ICO warning on advertising cookie compliance

Background on recent ICO communication on cookie compliance

The ICO recently published a warning for organisations that are proactively making use of advertising cookies to ensure they are continuing to comply with data protection laws. This follows a ‘call to action’ by the ICO in November 2023, warning several of the UK’s top websites using cookies that they would face enforcement action if they did not comply with existing data protection law.

Cookies are small pieces of information, normally consisting of just letters and numbers, which online services provide when users visit them. Software on the user's device, for instance a web browser, can store cookies and send them back to the website the next time they visit.

Advertising cookies and similar technologies are governed and regulated under the Privacy and Electronic Communications Regulations (PECR) and, insofar as cookies collect personal data, the UK GDPR as well. While the PECR requires opt-in consent for cookies or similar technologies, the UK GDPR provides detailed obligations around transparency and consent. For such consent to be valid, it must be provided through affirmative action (i.e., no pre-ticked boxes) and be preceded by the required transparency information.

The ICO noted the overwhelmingly positive response from the organisations contacted. The majority changed their cookie banners while a few others provided assurances that they would do so within a month. The ICO noted that several other organisations were working toward alternative solutions such as contextual advertising and subscription models.

What does this mean for your website and overall data protection compliance program?

The ICO expects that “all websites using advertising cookies or similar technologies to give people a fair choice over whether they consent to the use of such technologies.” In practice, this means that organisations must ensure that they comply with both PECR and the UK GDPR. The ICO has warned that organisations who fail to do so “can expect to face the consequences.”

The ICO has been very clear that it intends to inspect other websites in the UK for cookie compliance. “We will not stop with the top 100 websites,” the ICO’s press release states. “We are already preparing to write to the next 100 – and the 100 after that.”

Failing to meet current data protection legislative requirements may result in enforcement actions, including fines of up to 4% of global turnover or £17.5 million, the greater of (under the UK GDPR) and £500,000 (under the PECR), in addition to the reputational damage and potential loss of trust by users.

We would like to highlight, however, that penalties under the PECR are set to change under the Data Protection and Digital Information Bill, which would align thresholds with those of the UK GDPR. Namely, the maximum penalty will be raised to £17.5 million 4% of the undertaking’s total annual worldwide turnover in the preceding financial year, whichever is higher.

For more information about proposed changes under the Data Protection and Digital Information Bill, please visit this article.

In light of the above, it may also be a good time to refresh your knowledge and visit the ICO’s cookie guidance.

If you have any queries or would like further information, please visit our data protection services section or contact Christopher Beveridge.