Advertising Cookies and Threat of ICO Enforcement Action
Published: February 1st, 2024
The ICO (Information Commissioner's Office) has warned this week that it will take enforcement action against organisations using advertising cookies on websites without the consent of users. This follows an earlier announcement at the end of last year, when the ICO wrote to organisations running the UK's top websites and gave them a period of 30 days to ensure that the cookie banners on their websites are legally compliant.
A copy of the announcement made by the ICO is available to view here.
Background
Targeting and advertising cookies are designed to track your online activity and deliver personalised advertisements to you. The use of cookies is governed by the Privacy and Electronic Communications Regulations 2003 (PECR) and the UK General Data Protection Regulation (UK GDPR).
The rules set out in PECR and the UK GDPR mean that when using targeting and advertising cookies:
The user must take a clear and positive action to give their consent (continuing to use the website will not constitute valid consent);
You must inform users about what cookies your website uses and what they do, before the user consents to them being set;
If you use third party cookies, you must specifically name the third parties;
Pre-ticked boxes or sliders already set to 'accept' will not constitute valid consent; and
Targeting and advertising cookies must not appear on your landing page or start running before a user has consented to the use of cookies.
ICO Enforcement Action
Back in November 2023, the ICO wrote to the UK's top websites to warn that it had concerns about the use of advertising cookies on their websites. These concerns included advertising cookies being used on websites without consent, advertising cookies being placed before users were given the opportunity to consent, and users being unable to reject advertising cookies as easily as they can accept them.
The ICO gave these organisations one month to bring their websites' cookie banners into compliance with the requirements of PECR and the UK GDPR. It warned that failure to do so may result in regulatory action.
The ICO has now announced that it is expanding its work to cover a wider range of websites and will be deploying an AI solution to help identify websites using non-compliant cookie banners. Organisations should therefore be proactive and review their cookie banners to ensure that they are legally compliant.
Analysis
The ICO has received complaints for years about harmful tracking and advertising cookies, for example in cases where self-harm may be promoted, and has come under pressure to take action against the UK's top websites, where there has often been a complete disregard for the law. Organisations should now be reviewing their cookie banners to ensure that they are legally compliant.