The Information Commission's Office ("ICO") has recently cautioned website operators that they should anticipate the commencement of UK enforcement regarding non-compliance with cookie regulations. While new legislation is on the horizon, the ICO has been vocal about this matter in the past, but officials at a conference hosted by the ICO1 delivered a more urgent warning.
Acknowledging the situation, Deputy Commissioner for Enforcement Stephen Bonner mentioned that some non-compliant companies might be waiting for the regulator to initiate enforcement through fines as a signal to take corrective action. However, there are others who exhibit no intent to comply, and this behaviour is pushing the authorities toward taking enforcement measures.
Bonner emphasised that there have been ample warnings and sufficient clarity regarding what needs to be done. While many organisations have chosen to comply, not all have followed suit, and this is an area where the ICO intends to take action. He expressed his enthusiasm for enforcing cookie regulations, suggesting that the time for such enforcement has arrived, and now is an opportune moment for those who have not yet taken steps to comply. Companies failing to adhere to existing regulations should be prepared for potential regulatory action, as the ICO intends to actively address non-compliance.
The upcoming Data Protection and Digital Information (No 2) Bill, which proposes amendments to the UK General Data Protection regulations, could potentially lead to changes in cookie regulation. These changes might exempt websites that utilise specific tracking tools like Google Analytics from the necessity of obtaining user consent through banners. Instead, users may have the option to automate certain consent preferences within their web browsers, applying them universally rather than on a per-site basis. This legislation, previously known as the Data Reform Bill, aims to reduce what is perceived as overly burdensome regulation and is anticipated to be approved around mid-2024.
However, organisations should not interpret this impending legislation as an excuse to disregard current requirements. The Executive Director for Regulatory Risk at the Information Commissioner's Office (ICO), Stephen Almond, cautioned against this mindset, highlighting a concerning lack of compliance with the regulator's expectations. He emphasised that those assuming there will be a "Get Out of Jail Free" card regarding non-compliance with the current cookie law are mistaken. Alongside ICO Guidance, cookies are primarily governed by the Privacy and Electronic Communications Regulations ("PECR"). Non-compliance with PECR presently carries the possibility of a fine of up to £500,000. However, amendments to this legislation might raise the maximum penalty to £17.5 million or 4% of the company's global annual turnover. Whilst the fines given would need to be proportionate and reasonable, it is important for businesses to adhere to any regulatory warnings provided.
Regarding advertising cookies, Almond cautioned that there will still be distinct expectations outlined in the law, resembling the current requirements related to consent for processing personal data. Companies should continue to review the way in which they use cookies and how cookie banners are presented to ensure compliance with the law. They should also be open to the fact that the new Digital Information (No 2) Bill may require them to implement changes across their digital platforms.
Footnote
1. Data Protection Practitioners' Conference, 03 October 2023, https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2023/10/uk-information-commissioner-issues-preliminary-enforcement-notice-against-snap/
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
