ICO admits its own cookie policy is non-compliant with GDPR
The regulator responsible for data protection laws says a website upgrade will arrive next week

The organisation in charge of regulating UK data laws has confirmed it will be making changes to its cookie policy following complaints that its site was storing data without user consent.
The Information Commissioner's Office has admitted that its current consent notice relating to the use of cookies on devices failed "to meet the required GDPR standard".
The issue concerns the automatic placing of cookies on a user's mobile device when accessing the ICO's website. One complaint argued that this was in breach of the Privacy and Electronic Communications Regulations 2003, the rules that sit alongside GDPR.
Article 6 of these regulations prohibits the storage of, or access to, information held on a user's device unless explicit consent is given. The complaint's argument was that, because these cookies were set automatically, users had no opportunity to reject them.
In an email shared to Twitter, a spokesperson responding on behalf of the ICO's DPO said: "I acknowledge that the current cookies consent notice on our website doesn't meet the required GDPR standard."
"We are currently in the process of updating this to align our use of cookies to the GDPR standard of consent and we will be making amendments to this information during the week commencing 24 June."
The regulator has since confirmed this in an email to IT Pro.
Because the upgrade work had largely gone unnoticed by the wider community, the admission that its policy was not compliant with GDPR has drawn the ire of industry experts, who claim the watchdog is unable to follow its own advice.
A page explaining its approach to data gathering says the ICO relies on the implied consent of users, but that changes are being made to upgrade to the latest version of its Civic Cookie Tool, which requires explicit consent by default, including for non-necessary cookies. The latest version is said to offer the necessary provisions for the use of cookies on devices, but the watchdog has yet to upgrade.
A spokesperson for Civic UK confirmed to IT Pro that the planning and implementation of the tool had been left entirely to the ICO, and that the latest version would make the regulator compliant with GDPR cookie laws.
Carl Gottlieb, data protection officer for Hudl and Duolingo, told IT Pro that it was rare to see a regulator admit to its mistake, but that a lack of clear guidance on cookie laws is creating confusion across the industry.
"I believe it was in May 2018 that the ICO stated they would be moving to the new version of the Civic cookie consent tool, but there has since been no evidence nor mention of this happening," said Gottlieb.
"It's unclear what infringement the ICO are admitting to here, and whether this is an official ICO stance or just one lone caseworker's opinion. It is certainly surprising to see a regulator openly apologise."
In an inspection by the European Data Protection Supervisor (EDPS) into the websites of ten major EU institutions and public bodies, it was found that seven contained data protection or privacy issues and were either non-compliant with the ePrivacy Directive or failed to follow EDPS guidelines. These included the websites for the European Data Protection Board, the body responsible for overseeing the implementation of GDPR across the EU, and the International Conference of Data Protection and Privacy Commissioners.
"At the heart of this issue is the lack of clear rules on cookie compliance," said Gottlieb. "For example, the ICO and the law firm FieldFisher both follow the EU 2012 opinion that anonymous Google Analytics does not require consent, but merely an opt-out. Potentially this opinion would be unchanged within the GDPR era."
"Unfortunately many are ignorant of this EU opinion or disagree with its merits and thus take a stricter line on compliance. We have a state of confusion amongst data protection experts which makes compliance a huge problem for anyone operating a website."
"The bigger problem is a lack of regulatory enforcement against cookie compliance breaches," added Gottlieb. "Until we see some action, website operators can continue to freely ignore the rules with no consequence."
Dale Walker is a contributor specializing in cybersecurity, data protection, and IT regulations. He was the former managing editor at ITPro, as well as its sibling sites CloudPro and ChannelPro. He spent a number of years reporting for ITPro from numerous domestic and international events, including IBM, Red Hat, Google, and has been a regular reporter for Microsoft's various yearly showcases, including Ignite.