The UK’s Information Commissioner’s Office (ICO) has warned it may impose harsh penalties and publicly name websites that fail to make changes to their cookie consent policies.
The ICO said that some are failing to give users a clear choice about whether they want to opt-in to personalized advertising, and make it just as easy to 'reject all' as to 'accept all'.
While websites can still display adverts when users reject all tracking, they must not tailor these ads to the person browsing.
Stephen Almond, ICO executive director for regulatory risk issued a warning to websites that consistently fail on cookie consent, adding that the regulator will clamp down on those who don’t comply.
"We’ve all been surprised to see adverts online that seem designed specifically for us – an ad for a hotel when you’ve just booked a flight abroad, for instance. Our research shows that many people are concerned about companies using their personal information to target them with ads without their consent,” he said.
"Gambling addicts may be targeted with betting offers based on their browsing record, women may be targeted with distressing baby adverts shortly after miscarriage and someone exploring their sexuality may be presented with ads that disclose their sexual orientation."
Without naming names, the ICO said it has written to companies running some of the UK’s most-visited websites to voice concerns about their cookie consent policies.
The regulator has given them 30 days to ensure their websites comply with current legislation on the matter.
"Many of the biggest websites have got this right," said Almond. "We’re giving companies who haven’t managed that yet a clear choice: make the changes now, or face the consequences."
The ICO said it will provide an update on progress in January. For organizations that are still to comply, it will provide the public with details.
Cookie consent crackdown
The move follows a warning earlier this summer in which the ICO began assessing cookie consent banners. The regulator said at the time it would take action against those who don’t comply.
While the legal requirement for cookie banners derives from the GDPR, the UK's departure from the EU hasn't yet led to any change in the rules.
Companies are required to gain explicit consent from users before using marketing cookies or trackers, and the buttons used for this must make it at least as easy to deny as to consent.
In the EU, rules are similar, although there's no clear rule that 'reject all' must appear at the same time, and be as easy to choose as 'accept all'.
RELATED RESOURCE
Discover how Telefónica Tech helps NHS Trusts meet the mandate for operational EPR systems
DOWNLOAD NOW
Different countries within the union have slightly different policies. Austria and Spain, for example, require a 'reject all' button in the first layer of the consent process while Germany does not.
Earlier this month, the European Data Protection Board (EDPB) published new guidelines on the use of cookies, clarifying which tracking techniques are covered.
"These guidelines discuss solutions, such as tracking links and pixels, local processing, and unique identifiers, to ensure that the consent obligations set out by the article are not circumvented," said EDPB chair Anu Talus.
-
Bigger salaries, more burnout: Is the CISO role in crisis?In-depth CISOs are more stressed than ever before – but why is this and what can be done?
-
Cheap cyber crime kits can be bought on the dark web for less than $25News Research from NordVPN shows phishing kits are now widely available on the dark web and via messaging apps like Telegram, and are often selling for less than $25.
-
AI recruitment tools are still a privacy nightmare – here's how the ICO plans to crack down on misuseNews The ICO has issued guidance for recruiters and AI developers after finding that many are mishandling data
-
“You must do better”: Information Commissioner John Edwards calls on firms to beef up support for data breach victimsNews Companies need to treat victims with swift, practical action, according to the ICO
-
LinkedIn backtracks on AI training rules after user backlashNews UK-based LinkedIn users will now get the same protections as those elsewhere in Europe
-
UK's data protection watchdog deepens cooperation with National Crime AgencyNews The two bodies want to improve the support given to organizations experiencing cyber attacks and ransomware recovery
-
ICO slams Electoral Commission over security failuresNews The Electoral Commission has been reprimanded for poor security practices, including a failure to install security updates and weak password policies
-
Disgruntled ex-employees are using ‘weaponized’ data subject access requests to pester firmsNews Some disgruntled staff are using DSARs as a means to pressure former employers into a financial settlement
-
ICO reprimands Coventry school over repeated data protection failuresNews The ICO said the academy trust failed to follow previous guidance, which caused a serious data breach
-
ICO dishes out fine to HelloFresh for marketing spam campaignNews HelloFresh failed to offer proper opt-outs, the ICO said, and customers weren’t warned their data would be used for months after they cancelled
