ICO gives top websites 30 days to change cookie banners or risk fines
Posted: November 22, 2023
The Information Commissioner’s Office (ICO) has issued a warning to some of the biggest websites in the UK that their cookie banner practices are not compliant with the GDPR and PECR.
More significantly, they’ve sent written notifications to the offending companies, giving them 30 days to comply or face fines.
Many have questioned the ICO’s enforcement track record, so this may well be the ICO both making a statement and taking action against the bigger companies that continue to find themselves on the wrong side of the law.
What’s wrong with the cookie banners?
The ICO's research found that some of the UK's most visited websites have non-compliant cookie banners, and in particular it highlighted the importance of clearly defined “Reject All” and “Accept All” options.
They do not give consumers fair choices over whether or not to be tracked for personalized advertising. They are making it hard for people to say no to cookies, or they are not telling you what cookies they use and why.
The ICO has now written to these websites and told them what they need to do to comply with the law. They have given them 30 days to make the changes, or they will face enforcement action.
Stephen Almond, who works for the ICO, said:
“We’ve all been surprised to see adverts online that seem designed specifically for us – an ad for a hotel when you’ve just booked a flight abroad, for instance. Our research shows that many people are concerned about companies using their personal information to target them with ads without their consent.
“Gambling addicts may be targeted with betting offers based on their browsing record, women may be targeted with distressing baby adverts shortly after miscarriage and someone exploring their sexuality may be presented with ads that disclose their sexual orientation.
“Many of the biggest websites have got this right. We’re giving companies who haven’t managed that yet a clear choice: make the changes now, or face the consequences.”
What’s the potential fine?
Fines for GDPR non-compliance can reach up to 20 million euros, or 4% of worldwide annual revenue, whichever is higher.
There is also substantial reputational risk to consider as well as financial.
The user experience when someone visits your website is crucial to engagement and conversion, with our own research finding that people are more likely to opt in when given the full picture of how their data is being used.
What happens next?
The ICO has not named and shamed the businesses at fault – yet.
Their warning states that they will give the companies 30 days to ensure their websites are compliant from 21 November 2023.
In January, they’ll provide an update, including the names of companies that have failed to meet the requirements.
With the likes of the BBC picking this up and highlighting the risks and the concerns of consumers, there has never been a better time to make sure your cookie banner is compliant and builds trust.
If your website or app uses these tricks to get cookie consent, you might be violating the PECR, ePrivacy Directive and GDPR.
And more importantly, you’re likely to be causing your users considerable annoyance.
Most common issues of poorly designed, non-compliant cookie banners
You’ve likely been on a website where the cookie banner failed to meet GDPR expectations: you couldn’t click away from it until you accepted, there was no reject button, or something seemingly small was off, such as colours that highlight the accept button over the reject button.
There are plenty of ways that businesses fail to comply – we’ve listed a few of the most common issues of non-compliant cookie banners below:
Generic cookie consent – no reject button
“Accept All”-only banners offer a quick interaction but do not meet the requirement for informed consent. This approach risks collecting unnecessary data and neglects the principle of data minimization.
Pre-ticked opt-ins
Websites using pre-selected cookie preferences simplify access for users but risk users unintentionally agreeing to settings. This conflicts with data protection principles by not ensuring explicit consent.
Dismissible banners
These banners aim for a less intrusive experience, allowing the user to dismiss them easily. However, their brevity may leave the cookie types unexplained, undermining transparency and user preference management.
Dark patterns
Banners that subtly coerce users into a specific action are referred to as ‘dark patterns’ – usually encouraging users to opt in through things like button placement, color or emphasis.
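As an added illustration (not code from the ICO or from the original post), the snippet below models the consent state a banner should keep and audits a banner description against the four problems listed above: no reject button, pre-ticked opt-ins, dismissal treated as consent, and unequal emphasis or missing purpose descriptions. It is plain Node.js with no DOM; the category names, the banner description fields and the two sample banners are assumed for the example.

```javascript
'use strict';
// Added example, not code from the ICO or the original post. Category names,
// the banner description fields and the two sample banners below are assumed.

const NON_ESSENTIAL = ['analytics', 'advertising'];

// Fresh state: no non-essential category is pre-ticked and no decision is recorded.
function initialConsent() {
  const categories = {};
  for (const c of NON_ESSENTIAL) categories[c] = false;
  return { decided: false, categories };
}

// "Accept All" and "Reject All" are symmetric: both record a decision in one click.
function acceptAll() {
  const categories = {};
  for (const c of NON_ESSENTIAL) categories[c] = true;
  return { decided: true, categories };
}

function rejectAll() {
  return { ...initialConsent(), decided: true };
}

// Granular save: only the categories the user actually switched on become true.
function saveChoices(chosen) {
  const categories = {};
  for (const c of NON_ESSENTIAL) categories[c] = chosen.includes(c);
  return { decided: true, categories };
}

// Closing the banner without choosing is not consent; the state stays undecided.
function dismiss(state) {
  return { ...state, decided: false };
}

// Gate every non-essential cookie or tag on an explicit, recorded opt-in.
function mayStore(state, category) {
  if (!NON_ESSENTIAL.includes(category)) return true; // strictly necessary
  return state.decided === true && state.categories[category] === true;
}

// Audit a banner description against the problems the post lists.
function auditBanner(banner) {
  const issues = [];
  const reject = banner.buttons.find((b) => b.action === 'rejectAll');
  const accept = banner.buttons.find((b) => b.action === 'acceptAll');
  if (!reject) issues.push('no reject button on the first layer');
  if (reject && accept && reject.emphasis !== accept.emphasis) {
    issues.push('accept and reject buttons given unequal emphasis');
  }
  if (banner.toggles.some((t) => NON_ESSENTIAL.includes(t.category) && t.checked)) {
    issues.push('pre-ticked opt-in');
  }
  if (banner.dismissMeansAccept) issues.push('dismissal treated as consent');
  if (!banner.describesPurposes) issues.push('cookie types and purposes not described');
  return issues;
}

// Constructed sample banners (not descriptions of any real site).
const NON_COMPLIANT_BANNER = {
  buttons: [{ action: 'acceptAll', emphasis: 'primary' }],
  toggles: [
    { category: 'necessary', checked: true },
    { category: 'analytics', checked: true },
  ],
  dismissMeansAccept: true,
  describesPurposes: false,
};

const COMPLIANT_BANNER = {
  buttons: [
    { action: 'rejectAll', emphasis: 'primary' },
    { action: 'acceptAll', emphasis: 'primary' },
  ],
  toggles: [
    { category: 'necessary', checked: true },
    { category: 'analytics', checked: false },
    { category: 'advertising', checked: false },
  ],
  dismissMeansAccept: false,
  describesPurposes: true,
};

const fresh = initialConsent();
console.log('analytics allowed before any choice:', mayStore(fresh, 'analytics')); // false
console.log('analytics allowed after dismiss:', mayStore(dismiss(fresh), 'analytics')); // false
console.log('non-compliant banner issues:', auditBanner(NON_COMPLIANT_BANNER)); // 4 issues
console.log('compliant banner issues:', auditBanner(COMPLIANT_BANNER)); // []
```

The point of the state model is that `mayStore` returns true for a non-essential category only after a recorded decision, so dismissing the banner or loading the page with the default state never drops an analytics or advertising cookie; the audit function is the kind of check a team can run against its banner configuration before the ICO's 30-day window closes.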
Download our comprehensive Data myths and misconceptions research report
This insightful report sheds light on the concerns of consumers regarding the security of their online data. Inside, you’ll gain a deeper understanding of:
- The effectiveness of popular data protection measures
- The level of awareness among US consumers regarding the data companies can collect
- Compliance with data privacy legislation by US consumers
- Strategies for building consumer trust through responsible data handling