The ICO (“Information Commissioner’s Office”) check the use of cookies on websites and how they allow web visitors to configure their settings. Sites that have non-compliant cookie banners/controls are at risk of being fined up to £500k under PECR. Whilst we don’t know of any significant fines to date, the ICO Deputy Commissioner recently said they are “paying attention” to this and that companies that don’t comply will be fined.
But is a ‘reject all’ option legally required?
Mark Gracey from Mark Gracey GDPR has looked into this for us, and the ICO have said:
Having a ‘reject all’ button on a cookies banner that is just as prominent as an ‘accept all’ button helps people to more easily exercise their information rights. The ICO is closely monitoring how cookie banners are used in the UK and invites industry to review their cookies compliance now. If the ICO finds that cookies banners breach the law, it will seriously consider using the full range of its powers, including fines.
Mark says this response is not surprising, given that the GDPR consent rules and the cookie rules are clear on this:
- Consent must be freely given by providing an affirmative action and it should be as easy to withdraw consent as it is to give it, and
- You need consent for all but essential cookies (e.g. “essential” for running the website, not your business) and that consent should be collected before the cookies are placed, particularly for non-essential, privacy-intrusive cookies
There are no specific rules about settings-driven opt-outs, i.e. presenting the website user with two options: ‘accept all’ and ‘change your settings’. In fact, recent discussions with the ICO helpline highlighted that a settings-led approach would suffice, with the ‘basic’ cookie guidance from the ICO stating:
To ensure that consent is freely given, users should have the means to enable or disable non-essential cookies, and you should make this easy to do.
But more detailed guidance says:
A consent mechanism that emphasises ‘agree’ or ‘allow’ over ‘reject’ or ‘block’ represents a non-compliant approach, as the online service is influencing users towards the ‘accept’ option.
The ICO have rarely taken action against cookie banners, so it does feel these recent statements are a change in policy. However, the UK government have said they want to make changes in the law regarding cookies, so it seems odd for the ICO to take this stance now.
Only time will tell if we start seeing enforcement/fines, but we are seeing more cookie banners on websites that make it easier to ‘reject all’ than before.
If you want to discuss any of the above, or if you would like us to check your cookie policy to ensure your website is/stays compliant, please get in touch on info@legaledge.co.uk. You may also want to check out our previous blog on why do I need a cookie notice.