UK businesses have been warned they could face fines if they persist in flouting the law on how they operate online cookies, in a renewed clampdown on what is often seen as one of the most confusing pieces of data protection legislation.
The timing of the move, revealed by Deputy Information Commissioner Stephen Bonner in a media interview, is strange, to say the least, as there are plans to overhaul what ministers insist are “annoying cookies” in the Data Protection & Digital Information (No.2) Bill, currently before Parliament.
Bonner suggests that failing to have a “reject all” button on a cookie banner will be a breach of the Privacy & Electronic Communications Regulations (PECR), and that there is “no excuse” for not having one, adding that the ICO’s position is “pretty straightforward and robust”.
In response, the ICO has released a statement which reads: “Having a ‘reject all’ button on a cookies banner that is just as prominent as an ‘accept all’ button helps people to more easily exercise their information rights. The ICO is closely monitoring how cookie banners are used in the UK and invites industry to review their cookies compliance now. If the ICO finds that cookie banners breach the law, it will seriously consider using the full range of its powers, including fines.”
Ironically, in 2019, the ICO was forced to give itself a bollocking after admitting that its own website cookies were in breach of GDPR by storing users’ data without consent. The issue was sparked when one eagle-eyed user noticed that the ICO website was automatically placing cookies on mobile devices when visitors accessed the site.
The current law states that the only cookies that can be placed on website visitors’ devices without consent are those that are “strictly necessary” for the site to operate.
To place any others the website must seek the visitors’ consent, which is defined as “a freely given, specific, informed and unambiguous indication of the [person’s] wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement”.
It is understood that since the law was introduced, the ICO has yet to take any enforcement action on cookies.
However, Mishcon de Reya senior data protection specialist Jon Baines said: “Companies should, in order to comply with the law, but particularly in light of the ICO’s regulatory warnings, review how they use cookies and how they present cookie banners. They should also keep this under review, given the likelihood that the law will be changing soon.”