The Information Commissioner’s Office (ICO) has released important advice for businesses with an online presence, regarding cookies – a tool used to store users' information.
In June, the ICO announced that they will intervene if a business/organisation does not have a ‘reject all’ button on its top-level cookie banner.
Organisations using non-essential cookies on their website or app, such as marketing or performance cookies, must ask users whether they give consent for the operator to place cookies on the user's device.
The ICO states that the user must "take a clear and positive action to give their consent to non-essential cookies – continuing to use your website does not constitute valid consent".
Breaches of the cookie rules currently carry a maximum fine of £500,000 under the Privacy and Electronic Communications Regulations 2003.
The maximum fine may increase to £17.5m or 4% of worldwide annual turnover, whichever is higher. This depends on whether the government’s proposals in the Data Protection and Digital Information Bill are accepted.
The Bill also proposes to extend the list of exemptions under which consent is not required in the UK before placing cookies on a user's device, for example to cover statistical or preference cookies.
Enforcement hasn’t been strictly applied across the board just yet, but the ICO warns this will become stricter. To avoid a fine, businesses need to ensure that they’re compliant with the cookie rules, by inserting a ‘reject all’ button in the top-level cookie banner.
The guidance also states that the use of any pre-ticked boxes or ‘on’ sliders for non-essential cookies would not meet the ICO's requirement.
Other non-compliant approaches include:
Useful guidance from the ICO can be found here.
The ICO issued another warning at a recent conference in early October, that businesses should expect the rules on cookie use to be enforced. The message is that “there have been enough warnings, enough clarity, it's clear enough what you have to do.”
Although there is pending legislation regarding the use of cookies, businesses should not see the gap between draft and final legislation as an excuse for non-compliance.
The draft Data Protection and Digital Information (No 2) Bill makes changes to the UK GDPR. This could mean that websites using tracking tools, such as Google Analytics and others, will no longer need to acquire users’ consent via banners. Users may be able to automate some types of consent within their browsers, rather than per site visited.
The new Bill, previously known as the Data Reform Bill, is intended to streamline existing regulation that can be irksome for businesses to comply with. It is expected to pass in mid-2024, according to discussion at the recent Data Protection Practitioners’ Conference.
Compliance with the current cookie rules can be achieved through cookie audits, cookie walls and requesting consent in the correct manner. Further guidance can be found on the ICO website.
If you need help staying compliant with data protection rules contact our Privacy & Data team for further information.