Expect stronger cookie law enforcement in 2024. ICO signals intent with increased regulatory scrutiny on the horizon. Updates to legislation and developments in technology will continue to influence how we experience the web.
A cookie is a small file of letters and numbers that is downloaded on to your computer when you visit a website.
Cookies are used by many websites and can have several benefits when browsing the web, such as remembering your preferences, recording what you have put in your shopping basket, and providing you with personalised news content.
Many online websites and apps remain free because sites and apps make money through online advertising, which is often highly personalised to the individual user. From the point of view of many website developers, cookies are a vital part of selling the advertising on which they depend.
However, for some personalised advertising can feel intrusive. Cookie banners can feel like they appear at every corner of the web, often making it complicated to click anything but the “accept” button. Others have raised privacy-related concerns that third-party cookies and other identifiers make it possible to track individual’s activities across websites and apps, and that this data can then be shared widely with other companies. This has given rise to questions about whether cookies, and the laws that govern them, remain fit for purpose.
ICO takes a bite at non-compliance
The UK’s Information Commissioner’s Office (ICO) has issued multiple warnings stressing the need to comply with rules on cookie banners. This action is part of the ICO’s broader work to ensure that people’s rights are upheld by the online advertising industry. For example, the ICO’s joint position paper with the Competition and Markets Authority (CMA), Harmful design in digital markets: How online choice architecture practices can undermine consumer choice and control over personal information. This sets out the pitfalls of harmful design and gives advice on what organisations should be doing instead.
This increased attention was also exemplified in the ICO’s public letter in November 2023 to more than fifty of the UK’s most-visited websites, which informed some of them that their cookie banners may not be compliant with the UK General Data Protection Regulation (UK GDPR) and the Privacy and Electronic Communications Regulations (PECR).
In its letter, the ICO identified a number of concerns it had identified which would amount to breaches of UK GDPR and PECR, including that:
- Non-essential advertising cookies were placed without obtaining consent from users.
- Non-essential advertising cookies were placed before the user had the opportunity to provide consent.
- Users cannot reject non-essential advertising cookies as easily as they can accept them.
- Non-essential advertising cookies were placed despite the user opting to reject them.
The ICO has given the offending websites a month to improve compliance by obtaining prior consent to non-essential cookies and respecting individual’s choices in respect of placement of non-essential cookies.
The ICO has stated in the letter that the websites could face enforcement action unless they make it clearer that these cookies are optional. The ICO is also planning to publish the names of organisations that fail to take appropriate steps to address specific concerns raised by the ICO about their cookie banners.
Changes to the law are on the way
While the ICO has signalled its intention to take increasing action against non-compliance of the existing cookie legislation, organisations need to remain aware of additional updates in legislation that are on the horizon.
The UK’s Data Protection and Digital Information (No. 2) Bill (the Bill) is set to update the law on cookies. The government have stated that one of the aims of the Bill is to cut down on ‘user consent’ pop-ups and banners. The Bill therefore widens the scope in which websites can collect some types of information without consent. These include processing solely:
- for the purpose of analytics carried out with a view to improve the website or information society service (Regulation 6(2A));
- to enhance appearance or functionality, or to reflect user preferences about such appearance or functionality (Regulation 6(2B)); and
- to update software, or where the update is necessary for security purposes, provided that privacy settings are not altered and there is an ability for the user to disable or postpone the update, or to remove or disable the software (Regulation 6(2C)).
The Bill empowers the Secretary of State to make regulations that would require providers of certain (as yet unspecified) technologies to give users the ability to express their cookie consent preferences via alternative preference management systems (such as browser-based and device-based opt-outs).
The Bill updates the PECR enforcement regime to bring it in line with that of the UK GDPR and the Data Protection Act. This increases potential fines to UK GPDR levels – most breaches will attract the higher maximum penalty cap of £17,500,00 or 4% of annual worldwide turnover.
It will be interesting to see whether further updates will be made to the Bill prior to it passing into law, particularly with respect to maintaining harmonisation with other laws such as the EU’s planned ePrivacy Regulation. Commentators have questioned whether there will be appetite to change established practices in international organisations to account for nuances in the UK. Organisations subject to cookie requirements under other laws may still decide to collect consent for some of the activities above given the complexity of effectively deploying different consent collection approaches according to the relevant applicable laws.
Google to phase out third-party cookies
Google has begun to test what the web would look like without third-party tracking cookies for 1% of Chrome browser users, around 30 million people, in its latest step towards getting rid of the technology altogether. A new feature in the Chrome browser disables third-party cookies, which are cookies tracked by websites other than the one you are visiting. Third-party cookies are often used by the advertising industry to collect analytic data, personalise online ads and monitor browsing.
Google’s stated aim for moving away from third-party cookies is to help make the internet more private. However, stakeholders in the advertising industry have raised concerns that Google’s new Privacy Sandbox technologies won’t prove to be adequate replacements, and that the move could further cement Google’s dominance of the online advertising market.
Google plans to phase out third-party cookies for everyone using Google Chrome in the second half of 2024. However, this ambition is subject to addressing any remaining competition concerns from the CMA. So far Google has provided commitments to the CMA, which run for six years, to involve the CMA and ICO in working with Google during the development and testing of the new Privacy Sandbox proposals.
Like Google, other organisations are increasingly looking for alternative options for users to receive online services that may provide a choice between consenting to personalised advertising or paying for ad-free services. For example, in October 2023 Meta gave Facebook and Instagram users the choice between paying for an ad-free experience, or keeping the services free of charge using ads. This shows how large tech companies are having to change their business models to comply with regulatory developments and privacy concerns.
The future landscape of cookie regulation is likely to remain unsettled during 2024, with both technological changes and regulatory updates on the horizon.
If you would like to find out more information on how to improve your legal compliance for data protection and how to approach to cookies, please get in touch with our IT and data protection team.