UK's cookie crumble: Data watchdog serves up tougher recipe for consent banners

The UK's Information Commissioner's Office (ICO) is getting tough on website design, insisting that opting out of cookies must be as simple as opting in.

At question are advertising cookies, where users should be able to "Accept All" advertising cookies or reject them. Users will still see adverts regardless of their selection, but rejecting advertising cookies means ads must not be tailored to the person browsing.

However, the ICO noted that: "Some websites do not give users fair choices over whether or not to be tracked for personalized advertising." This is despite guidance issued in August regarding harmful designs that can trick users into giving up more personal information than intended.

A few months on, the ICO has upped the ante. It has now given 30 days' notice to companies running many of the UK's most visited sites that they must comply with data protection regulations or face enforcement action.

Stephen Almond, ICO executive director of Regulatory Risk, said: "We've all been surprised to see adverts online that seem designed specifically for us – an ad for a hotel when you've just booked a flight abroad, for instance. Our research shows that many people are concerned about companies using their personal information to target them with ads without their consent.

He noted that while many companies are complying and making the choice simple and straightforward for users, "we're giving companies who haven't managed that yet a clear choice: make the changes now, or face the consequences."

The consequences will be financial. The Information Commissioner has the power to issue a monetary penalty to wrongdoers – up to £17.5 million or 4 percent of the annual worldwide turnover in the preceding financial year, whichever is higher.

• Watchdog bites back against blockage of $9M fine on US selfie-scraper Clearview AI
• UK data watchdog fines three text spammers for flouting electronic marketing rules
• UK tribunal agrees with Clearview AI – Brit data regulator has no jurisdiction
• Equifax scores £11.1M slap on wrist over 2017 mega breach

The ICO calls out cookie consent banners as a clear example of often harmful design. Its guidance says: "A website's cookie banner should make it as easy to reject non-essential cookies as it is to accept them.

"Users should be able to make an informed choice on whether they want to give consent for their personal information to be used, for example, to profile them for targeted advertising."

Back in August, the ICO warned it would assess the cookie banners of the most visited websites in the UK and take action where it reckoned harmful design was affecting consumers.

Almond said: "Businesses should take note that if they deliberately and persistently choose to design their websites in an unfair and dishonest way, the ICO will not hesitate to take necessary enforcement action."

Cookie consent remains a hot topic for UK and EU lawmakers alike. The EU, for example, has a relatively clear stance on cookie consent – users should be offered a clear and unambiguous choice: yes or no. The ICO requires a similar approach.

However, the waters were muddied somewhat in 2022 by proposals to adopt an opt-out system in the UK. ®