Crackdown on consent for cookies is coming
◆ Regulator is set to adopt a tougher approach, warns Laura Irvine
Cookies and similar technologies, like tracking pixels, allow websites and apps to access information on computers, mobile phones and other electronic devices. They provide analytics about who is viewing and interacting with webpages, helping the owner to better personalise the user experience and analyse what is working.
Information obtained from cookies also presents a serious risk as it can be used by third parties to build detailed individual profiles which feed algorithms to manipulate our behaviour for commercial and political means.
The law relating to cookies and other tracking tools is found in the Privacy and Electronic Communications Regulations (PECR). These say a website operator shouldn’t store or gain access to information on a user’ s device unless it’ s been clearly explained how such information will be collected, used and shared. It also requires the user to provide consent for this information to be used.
Consent must be freely given, not implied or assumed or obtained by tricks or nudges. While essential cookies, which enable a website to function correctly, do not require consent, they must be critical for its operation.
In 2019, the Information Commissioner’s Office (ICO) issued guidance stating that cookie banners used on many websites, platforms, and apps were not fit for purpose as they didn’ t obtain the required consent for placing non-essential cookies. However, it took the U km ore than four years to act on this issue. Last August the ICO published further guidance stating that a website’s cookie banner should“make it as easy to reject non-essential cookies as it is to accept them” and promised action against those who do not comply.
The UK Government’s Data Protection and Digital Information Bill is proposing to allow analytics cookies to be deployed without consent, but only where information is used by the website operator and not third parties. The Bill also introduces higher fines for non-compliance with PECRS, increasing the maximum fine from £0.5m to £17.5m.
Website operators should ensure users can reject cookies as easily as they can accept them. While some websites continue to rely on legitimate interests to deploy cookies, this is not lawful and will be another area of focus for the regulator.
While the ICO has yet to take regulatory action for cookie breaches, European supervisory authorities have been more active. In 2023, France’s regulator CNIL fined Tiktok €5m for requiring users to select multiple options to reject cookies but only one to accept. A year earlier, CNIL also fined Microsoft Ireland €60m for failing to provide an easy option to reject cookies on bing.com. CNIL also found user information was being used for advertising purposes without consent.
We are already seeing strong evidence of a tougher ICO approach to non-compliance. It reported that 38 of 53 organisations it recently contacted have updated cookie banners to ensure they are compliant with its 2019 guidance.
In a blog posted in January, the ICO set out its intentions, saying it had monitored the top 100 websites and was preparing to contact the next 100 as well as the 100 after that. This new vigour means that website operators of all sizes must ensure they are compliant with laws governing cookies or face significant penalties.