply with cookie rules to clean up their act or face enforcement action.
The ICO assessed the top 100 UK sites and found that 53 appeared to be non-compliant with the cookie rules set out in the Privacy and Electronic Communications Regulations (PECR) and the UK GDPR. It sent those organisations a warning letter, which it published at the end of last year following a FOI request by technology lawyer and founder of law firm decoded.legal, Neil Brown.
It said that consent was often not properly obtained before dropping non-essential cookies, with no easy way for users to reject them, and that some sites were ignoring cookie refusals entirely.
The regulator warned that it could take action in regard to these suspected infringements unless steps were taken to address its concerns within one month of the letter, which was dated 15th November.
The regulation of cookies and the mechanisms by which users consent to them have been a contentious issue ever since the arrival of the EU GDPR in 2018. The irritating cookie opt-out pop-ups are the result of an industry pushback against initial drafts of the legislation.
In fact, the regulation clearly states that consent must be freely given, specific, informed and unambiguous. This means there must be a clear affirmative action by the user to opt-in to cookies, and that pre-ticked boxes, default settings, inactivity or silence cannot be used to imply consent.
PECR imposes additional restrictions with respect to the use of cookies and their storage on users' devices.
Nevertheless, many websites have implemented workarounds to these rules in order to continue tracking and profiling users, such as relying on "legitimate interest" grounds, which in most cases are not lawful, or deeming some cookies "essential" without explaining why.
In view of the weak enforcement of data protection and privacy legislation by regulators, this approach of giving the appearance of compliance without actually complying is perhaps understandable.
However, said Brown, the letter marks a shift in the ICO's approach and a signal that it is taking the issue more seriously, and represents a "warning shot for organisations still playing fast and loose with the UK's rules on cookies."
"It offers organisations a chance to put things right, rather than imposing immediate enforcement action, but it is the firmest action that the ICO has taken on cookies to date," he told Computing. "It will be interesting to see if enforcement follows for organisations which remain non-compliant."
Organisations identified by the ICO that fail to act face being named publicly or hit with fines.
"UK organisations might be sensible to make a New Year's resolution of ensuring that their websites are getting proper, GDPR-standard, consent for cookies which are not strictly necessary," added Brown.
In a jointly written blog post in August, officials from the ICO and the UK government's Digital Markets Unit confirmed that a website's cookie banner should ensure that declining non-essential cookies is just as easy as consenting to their use.