The Information Commissioner’s Office (ICO) enforces the UK GDPR and the UK cookie “law” (PECR). This means that the UK has one sole authority responsible for both data privacy and electronic communications and tracking, which is practical since cookie rules often overlap with the data privacy rules.
So what is the UK’s data protection enforcement authority up to?
The UK ICO's recent actions on cookie compliance enforcement
In late 2023, the ICO wrote to 53 of the UK’s top 100 websites. In the letter, the ICO warned the website owners that they would face enforcement actions if they refused to change how they handle advertising cookies.
The ICO pointed out that using non-compliant cookie banners is illegal.
According to ICO, their “call to action” received an “overwhelmingly positive response.” 42 of 53 website owners chose to become compliant, and “several others” were reconsidering their approach to advertising by exploring solutions based on contextual and subscription-based models.
The ICO also underlined that they could see a ripple effect of their intervention, “with many organisations making changes to cookie banners without receiving a letter” from them.
For the UK ICO cookie compliance means compliant cookie banners
In the ICO’s statement regarding this initial enforcement activity, they make it clear that website users/visitors have the right to choose whether to consent to tracking technologies. This means that people must be given a fair, informed choice.
Hence, the ICO wants to see if a website owner uses (non-essential) cookies or similar tracking technologies. If they do, there needs to be a compliant cookie banner at the very minimum. And a compliant cookie banner, among other things;
- informs the visitor in a plain, easy language what cookies the website wants to deploy
- gives the visitor a clear choice of yes or no on the first layer.
- gives the visitor the choice to withdraw consent at any time during their visit.
- go not deploy cookies before explicit opt-in consent is given.
Is it possible to get a cookie banner that complies with ICO’s requirements out of the box? Yes, it’s pretty easy. Learn more here.
If the website owners did not comply with the data protection authority’s requirements, the ICO stated that they would make their concerns about the organisation or company public. The ICO also mentioned that a penalty notice can be considered in addition to outing the organisation.
The UK ICO is leveraging AI for cookie compliance enforcement
Encouraged by the effect of their initial enforcement activity, the ICO stated that they would continue to approach websites by writing to one hundred at a time. To accelerate their efforts, they are developing an AI solution that can help them identify websites with non-compliant cookie banners.
The process of creating the look and feel of this AI solution began early in 2024 with a hackathon held under ICO’s umbrella.
The ICO is taking cookie enforcement seriously partly because of its research on the issue: The ICO explains that people are concerned about their data being used, without their consent, to target them with ads they do not wish to be associated with.
The UK ICO give examples such as gambling addicts being targeted with betting offers based on their browsing history and women being targeted with distressing baby adverts shortly after miscarriage.
Exploring AI as a tool for cookie compliance enforcement is not unique to the UK ICO. For example, the Danish enforcement authority on the subject is also developing a tool based on the French Artificial intelligence company Mistral AI. To learn more about how it works, see this webinar where two experts from Denmark’s Agency for Digital Government discuss it.
Easy for marketers to make the UK ICO happy
The guidelines and informative enforcement actions from the UK are very instructive and in line with other European enforcement authorities and the European Data Protection Board’s opinion on the issue. Add to this established compliant platform for consent management, like Cookie Information, and you have a situation where you can make your website cookie-compliant without further ado.
If you choose to run with a Consent Management Solution like Cookie Information, you also get a platform tailored to help you optimise your opt-in rates and increase trust amongst your existing and potential customers. Naturally, it also integrates natively with Google’s Consent Mode v2.
So, while the ICO states that” it makes sense to be compliant before the regulator comes knocking,” I’d like to add that it’s also very, very easy.