Recent enforcement action by the ICO has websites reviewing their cookie compliance. Websites that set cookies must:
- inform users that cookies are present and set out the specific cookies being used;
- clearly and comprehensively explain the way the cookies work and why they are used (e.g. keep users signed in to their account); and
- obtain the user's consent to store a cookie on their device.
This information must be easily accessible for users, who need to understand the potential consequences of allowing a cookie to be downloaded onto their device. This means website providers should ensure the language and level of detail are appropriate for the website's audience.
User consent should comply with the consent requirements in Section 3(10) of the Data Protection Act 2018. These are:
- websites must be able to demonstrate valid consent;
- consent to cookies must be distinguishable from consent to another matter (e.g., terms and conditions);
- consent requests must be in an easily accessible format using plain language; and
- mechanisms should be present that allow users to withdraw consent.
ICO guidance on using cookies has clarified that consent must be informed and actively given. Specifically, website providers must ensure that users fully understand that their actions will result in specific cookies being set before they proceed to the website. Consent must involve a positive action from the user, such as ticking a box, and users should be able to disable or enable non-essential cookies at any point during their visit. If a user rejects non-essential cookies, businesses can still display adverts to that user, but they cannot tailor those adverts to the person browsing (e.g., by using their name). Websites do not have to obtain consent for "essential cookies": cookies that are strictly necessary for the website to function correctly.
Despite these requirements, many websites fail to give users a genuine choice over whether cookies are set. In recent weeks, the Information Commissioner has warned several UK websites that they will face enforcement action if they do not make changes to comply with the Regulations and data protection legislation. Specifically, the ICO targeted businesses that have made it harder for users to reject cookies whilst visiting their websites than to accept them. A study analysing 300 cookie consent notices found that all websites provided a one-click option to accept cookies, but only 15 websites provided a one-click deny option. The ICO has not named the businesses it contacted but has stated that an update will be provided in January, which will include the details of companies that have failed to address the ICO's concerns.
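As an added example (not from the article, and not an ICO tool or any real library), the following JavaScript module shows one way a site could implement the consent mechanism these requirements describe: a catalogue naming each cookie and its purpose in plain language, symmetric one-click accept and reject actions, no non-essential cookie set until consent has been positively recorded, withdrawal available at any time, and an audit record so the site can demonstrate valid consent. The names (ConsentStore, COOKIE_CATALOGUE, maySet, setCookie) and the sample cookies are assumptions made for this illustration.

```javascript
// Added example, not the article's or the ICO's code. All identifiers below
// are assumptions for the illustration, not a real library's API.
// No DOM dependency, so it runs under Node as well as in a browser bundle.

const ESSENTIAL = "essential";
const NON_ESSENTIAL = "non-essential";

// Catalogue of every cookie the site sets, with its category and a
// plain-language purpose. Constructed sample data.
const COOKIE_CATALOGUE = [
  { name: "session_id",   category: ESSENTIAL,     purpose: "keeps you signed in to your account" },
  { name: "csrf_token",   category: ESSENTIAL,     purpose: "protects forms against cross-site request forgery" },
  { name: "analytics_id", category: NON_ESSENTIAL, purpose: "measures which pages are used" },
  { name: "ad_profile",   category: NON_ESSENTIAL, purpose: "tailors adverts to your browsing" },
];

// Notice text that names the specific cookies and explains why each is used.
function consentNoticeText(catalogue) {
  return catalogue
    .map((c) => `${c.name} (${c.category}): ${c.purpose}`)
    .join("\n");
}

class ConsentStore {
  constructor(catalogue) {
    this.catalogue = catalogue;
    this.decision = null; // null = no decision yet: nothing non-essential may be set
    this.history = [];    // audit trail so the site can demonstrate valid consent
  }

  // Accept and reject are symmetric one-click actions; there is no pre-ticked
  // default, and silence or scrolling is never treated as consent.
  accept() { return this.record(true, "accept"); }
  reject() { return this.record(false, "reject"); }
  // Withdrawal is available at any time and is recorded like any other decision.
  withdraw() { return this.record(false, "withdraw"); }

  record(granted, action) {
    this.decision = {
      granted,
      action,
      at: new Date().toISOString(),
      // Snapshot of which cookies the user was told about, so a cookie added
      // to the catalogue later cannot ride on an older consent.
      shown: this.catalogue.map((c) => c.name),
    };
    this.history.push(this.decision);
    return this.decision;
  }

  hasConsent() {
    return this.decision !== null && this.decision.granted === true;
  }

  // Every cookie write is gated through this check.
  maySet(cookieName) {
    const entry = this.catalogue.find((c) => c.name === cookieName);
    if (!entry) return false;                       // unknown cookie: never set it
    if (entry.category === ESSENTIAL) return true;  // strictly necessary: no consent needed
    if (!this.hasConsent()) return false;
    // A cookie that was not in the notice the user saw needs fresh consent.
    return this.decision.shown.includes(cookieName);
  }

  // Non-essential cookies to delete when the user rejects or withdraws.
  cookiesToClear() {
    if (this.hasConsent()) return [];
    return this.catalogue
      .filter((c) => c.category === NON_ESSENTIAL)
      .map((c) => c.name);
  }
}

// Browser glue (assumes the standard document.cookie API) that honours the gate.
// Returns true only when the cookie was permitted to be set.
function setCookie(store, name, value, days) {
  if (!store.maySet(name)) return false;
  if (typeof document !== "undefined") {
    const expires = new Date(Date.now() + days * 864e5).toUTCString();
    document.cookie = `${name}=${encodeURIComponent(value)}; expires=${expires}; path=/; SameSite=Lax; Secure`;
  }
  return true;
}
```

In use, the accept and reject buttons of the banner call `accept()` and `reject()` respectively, a persistent "cookie settings" control calls `withdraw()`, and any code that wants to set a cookie goes through `setCookie` rather than writing `document.cookie` directly, so a non-essential cookie can never be set before a decision or after withdrawal. The `shown` snapshot in each recorded decision is what turns the history into evidence: it ties the consent to the exact list of cookies the user was told about at the time.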
The ICO considers it an infringement of data protection law if website design choices make it harder for users to choose more "privacy-friendly" options and nudge consumers into decisions that do not reflect their privacy preferences. Although many website providers use third-party contractors to design their websites, it is ultimately the provider's responsibility to ensure that the website complies with all relevant laws, including those relating to privacy and cookies. Providers can do this by taking the time to understand the requirements placed upon them and reflecting these in their instructions to website designers.