Author: Esther Farley, Apprentice Solicitor
The Deputy Commissioner of the UK Information Commissioner’s Office (ICO) warned in June 2023 that organisations whose top-level cookie banners do not include a “reject all” button will face an “intervention” by the ICO.
In the United Kingdom, organisations using non-essential cookies (such as analytics, performance or marketing cookies) on their website or a mobile app must ask users whether they permit the operator to use such cookies before placing the cookie on the user’s device. The ICO has emphasised that there is “no excuse” not to have a “reject all” button, and failure to provide one constitutes breaking the law. The regulator has warned that enforcement will get progressively stricter until organisations ensure their compliance.
Cookie Banner Consent Requirements
The ICO’s guidance on the use of cookies and similar technologies states that the consent request (typically collected through a cookie banner on a website or in an app) must “be in an intelligible and easily accessible form, using clear and plain language” and “allow the individual to withdraw their consent at any time”.
The ICO guidance also confirms that the user must “take a clear and positive action to give their consent to non-essential cookies – continuing to use your website does not constitute valid consent”. Furthermore, pre-ticked boxes or “on” sliders for non-essential cookies do not meet the ICO’s requirement for a positive action.
The guidance also states that a consent mechanism that does not allow users to decide whether to accept non-essential cookies, or one which emphasises “Agree” or “Allow” over “Reject” or “Block” (e.g. by using a different font size or deceptive colour coding), represents a non-compliant approach.
Enforcement of Cookie Rules
After receiving several hundred complaints from NOYB regarding cookie banners, the European Data Protection Board established a Cookie Banner Taskforce to coordinate enforcement of cookie rules among EU data protection authorities. As a result, the French data protection authority, CNIL, has issued several multi-million fines for breaches of the French cookie rules.
In the United Kingdom, the maximum fine for breaching cookie rules under the Privacy and Electronic Communications Regulations 2003 is currently £500,000. In the Data Protection and Digital Information Bill (No. 2), the UK Government proposed that the maximum fine increase to £17.5 million or 4% of worldwide annual turnover (whichever is higher). If approved, the Bill would also broaden the list of exemptions under which consent is not required in the United Kingdom before placing cookies on a user’s device (such as statistical or preference cookies).
What are the next steps?
The ICO maintains that it will not immediately fine organisations, but will instead apply increasingly strict stages of intervention. With the gradual phase-out of the third-party cookie, website operators’ reliance on marketing cookies is also likely to decline. However, organisations using cookies should review their cookie banners and ensure they comply with the applicable cookie rules, including by configuring a “reject all” button in their top-level cookie banner.