The UK's ICO says: “Top websites, check your cookie settings, or else!”

On November 21, 2023, the United Kingdom’s Information Commissioner issued a statement announcing that it had warned several of the UK’s top visited websites that they have 30 days to ensure compliance with the country’s data privacy law or face enforcement action. 

Back in August 2023, the ICO denounced harmful website design practices in a news post published on their official website, such as “overly complicated privacy controls, default settings that give less control over personal information and bundling privacy choices together in ways that push consumers to share more data than they would otherwise wish to do,” or cookie consent banners designed in such a way that users do not provide an informed consent and receive targeted ads against their wishes. 

In the joint blog post, dated August 9, 2023, Stephen Almond, ICO’s Executive Director for Regulatory Risk and Will Hayter, CMA’s Senior Director in the Digital Markets Unit, stated the following: 

A person’s online life doesn’t start or end with their visit to your website. A choice they made on a cookies policy weeks ago could still be affecting the adverts they see and content they’re exposed to today. This can have a very real impact on their wellbeing. For example, someone recovering from a gambling problem being steered to ‘accept all’ cookies could mean they are being continually bombarded with betting adverts. 

At the same time as the joint statement’s publication the ICO “clear guidance that organisations must make it as easy for users to ‘Reject All’ advertising cookies as it is to ‘Accept All’. The guidance, also available on the ICO’s website, clarified that “websites can still display adverts when users reject all tracking, but must not tailor these to the person browsing.”

Despite this, the ICO has observed that “some websites do not give users fair choices over whether or not to be tracked for personalised advertising.” In light of this, Stephen Almond, ICO Executive Director of Regulatory Risk, stated: 

We’ve all been surprised to see adverts online that seem designed specifically for us – an ad for a hotel when you’ve just booked a flight abroad, for instance. Our research shows that many people are concerned about companies using their personal information to target them with ads without their consent. [...]

Gambling addicts may be targeted with betting offers based on their browsing record, women may be targeted with distressing baby adverts shortly after miscarriage and someone exploring their sexuality may be presented with ads that disclose their sexual orientation. [...]

Many of the biggest websites have got this right. We’re giving companies who haven’t managed that yet a clear choice: make the changes now, or face the consequences.

According to the press release, any updates on or results of this action of warning the most visited websites in the UK will be made available in January, which may include details of the companies that have failed to address the ICO’s concerns regarding their cookie settings.