HFW

Briefing

ICO Issues Warning To Organisations To Make Advertising Cookies Compliant With Data Protection Law

In November 2023, the Information Commissioner’s Office (the ICO) wrote to some of the UK’s top websites to warn them that they may face enforcement action unless they made their cookie banners compliant with data protection law.1

The ICO is concerned that some websites do not provide users with “fair choices” about the use of advertising cookies. On 31 January 2024, the ICO provided an update on its November call to action and issued a further warning to organisations to make advertising cookies compliant with data protection law.

The ICO’s warnings

In November 2023, the ICO wrote to 53 of the UK’s top 100 websites2 with concerns that their cookie banners were not compliant with the rules on advertising cookies. These are cookies which enable the website to track a user’s browsing in order to provide personalised advertising. The ICO warned the websites that they had one month to make their cookie banners compliant with data protection law or they risked facing enforcement action.

On 31 January 2024, the ICO provided an update on the response to its November call to action. Of the 53 organisations contacted by the ICO:

  • 38 organisations had amended their cookie banners to be compliant with data protection law;
  • 4 organisations had committed to reach compliance “within the next month”; and
  • Other organisations were working to develop alternative solutions, including “contextual advertising and subscription models”. The ICO stated that it “will provide further clarity on how [contextual advertising and subscription] models can be implemented in compliance with data protection law in the next month”.3

The ICO’s warnings are part of its work to ensure that users’ rights are upheld by the online advertising industry. Stephen Almond, ICO Executive Director of Regulatory Risk, stated that ICO “research shows that many people are concerned about companies using their personal information to target them with ads without their consent”.4

Stephen Almond stated that the ICO “will not stop with the top 100 websites. We are already preparing to write to the next 100 – and the 100 after that”. Accordingly, the ICO warned organisations to make advertising cookies compliant with data protection law before the ICO “comes knocking”.

In order to accelerate its efforts in ensuring compliance with data protection law, the ICO is developing an AI solution which will help to identify websites that use non-compliant cookie banners.

What are the rules on cookies?

Cookies are small text files that are downloaded onto terminal equipment (e.g. a computer or smartphone) when a user accesses a website. Cookies are typically used to make a website perform more efficiently and to personalise the website for the user, for example, by storing information about the user’s preferences.

The rules on cookies are set out in Regulation 6 of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR). The rules do not apply to: (a) cookies that are “for the sole purpose of carrying out or facilitating the transmission of a communication over an electronic communications network”5 (the communication exemption); or (b) cookies that are “strictly necessary for the provision of an information society service6 requested by the subscriber or user”7 (such strictly necessary cookies are referred to as ‘essential cookies’ in this briefing).

The communication exemption concerns the transmission of a communication over an electronic communications network. For a communication to take place over a network between two parties, there must be: (1) the ability to route information over a network, by identifying the communication ‘endpoints’ (i.e. devices that accept communications across that network); (2) the ability to exchange data items in their intended order; and (3) the ability to detect transmission errors or data loss. The communication exemption includes cookies that fulfil at least one of these functions and that are for the sole purpose of the transmission. In other words, the “transmission of the communication must be impossible without the use of the cookie”.8

Essential cookies are necessary for the operation of a website, for example, cookies that remember the goods which a user has placed in their online shopping basket. Essential cookies do not include cookies which are merely helpful or convenient, for example, advertising cookies or cookies that count the number of visits to a website. The exception for essential cookies which do not require consent is likely to apply almost exclusively to session cookies, i.e. a cookie that lasts only for the session, and first-party cookies, i.e. a cookie created and stored by the website being visited directly.

The ICO’s warnings focused on advertising cookies. However, its comments are applicable to all non-essential cookies and cookies that are not covered by the communication exemption.

If using such cookies, the organisation must: (a) inform users that the cookies are there; (b) explain what the cookies are doing and why; and (c) obtain the user’s consent to store cookies on their device.9 The information provided to the user must be “clear and comprehensive”. This requirement is typically complied with by including a cookie policy on the website which provides information about the cookies used. The ICO states that it is good practice to provide users with information about all cookies, including essential cookies and those covered by the communication exemption, even though technically this is not required for cookies which are essential or covered by the communication exemption.10

PECR does not provide a definition of consent. The applicable definition of consent is that set out in Article 4(11) of the UK GDPR. This states that “‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”. The requirement to obtain consent is typically complied with by including a cookie banner which contains a link to the cookie policy and asks users whether they consent to the use of cookies, except cookies which are essential for the operation of the website and cookies which are covered by the communication exemption. Stephen Bonner, the Deputy Commissioner of the ICO, stated in June 2023 that if a company does not have a ‘reject all’ button in its cookie banner, then it is “breaking the law”.

The Data Protection and Digital Information Bill (the Bill), currently at the House of Lords Committee stage, would, if enacted, extend the range of exemptions from the requirement in PECR to obtain the prior consent of the user to the use of non-essential cookies and cookies which are not covered by the communication exemption. For example, an organisation would no longer need to obtain consent where the cookies are for the purpose of collecting statistical information about a service in order to improve that service. The Bill also includes powers for the Secretary of State to introduce regulations which would allow consent to cookies to be given automatically via browser settings in the future.11

The Bill proposes to increase fines for failing to comply with PECR from £500,000 to a maximum of €20 million or 4% of total annual worldwide turnover.

What must organisations do to ensure that their websites are compliant with the rules on cookies?

In order to comply with the rules on cookies, organisations must:

  1. Provide “clear and comprehensive” information about the use of cookies, including their purpose. Organisations should ensure that their website has a cookie policy which addresses these points.
  2. Obtain users’ consent to the use of non-essential cookies and cookies which are not covered by the communication exemption. Organisations should ensure that they have a cookie banner which includes a link to their cookie policy and asks users whether they consent to the use of such cookies. The cookie banner should contain a ‘reject all’ cookies button which is as prominent as the option to accept cookies. The ICO has stated that users should be able to reject non-essential cookies and cookies that are not covered by the communication exemption as easily as they can accept them. In addition, the cookie banner cannot use pre-ticked boxes or sliders pre-set to ‘on’. Organisations must not place cookies, or process personal data using those cookies, without first obtaining valid consent from the user.
  3. Ensure that they do not place non-essential cookies or cookies that are not covered by the communication exemption on the website homepage as they must first obtain the user’s consent to the use of such cookies.
  4. If users reject the use of non-essential cookies or cookies that are not covered by the communication exemption, ensure that they do not place such cookies on the user’s device. Adverts can still be displayed on the website, but these must not be tailored to the user’s browsing.
  5. If using third-party cookies, inform the user who the third parties are and explain what the third parties will do with the information. A third-party cookie is a cookie set by a party which is not the operator of the website that the user is visiting, for example, an advertiser.
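As an added illustration, not part of HFW’s briefing and not code published by the ICO, the JavaScript below shows how a site can enforce points 2 to 4 above in its front-end logic: no non-essential cookie is placed until an affirmative choice is recorded, the absence of a choice is treated as no consent, every non-essential option defaults to off, a rejection is honoured by never running the deferred third-party tag, and a later withdrawal removes cookies placed under an earlier acceptance. The category names, the `MemoryCookieJar` stand-in for `document.cookie` and the `consent_prefs` cookie are assumptions made for the example.

```javascript
// Added example (not HFW's text or ICO code): a minimal consent gate for non-essential
// cookies. Category names and the cookie-jar interface are assumptions for illustration.

// 'essential' maps to the strictly-necessary exemption; every other category needs consent.
const CATEGORIES = ['essential', 'analytics', 'advertising'];

// In-memory stand-in for document.cookie so the example runs outside a browser.
class MemoryCookieJar {
  constructor() { this.store = new Map(); }
  set(name, value, attrs = {}) { this.store.set(name, { value, attrs }); }
  remove(name) { this.store.delete(name); }
  has(name) { return this.store.has(name); }
}

class ConsentManager {
  constructor(jar) {
    this.jar = jar;
    this.decision = null;   // null = no choice made yet, which is treated as no consent
    this.pending = [];      // third-party loaders deferred until their category is consented
    this.placed = { analytics: new Set(), advertising: new Set() }; // non-essential cookies we set
  }

  // Initial banner state: every non-essential option off (no pre-ticked boxes or 'on' sliders).
  defaultChoices() { return { analytics: false, advertising: false }; }

  acceptAll() { this.record({ analytics: true, advertising: true }); }
  rejectAll() { this.record(this.defaultChoices()); }

  // Only an explicit recorded decision grants consent; 'essential' never needs it.
  hasConsent(category) {
    if (category === 'essential') return true;
    return this.decision !== null && this.decision[category] === true;
  }

  record(choices) {
    this.decision = { ...this.defaultChoices(), ...choices, at: new Date().toISOString() };
    // Remembering the user's choice is itself strictly necessary, so it is a first-party essential cookie.
    this.jar.set('consent_prefs', JSON.stringify(this.decision),
      { maxAge: 180 * 24 * 3600, sameSite: 'Lax' });
    // Withdrawal: remove cookies placed under an earlier acceptance for categories now rejected.
    for (const [cat, names] of Object.entries(this.placed)) {
      if (!this.hasConsent(cat)) { names.forEach((n) => this.jar.remove(n)); names.clear(); }
    }
    // Run deferred loaders whose category is now consented; keep the rest waiting.
    const stillPending = [];
    for (const p of this.pending) {
      if (this.hasConsent(p.category)) p.load(); else stillPending.push(p);
    }
    this.pending = stillPending;
  }

  // Refuses to place a cookie whose category lacks consent; returns whether it was set.
  setCookie(name, value, category, attrs = {}) {
    if (!CATEGORIES.includes(category)) throw new Error(`unknown cookie category: ${category}`);
    if (!this.hasConsent(category)) return false;
    this.jar.set(name, value, attrs);
    if (category !== 'essential') this.placed[category].add(name);
    return true;
  }

  // Defers a third-party tag (e.g. an ad network script) until its category is consented.
  loadWhenConsented(category, load) {
    if (this.hasConsent(category)) { load(); return true; }
    this.pending.push({ category, load });
    return false;
  }
}

// Walks through one visit: no choice yet, reject, change of mind, then withdrawal.
function demo() {
  const jar = new MemoryCookieJar();
  const cm = new ConsentManager(jar);
  const out = {};
  out.beforeChoice = cm.setCookie('ad_id', 'constructed-value', 'advertising');     // no decision -> false
  out.essentialSet = cm.setCookie('session', 'constructed-session', 'essential');   // exempt -> true
  // Hypothetical ad tag: its cookie is only set once the tag is allowed to run.
  out.adTagRanImmediately = cm.loadWhenConsented('advertising', () =>
    cm.setCookie('ad_id', 'constructed-value', 'advertising'));
  cm.rejectAll();
  out.afterReject = jar.has('ad_id');     // rejection honoured -> false
  cm.acceptAll();
  out.afterAccept = jar.has('ad_id');     // deferred tag ran -> true
  cm.rejectAll();
  out.afterWithdraw = jar.has('ad_id');   // withdrawal purged it -> false
  out.prefsStored = jar.has('consent_prefs');
  return out;
}
```

The point of the design is that the default branch is the safe one: every path that has not seen an affirmative choice behaves exactly like a rejection, so a banner that is dismissed, ignored or never rendered cannot result in advertising cookies being placed. Prominence of the ‘reject all’ control is a presentation matter the code cannot enforce, but `defaultChoices()` is where a site would check that no non-essential option is pre-set to on.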

Next steps

Organisations with a UK website or targeting UK customers should review how their website uses cookies and their cookie banners. They should ensure that they have an adequate cookie policy and that their cookie banner complies with the cookie rules. If they fail to do so, they may be subject to enforcement action by the ICO, including significant fines.

Footnotes

  1. Commissioner warns UK’s top websites to make cookie changes | ICO
  2. The top 100 websites were determined based on the active time spent by UK users on the websites in May 2023: cookie-banner-concerns.pdf (ico.org.uk).
  3. ICO warns organisations to proactively make advertising cookies compliant after positive response to November call to action | ICO
  4. Commissioner warns UK’s top websites to make cookie changes | ICO
  5. PECR, Article 6(4)(a)
  6. An information society service is a service delivered over the internet.
  7. PECR, Article 6(4)(b)
  8. What are the rules on cookies and similar technologies? | ICO
  9. Cookies and similar technologies | ICO
  10. Cookies and similar technologies | ICO
  11. The European Commission has proposed an ePrivacy Regulation which, if enacted, would simplify the EU rules on cookies: Proposal for an ePrivacy Regulation | Shaping Europe’s digital future (europa.eu). The rules will be “more user-friendly as browser settings will provide an easy way to accept or refuse tracking cookies and other identifiers”. Additionally, no consent would be needed for “non-privacy intrusive cookies that improve internet experience, such as cookies to remember shopping-cart history or to count the number of website visitors”. The Commission adopted its proposal for the ePrivacy Regulation in 2017 and trilogues began on 20 May 2021. These are interinstitutional negotiations between the European Commission, the European Parliament and the Council of Ministers: Carriages preview | Legislative Train Schedule (europa.eu).
