Recent enforcement action by the ICO has websites reviewing their cookie compliance.
Almost every website uses cookies and other tracking technologies, however, not all websites give users the right to choose how cookies are used. Cookies are effectively "online identifiers" and in certain circumstances they will be used to process personal data. With 90% of people concerned about companies using their personal information without their permission (according to a 2022 ICO survey) its perhaps not surprising that supervisory bodies such as the Information Commissioner's Office ("ICO") are monitoring the use of cookies closely. This short article discusses the requirements placed on organisations using cookies, recent enforcement action by the ICO and potential issues with website design practices.
Cookie Requirements
Cookies are small text files downloaded onto user equipment (e.g., a laptop) when users visit a website. Cookies allow websites to recognise the user's device as well as access and store information about the user's website preferences and past actions (i.e., past websites the user has also accessed). The information obtained from a cookie can be used to personalise advertisements to suit user preferences, and therefore, cookies can be a great commercial asset. The use of cookies is governed by The Privacy and Electronic Communications (EC Directive) Regulations 2003 (the "Regulations"). Under the Regulations website providers are required to:
- inform users that cookies are present and set out the specific cookies being used;
- clearly and comprehensively explain the way the cookies work and why they are used (e.g. keep users signed in to their account); and
- obtain the user's consent to store a cookie on their device.
This information must be easily accessible for users, who need to understand the potential consequences of allowing a cookie to be downloaded onto their device. This means website providers should ensure the language and level of detail are appropriate for the website's audience.
User consent should comply with the consent requirements in Section 3(10) of the Data Protection Act 2018. These are:
- websites must be able to demonstrate valid consent;
- consent to cookies must be distinguishable from consent to another matter (e.g., terms and conditions);
- consent requests must be in an easily accessible format using plain language; and
- mechanisms should be present that allow users to withdraw consent.
ICO guidance on using cookies has clarified that consent must be informed and actively given. Specifically, website providers must ensure that users fully understand that their actions will result in specific cookies being set before proceeding to the website. Consent must involve a positive action from the user, such as ticking a box, and they should be able to disable/enable non-essential cookies at any point during their site visit. It is important to note that if a user rejects non-essential cookies, businesses can still display adverts to that user, but they cannot tailor these to the person browsing (e.g., using their name). Websites do not have to obtain consent to use "essential cookies", these are cookies that are strictly necessary to enable the website to function correctly.
Enforcement Notices
Despite these requirements, many websites fail to allow users to properly consent to whether cookies will be set. In the past weeks, the Information Commissioner has warned several UK websites that they will face enforcement action if they do not make changes to comply with the Regulations and data protection legislation. Specifically, the ICO targeted businesses that have made it more difficult for users to reject cookies whilst visiting their websites when compared with the users' ability to accept them. A study analysing 300 cookie consent notices found that all websites provided a one-click option to accept cookies, but only 15 websites provided a one-click deny option. The ICO has not named the businesses they contacted but has stated an update will be provided in January, which shall include the details of companies who have failed to address the ICO's concerns.
Website Design
The Competition and Market Authority ("CMA") and ICO have published a joint paper on Harmful Design in Digital Markets detailing their concerns about website design practices which negatively affect consumers and their right to control how their data is being used. Website design choices are crucial in a consumer's ability to fairly control their preferences, such as what cookies are set and how their data is tracked. For example, a website may only provide a single collective consent option to users for personal data processing, acceptance of the website terms and use of cookies. Businesses may do this for general aesthetic reasons and to minimise perceived user administration. However, even if the user can reverse these consents in their account settings, by bundling consents website providers increase the likelihood of users consenting to all the activities and reduce the consumers ability to meaningfully choose their preferences and to withdraw such preferences at a later stage.
The ICO consider it an infringement of data protection law if website design choices make it harder for users to choose more "privacy-friendly" options and influence consumers to make decisions that do not reflect their privacy preferences. Although many website providers use third-party contractors to design their websites, it is ultimately the provider's responsibility to ensure that the website complies with all relevant laws, including those relating to privacy and cookies. Providers can do this by taking the time to understand the requirements placed upon them and reflecting these in their instructions to website designers.
Our colleagues at Brodies have extensive experience advising on cookie policies, website pop-ups, and data protection issues more generally. If you would like to discuss anything raised in this blog, particularly cookie requirements under the relevant legislation, please get in touch.