Published: 18th December 2023
Area: Data & Security Transformation
The ICO has notified some of the country’s most-visited websites that they face enforcement action if they fail to make necessary changes to comply with data protection laws, which includes making it as easy for users to “reject all” advertising cookies as it is to “accept all”.
While websites can still display adverts when users “reject” all tracking, the content must not be tailored to the individual browsing.
Mike Wills, co-founder and director of strategy and policy at CSS Assure, said: “While the recent announcement by the ICO specifically focuses on well-known UK brands and websites, its intent to hold business owners accountable for the incorrect use of cookies is clear – serving as a stark reminder that data protection is not to be taken lightly.
“Harmful design practices that could undermine people’s control over their personal information – such as cookie consent banners – violate data protection laws and erode trust among consumers. More concerning, it could have a real impact on people’s wellbeing. For example, someone recovering from a gambling addiction being steered to ‘accept all’ cookies could mean they are being continually bombarded with betting adverts.
“Business owners should take this as a sage warning that this is top of the ICO’s to-do list. Should the ICO choose to investigate a business, they will not only consider cookie compliance but all elements of GDPR compliance – don’t give them the opportunity as this could lead to unintended consequences, including financial penalties and reputational damage.
“Adhering to data protection laws and adopting ethical data practices are essential for safeguarding individuals’ privacy and maintaining a healthy business ecosystem. By doing so, they can avoid hefty fines and foster a culture of trust and transparency, ultimately benefiting both their customers and their bottom line.”
The ICO has written to companies operating some of the UK’s most-visited websites, outlining concerns and providing a 30-day grace period to ensure compliance with the law. The ICO plans to provide an update in January, including details of companies that have not addressed its concerns.