ICO warning to websites on Cookie Consent; an indirect caution to gambling operators?

In a move that may have considerable implications for gambling operators, the Information Commissioner’s Office (ICO) issued a significant warning to several top UK websites on 21 November 2023. The ICO has raised concerns about their non-compliance with UK data protection laws regarding cookie consent practices, suggesting the websites fail to provide users with a clear and fair choice to either accept or reject personalised advertising. Under UK law, companies must obtain user consent for the use of non-essential cookies and provide users with clear information on why cookies are used, as outlined in the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR). For consent to be valid, it must comply with the standards set out in the UK GDPR: it must be freely given, specific, informed and unambiguous, and given by a clear affirmative action. The ICO’s focus on protecting vulnerable groups, notably in the gambling sector, underlines the need for gambling operators to ensure that their consent mechanisms for non-essential cookies comply with the PECR and UK GDPR standards.

The ICO has given these companies 30 days to rectify their websites and make them compliant with current legislation. Failure to do so will likely result in enforcement action. Although the specific details of enforcement action have not been outlined, the ICO has made it clear that it is prepared to publicly name the companies which fail to rectify their breach. This signals a notable shift in the ICO’s approach. Unlike EU regulators (most notably the CNIL in France), the ICO has refrained from taking enforcement action relating to non-compliant cookie consent practices since GDPR/UK GDPR came into force. However, this latest statement and the recent publication of the ICO and Competition and Markets Authority (CMA) joint paper showcase the ICO’s commitment to policing compliance with cookie law and its increased appetite for enforcement. This aligns with the ICO’s 2025 strategy, particularly its commitment to protect children and vulnerable groups, notably in the gambling sector.

Inadequate cookie consent mechanisms risk non-compliance with both PECR (which regulates use of cookies) and the UK GDPR in respect of the use of personal data collected from the cookies (for example, for targeted online advertising). As evidenced by the 30-day rectification period, it appears that the ICO’s approach is to work with the companies to address the compliance issues. However, should the companies fail to rectify these breaches, they risk being liable for significant fines, which are just one tool in the ICO’s enforcement arsenal. Currently, the maximum fine under PECR is capped at £500,000, but with the looming Data Protection and Digital Information (No.2) Bill, this will increase to £17.5 million or 4% of annual worldwide turnover (whichever is higher), bringing it in line with the UK GDPR penalties and thus increasing the liability exposure for those in breach.

This latest development underlines the ICO’s sharper focus on tackling cookie non-compliance as a step towards achieving the safeguarding objectives outlined in its 2025 strategy. The ICO specifically called out gambling operators, stating that “gambling addicts may be targeted with betting offers based on their browsing record”. We therefore anticipate the ICO will closely monitor the gambling sector. We also understand non-gambling services accessed by children will attract particular ICO attention. The ICO’s recent statement should put all businesses on notice. There is no guarantee that future enforcement action would be prefaced with a 30-day remediation period. Considering this, we recommend that businesses: (i) review the cookies they are using; (ii) consider what information is provided to users (is it sufficiently clear?); and (iii) review how consent options are presented to users (are opt in/out choices equally prominent and accessible?).

Looking towards the future, gambling operators are steadily moving towards a cookieless era because of Google’s plans to phase out third-party cookies. This transition, which is expected in the second half of 2024, is primarily driven by user privacy concerns and will cause a significant shift in the sector’s tracking practices. However, this provides the sector with an opportunity to advocate privacy and build trust with a privacy-conscious audience by making sure that new marketing methodologies and strategies align with the current (and evolving) standards and regulations, which can only be seen as positive.

Although it is now commonplace for websites to have some form of consent management platform which gives users a way to accept, reject or manage their cookie preferences, the devil is in the detail. In its cookie guidance and work with the CMA, the ICO has been particularly critical of nudge tactics, ‘confirmshaming’, biased framing, bundled consent and the use of default settings. Therefore, it is not enough to simply have a consent management platform – it needs to be configured in a manner that achieves valid consent. We will need to wait until January, when the ICO plans to provide an update on the outcome of its investigations into the top UK websites, to see if the ICO gives any further indication of specific configurations and settings which it considers to be non-compliant and to see what form of enforcement action (if any) the ICO decides to take.