ICO fingered for breaching GDPR over cookie cock-up

The Information Commissioner’s Office has been forced to give itself a bollocking after admitting that its own website cookies are in breach of GDPR as they store users’ data without consent.
The issue was sparked when one eagle-eyed user noticed that the ICO website was automatically placing cookies on mobile devices when visitors accessed the site.
The user then fired off a complaint to the regulator, arguing that the ICO was in breach of Article 6 of the Privacy & Electronic Communications Regulations 2003.
PECR – which sits alongside GDPR – prohibits the storage of, or access to, information held on a user’s device unless explicit consent is given. The complainant argued that because these cookies were used automatically, users were unable to reject their use.
A webpage explaining the ICO’s approach to data gathering said it relies on the implied consent of users but that changes are being made to upgrade to the latest version of its Civic Cookie Tool, a tool that requires explicit consent by default, including for non-necessary cookies. Civic UK has confirmed that the planning and implementation of the tool had been left entirely to the ICO.
The data protection community has gone into overdrive on Twitter after Mishcon de Reya commercial and data protection partner Adam Rose shared the ICO’s response to the complaint.
An ICO spokesman, who tweeted on behalf of the regulator’s data protection officer, wrote: “I acknowledge that the current cookies consent notice on our website doesn’t meet the required GDPR standard.
“We are currently in the process of updating this to align our use of cookies to the GDPR standard of consent and we will be making amendments to this information during the week commencing 24 June.”
Rose responded: “A remarkable admission from [the ICO] – its cookies consent process has been wrong and it’s being urgently changed. [In fact, it’s probably not been to the required standard since 2011.]”
Simon Jones, the founder and MD of Studio 24, replied: “Given the amount of effort some people go to to comply, it’s deeply ironic that [the ICO] are lacking in their cookie policy. I see they use a tool for this. Are there any tools that actually meet current best practices?”
Meanwhile, Scott Sammons, owner of information governance firm Lighthouse IG, posted: “They have always done that. Do as we say not do as we do. They did it before with the first cookie banner they launched. They did it with the ‘policy document’ under UK DPA18. To name just 2!”
When the cookie law was first introduced in 2012 – following a year’s grace – the ICO was adamant that explicit consent was the best practice. This required users to tick a consent box before proceeding. But a year later, it said “implied consent” was allowed, which just requires a simple statement on the site, with a link to advice on how to stop cookies.
