The UK’s independent data protection watchdog has declared war on cookies.
Here’s why the once-loved sweet treat may land you in hot water (or warm milk) with the ICO.
Cookies, when not being eaten, are small files that are downloaded to your computer each time you visit a website. These files can have a number of practical uses for both website users and owners; for example, remembering that password you set on Instagram 10 years ago. However, it’s the more manipulative cookie practices that the ICO is increasingly taking issue with.
Websites need individuals’ consent before placing any cookies that are not strictly necessary for delivering the website to the user. These non-essential cookies are often used by websites to target specific advertising at users based on their browsing history. If you’ve been searching for flights to Rome and suddenly start seeing adverts for hotels in Rome, chances are the website you’re visiting has been working with an advertising network that uses cookies to track your browsing. ‘Did I really consent to that?’ I hear you ask. The answer lies at the heart of the ICO’s crackdown.
When accessing a website for the first time, you will almost always be met with a ‘cookie banner’ prompting you to accept or reject non-essential cookies – or at least, you should be. Last year, the ICO set its sights on the UK’s top 100 websites, investigating each of their cookie banner practices. According to the ICO, ‘a website’s cookie banner should make it as easy to reject non-essential cookies as it is to accept them’. Fifty-three of the top 100 websites did not meet the ICO’s cookie requirements. Warning letters were sent to all 53, giving them a month to rectify their misbehaviour or face enforcement action.
Consent is defined in Article 4(11) of the UK GDPR as:
‘any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.’
Essentially, the ICO considers that if you need to jump through hoops to reject non-essential cookies, any decision to accept them is not ‘freely given’ and, therefore, does not constitute valid consent. Without consent, the lawful basis for processing your data disappears, meaning a website may be processing your data unlawfully.
Interestingly, in response to the ICO’s threats, some websites have adopted new methods of obtaining consent, namely the ‘consent or pay’ model. This model provides users with a clear-cut choice: (i) allow the website to process your data, or (ii) pay for the privilege of maintaining your privacy. There is certainly a commercial argument in favour of the model – after all, most of the time, people are free to choose whether they use a website or not. Website owners will argue that running a website costs money, and if they cannot maximise revenue through targeted advertising, they will require some other form of payment.
The ICO has recently concluded a consultation on the ‘consent or pay’ model and is currently reviewing its legality. We expect an announcement from the regulator in the near future.
With Sky Bet reprimanded for using cookies without consent this week, it is clear that the ICO’s cookie crackdown is in full swing. If you are concerned about your website’s use of cookies – or any other Data Protection or Tech matters – and would like friendly, expert advice, our team is here to help. Please get in contact with us.