Some of the UK’s most visited websites run cookie consent notifications which aren’t compliant with data protection laws, according to the Information Commissioner’s Office, the UK’s data protection authority. And the ICO says it intends to start cracking down on this behaviour, giving publishers 30 days to make changes and warning that they face enforcement action if they don’t comply.
For example, under these rules, users must formally opt in to have their data collected and processed, with informed consent over how their data will be used. And for advertising cookies, it must be equally easy for users to “reject all” as it is to “accept all”.
But some major publishers are still not compliant with these principles, despite the fact that they’ve been legally required for over five years. The ICO says it has now written to companies running some of the UK’s most visited websites and set out its concerns, giving those websites 30 days to comply with the law.
“Our research shows that many people are concerned about companies using their personal information to target them with ads without their consent,” said Stephen Almond, the ICO’s executive director of regulatory risk. “Gambling addicts may be targeted with betting offers based on their browsing record, women may be targeted with distressing baby adverts shortly after miscarriage and someone exploring their sexuality may be presented with ads that disclose their sexual orientation. Many of the biggest websites have got this right. We’re giving companies who haven’t managed that yet a clear choice: make the changes now, or face the consequences.”
The ICO will provide an update in January, which will include details of any companies which have not taken action.
Training wheels coming off
When GDPR first came into force, some in the industry were concerned that we’d see immediate widespread crackdowns across the industry, with non-compliant publishers and ad tech companies handed heavy fines.
But the ICO said from the off that it wanted to work with the industry, giving companies time to understand their obligations under the UK’s new data laws and to get their houses in order. The GDPR is, after all, a wide-ranging piece of legislation which affects a huge number of industries, not just media and advertising. Understanding compliance is not easy. And the ICO indicated it wasn’t looking to catch out companies which were accidentally non-compliant.
Now, however, the training wheels are coming off. The ICO has hosted guidance specifically around cookie consent notifications for a long time, outlining the dos and don’ts. Despite this, many remain non-compliant.
For example, as stated above, publishers must make it equally easy for users to reject all advertising cookies as it is to accept all. This means that both options should be equally visible and accessible within a consent mechanism. But many publishers still run consent boxes where the first page lets users either ‘accept all’ or ‘customise privacy settings’ (or something along those lines). The ‘reject all’ option then becomes visible once the user has chosen to customise their settings – meaning it’s harder to ‘reject all’ than ‘accept all’.
This sort of practice is perhaps still widespread partly because there hasn’t been much in the way of enforcement against it. Publishers have thus been reluctant to implement these measures, which would likely cut down the amount of data collection they can do, when there’s no punishment for not complying. With the ICO now threatening enforcement, we’re likely to finally see significant change.