Insights Cookies: UK Information Commissioner’s Office (“ICO”) issues warning


UK law relating to the use of cookies, set out in the Privacy and Electronic Communications Regulations 2003, provides that a person may not store information, or gain access to information stored, on a user’s or subscriber’s device unless they have provided clear and comprehensive information on the purposes of the storage or access, and they have given the user or subscriber the chance to refuse the storage or access. The ICO position is that actual consent is required to comply with the law and that UK GDPR standards for consent apply. This means that consent must be freely given, specific and informed and, whilst it does not need to be explicit, it must involve an unambiguous positive action. There is an exception for cookies that are essential to provide an online service at someone’s request (e.g. to remember what’s in their online basket, or to ensure security in online banking). As cookies can store information about user’s preferences or past actions online, they can be used to deliver personalised advertising.

On 21 November, the ICO announced that it has warned some of the UK’s most visited websites that they face enforcement action as they are not giving users fair choices over whether to be tracked for personalised ads. The announcement refers to the August 2023 Paper, published by the ICO and the Competition & Markets Authority, on Harmful Design in Digital Markets which highlighted website practices (“nudges”) that encourage users to consent to non-essential cookies in permission pop-ups by failing to make it as easy to refuse cookies as to accept them, and the problems that can arise with bundled and default consents. Such practices are likely to breach the law.

The ICO states that many people are concerned by use of their data to target them with ads without consent which in some cases can cause harm or distress (e.g. problem gamblers being targeted with betting offers).

The websites have 30 days to comply and the ICO states that it will provide an update on this work in January which will include details of the companies that have not addressed the ICO’s concerns.

For more information, click here.