ICO admits its own cookie policy is non-compliant with GDPR


The organisation in charge of regulating UK data laws has confirmed it will be making changes to its cookie policy following complaints that its site was storing data without user consent.

The Information Commissioner's Office has admitted that its current consent notice relating to the use of cookies on devices fails "to meet the required GDPR standard".

The issue relates to the automatic placing of cookies on a user's device when accessing the ICO's website, which one complaint argued was in breach of the Privacy and Electronic Communications Regulations 2003 (PECR), which sit alongside GDPR.

Regulation 6 of PECR prohibits storing information on, or accessing information already stored on, a user's device unless the user has been given clear information about the purpose and has consented; since the 2018 amendments, that consent is measured against the GDPR definition. The only cookies exempt are those strictly necessary to deliver a service the user has requested, and analytics cookies do not fall under that exemption. The complaint's argument was that because these cookies were set automatically on page load, users had no opportunity to reject them.

In an email shared to Twitter, a spokesperson responding on behalf of the ICO's DPO said: "I acknowledge that the current cookies consent notice on our website doesn't meet the required GDPR standard."

"We are currently in the process of updating this to align our use of cookies to the GDPR standard of consent and we will be making amendments to this information during the week commencing 24 June."

The regulator has since confirmed this in an email to IT Pro.

Because the upgrade work had gone largely unnoticed by the wider community, the admission that its policy was not compliant with GDPR has drawn the ire of industry experts, who claim the watchdog is unable to follow its own advice.

A page explaining its approach to data gathering says the ICO relies on users' implied consent, but that changes are being made to upgrade to the latest version of its Civic Cookie Tool, which requires explicit consent by default, including for non-necessary cookies. The latest version is said to support this consent-first handling of cookies on devices, but the watchdog has yet to upgrade.

A spokesperson for Civic UK confirmed to IT Pro that the planning and implementation of the tool had been left entirely to the ICO, and that the latest version, correctly configured, would make the regulator compliant with GDPR cookie requirements.

Carl Gottlieb, data protection officer for Hudl and Duolingo, told IT Pro that it was rare to see a regulator admit to its mistake, but that a lack of clear guidance on cookie laws is creating confusion across the industry.

"I believe it was in May 2018 that the ICO stated they would be moving to the new version of the Civic cookie consent tool, but there has since been no evidence nor mention of this happening," said Gottlieb.

"It's unclear what infringement the ICO are admitting to here, and whether this is an official ICO stance or just one lone caseworker's opinion. It is certainly surprising to see a regulator openly apologise."

In an inspection by the European Data Protection Supervisor (EDPS) into the websites of ten major EU institutions and public bodies, it was found that seven contained data protection or privacy issues and were either non-compliant with the ePrivacy Directive or failed to follow EDPS guidelines. These included the websites for the European Data Protection Board, the body responsible for overseeing the implementation of GDPR across the EU, and the International Conference of Data Protection and Privacy Commissioners.

"At the heart of this issue is the lack of clear rules on cookie compliance," said Gottlieb. "For example, the ICO and the law firm FieldFisher both follow the EU 2012 opinion that anonymous Google Analytics does not require consent, but merely an opt-out. Potentially this opinion would be unchanged within the GDPR era."

"Unfortunately many are ignorant of this EU opinion or disagree with its merits and thus take a stricter line on compliance. We have a state of confusion amongst data protection experts which makes compliance a huge problem for anyone operating a website."

"The bigger problem is a lack of regulatory enforcement against cookie compliance breaches," added Gottlieb. "Until we see some action, website operators can continue to freely ignore the rules with no consequence."

Contributor

Dale Walker is a contributor specializing in cybersecurity, data protection, and IT regulations. He was the former managing editor at ITPro, as well as its sibling sites CloudPro and ChannelPro. He spent a number of years reporting for ITPro from numerous domestic and international events, including IBM, Red Hat, Google, and has been a regular reporter for Microsoft's various yearly showcases, including Ignite.