On 21 November 2023, the UK Information Commissioner’s Office (“ICO”), the UK’s data protection regulator, issued a statement warning that websites face enforcement action if they do not make changes to comply with data protection laws regarding advertising cookies.
The ICO Warning
The ICO is concerned that “some websites do not give users fair choices over whether or not to be tracked for personalised advertising.” The ICO’s Executive Director of Regulatory Risk, Stephen Almond, has warned that “gambling addicts may be targeted with betting offers based on their browsing record”, noting that companies must make the necessary changes now, “or face the consequences”.
In its statement, the ICO referenced guidance issued in August 2023 (the “August Guidance”) which made clear that companies must make it as easy for users to “Reject All” advertising cookies as it is to “Accept All”. Websites are still able to display adverts when users reject all tracking, but they must not tailor these adverts to the person browsing.
The August Guidance stated that, to empower users to make effective and informed choices about the way their personal information is used in digital markets, companies need to be:
- Putting the user at the heart of design choices – building online interfaces around customers’ interests and preferences.
- Using design that empowers user choice and control – helping users to make effective and informed choices about their personal information and putting them in control of how it is used.
- Testing and trialling design choices – using design that has been tested and trialled, to ensure design choices are evidence based.
- Complying with data protection, consumer and competition law – considering the implications of these laws in a company’s design practices.
The August Guidance also warned that, if improvements are not seen, the ICO would take enforcement action to protect people’s data protection rights, particularly where design practices lead to risks or harms for people at risk of vulnerability. The ICO also highlighted that the Competition and Markets Authority (the “CMA”) had been clear that this is a priority area that it would continue to tackle through its consumer and competition enforcement powers.
As part of its statement, the ICO announced that it had written to a number of companies that run some of the UK’s most visited websites, setting out its concerns alongside a 30-day deadline to ensure their websites comply with the law.
The ICO is expected to provide an update on progress in January 2024, which will include details of the companies that have still not addressed its concerns. This will be part of the ICO’s ongoing work to ensure people’s rights are upheld by the online advertising industry.
The ICO has a range of enforcement powers at its disposal for companies that are not compliant. These include issuing warnings, enforcement notices, inspections, and monetary penalties. For serious infringements of the data protection principles, the ICO can issue fines of up to £17.5 million or 4% of annual worldwide turnover, whichever is higher.
Co-authored by James Leek, trainee solicitor in the Technology & Media team.