ICO issues warning to websites over cookie consent policies

Concerns expressed that some websites are not providing users with a clear choice regarding personalised ads

The Information Commissioners Office has issued a stern warning to websites that fail to comply with cookie consent policies, threatening harsh penalties and public naming. The ICO expressed concerns that some websites are not providing users with a clear choice regarding personalised advertising consent, making it equally convenient to 'reject all' as to 'accept all'.

While websites can still display ads even when users reject tracking, the ICO emphasized that such ads should not be tailored to the individual's browsing history. Stephen Almond, the ICO executive director for regulatory risk, cautioned websites that consistently fall short on cookie consent, stating that non-compliant sites will face regulatory action.

Almond highlighted the intrusive nature of targeted ads based on personal information, citing examples such as gambling addicts receiving betting offers, women encountering ads for baby equipment after a miscarriage and individuals facing ads disclosing their sexual orientation during exploration.

The ICO, without disclosing specific names, revealed that it has communicated with companies running some of the UK's most-visited websites regarding concerns over their cookie consent policies. These companies have been given a 30-day ultimatum to bring their websites in line with current legislation.

"We've all been surprised to see adverts online that seem designed specifically for us - an ad for a hotel when you've just booked a flight abroad, for instance. Our research shows that many people are concerned about companies using their personal information to target them with ads without their consent," Almond commented.

The ICO previously signaled a crackdown on cookie consent earlier this summer, initiating assessments of cookie consent banners and pledging action against non-compliance. Despite the UK's departure from the EU, the legal requirements for cookie banners, originating from the GDPR, remain unchanged.

Companies are mandated to obtain explicit consent from users before employing marketing cookies or trackers, with buttons ensuring it is as easy to deny consent as it is to grant it. The ICO plans to provide an update on compliance progress in January, with details of non-compliant organisations made public.

The European Data Protection Board (EDPB) recently released guidelines on cookie use clarifying covered tracking techniques. These guidelines aim to prevent circumvention of consent obligations, addressing methods like tracking links, pixels, local processing, and unique identifiers.