ARTICLE
23 October 2024

ICO Reprimand Highlights Importance Of Cookie Use Consent

FH
Finnegan, Henderson, Farabow, Garrett & Dunner, LLP

Contributor

Finnegan, Henderson, Farabow, Garrett & Dunner, LLP is a law firm dedicated to advancing ideas, discoveries, and innovations that drive businesses around the world. From offices in the United States, Europe, and Asia, Finnegan works with leading innovators to protect, advocate, and leverage their most important intellectual property (IP) assets.
In September, the Information Commissioner's Office issued a formal reprimand to Bonne Terre Ltd., trading as Sky Betting and Gaming, for unlawfully processing people's data...
United Kingdom Privacy

In September, the Information Commissioner's Office issued a formal reprimand to Bonne Terre Ltd., trading as Sky Betting and Gaming, for unlawfully processing people's data through advertising cookies without their consent in breach of the U.K. General Data Protection Regulation.

The reprimand followed an investigation into Bonne Terre's personal data processing practices concerning the use of certain cookies that were set on the browsers for individuals when they accessed its SkyBet website from Jan. 10 2023, to March 3, 2023.

This reprimand issued by the ICO emphasizes the need for companies to obtain clear and informed consent from users before deploying cookies on their websites. It serves as a significant reminder for companies to ensure their cookie policies are transparent and compliant as regulatory enforcement around data privacy in the digital sphere continues to intensify.

Background

Bonne Terre is a company operating under Flutter Entertainment PLC, providing various online betting and gaming products, including services provided through the domain name SkyBet.com.

In January 2022, Clean Up Gambling, a U.K. advocacy organization, published a report alleging that SkyBet was transferring extensive amounts of personal data to third parties without informed user consent. Following these allegations, in October 2022, the ICO launched an investigation into whether Bonne Terre was processing personal data in compliance with the Data Protection Act 2018 and the U.K. GDPR.

The investigation found that when users would first visit SkyBet, they would encounter SkyBet's consent management platform pop-up, which informed users that, "If you accept 'all cookies' you are agreeing to the storing of cookies on your device to enhance site navigation, assist with our marketing efforts, and analysis of product usage."

Users had the option to accept all cookies, which Bonne Terre treated as consent to the collection of users' personal data by third-party vendors.

MediaMath, a demand-side platform contracted by Bonne Terre, used a pixel embedded within SkyBet to facilitate the setting of approximately 40 third-party marketing cookies upon a visitor's immediate arrival to the website.

Therefore, cookies were placed on users' devices before the users set their preferences within the consent management platform, and therefore before users were able to give informed consent. This violated key provisions of the U.K. GDPR regarding lawful data processing and transparency in obtaining consent.

In particular, the ICO found Bonne Terre in breach of the following U.K. GDPR provisions:

  • Article 5(1)(a), which requires that personal data must be processed lawfully, fairly and transparently;
  • Article 6(1)(a), which sets out the legal basis for processing personal data, requiring consent from data subjects for the processing of their personal data; and
  • Article 7(1), which outlines the conditions for valid consent, requiring that consent must be freely given, specific, informed and unambiguous.

Decision to Issue a Reprimand

In making the decision to issue a reprimand, the ICO considered the circumstances as a whole. Relevant factors included the following:

  • Loss of autonomy and sense of manipulation: The ICO considered that users were deprived of the opportunity to confirm that they did not consent to the collection and disclosure of their personal data.
  • Loss of control of personal data: The ICO found that expectations of effective choice may not have been met where personal data was collected prior to users giving or refusing consent.
  • Intrusion into data subjects' lives: This included the ICO's finding that users may feel a possible sense of surveillance by way of unwanted targeted advertising where cookies were deployed on the browsers of users who chose to reject third-party tracking.
  • Steps taken to rectify the issue promptly: Bonne Terre took corrective action within 24 hours of being alerted to the issue on March 2, 2023, and fixed the problem by March 3, 2023. The ICO's technical tests later that month confirmed the issue had been resolved.
  • Contractual controls and limits: Bonne Terre highlighted its master service agreement with MediaMath, which provided for contractual controls that limited how the collected data could be used. This led to the result that MediaMath was only allowed to use the data collected for limited commercial purposes. Additionally, Bonne Terre submitted that the data shared did not reveal users' engagement with gambling, which significantly limited any potential harm arising from the infringements.
  • Safeguards for vulnerable users: Bonne Terre had mechanisms in place, including profiling tools, which would flag whether a user should be removed from targeted marketing. These flags would include, e.g., whether a user failed the verification process or if they were near their spend limit. These safeguarding mechanisms would exclude potentially high-risk users, which the ICO acknowledged when assessing the severity of the infringements.

While Bonne Terre took a number of mitigating steps, the ICO stressed that the unlawful disclosure of personal data to third parties is a matter of significant public concern, particularly where it occurs in a commercial context.

The ICO emphasized in particular the importance of lawful and fair processing of personal data in the gambling sector, which frequently has a customer base that includes vulnerable users. In light of the circumstances, the ICO issued a reprimand, rather than a monetary penalty, as an effective, proportionate and dissuasive measure.

The ICO advised Bonne Terre to continually monitor and review its cookie management practices to ensure that nonessential cookies are only deployed after valid user consent has been obtained. If Bonne Terre fails to comply with these recommendations in the future, the ICO warned that it could escalate the matter and consider further formal regulatory action.

Key Learnings

The ICO's decision to issue Bonne Terre with a reprimand provides a number of key learnings for data processing in the commercial context.

Strict Consent Requirements and Transparency

This decision underscores the importance of obtaining clear informed consent before deploying tracking technologies such as cookies. Companies must ensure users are fully informed of how their data will be collected and used, including who is collecting the data and what data is being collected.

Consent must be freely given, specific, informed and unambiguous in order to comply with the UK GDPR. The use of "preticked boxes" or activating cookies before consent is clearly obtained can constitute noncompliance.

Legal Liability as Controllers

The ICO reaffirmed that companies using third-party tracking technologies are considered data controllers, meaning they are responsible for ensuring compliance with data protection laws, even if third-party vendors are involved. This means rigorous measures must be implemented to control and monitor how and when user data is collected and shared.

Safeguards for Vulnerable Users

In sectors dealing with sensitive activities like gambling, companies must implement robust protections for vulnerable users. This includes limiting the scope of targeted marketing to users who may be vulnerable, such as those with gambling addictions or financial insecurities. The case against Bonne Terre stressed the need for profiling measures to ensure vulnerable individuals are excluded from potentially harmful targeting.

Reputation and Consumer Trust

This case brings attention to the reputational risks involved in noncompliance. Surveys cited in the reprimand show a high level of public concern about the use of personal data in online advertising. Companies must work toward building consumer trust by ensuring transparent and lawful data practices, while avoiding aggressive or manipulative tracking methods.

Ongoing Monitoring

The ICO's decision stressed the importance of ongoing monitoring of cookie deployment and data collection processes. Companies should regularly review their consent mechanisms, tracking technologies and data-sharing practices to ensure they remain compliant with data privacy regulations.

Conclusion

The ICO's reprimand of Bonne Terre highlights the ongoing regulatory focus on the use of cookies for tracking and targeted advertising, together with the need for transparency and lawful consent mechanisms, particularly when sensitive personal data is involved.

This case serves as a reminder to all online service providers of the critical importance of adhering to data protection laws and ensuring that users have control over their personal data.

The ICO's stance in the reprimand also reflects broader concerns in the U.K. about data privacy, as evidenced by public surveys cited in the decision showing that a significant majority of individuals are concerned about how their personal data is used, especially for commercial purposes. Ultimately, this decision demonstrates the importance of fairer, more transparent data practices in the digital sphere.

Originally published by Law360

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Find out more and explore further thought leadership around Privacy Law and Privacy Regulations

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More