14 August 2023

ICO confirms need for ‘reject all’ button on cookie notices

Emma Hastings-Bray, Senior Associate

Just about every website you visit will ask whether you agree to its use of cookies, small blocks of data which may be placed on your computer for a range of purposes.

However, there’s huge variety in how these notices are phrased and how much choice users have over their use.

Now the Deputy Commissioner at the Information Commissioner’s Office (ICO) has confirmed the organisation’s stance on cookie compliance, drawing a clear line on what will and won’t be permitted.

Organisations must now review their current practices to ensure they meet the standards required by UK data protection law to avoid intervention from the ICO.

What is the law concerning cookies?

The law surrounding cookies was set out 20 years ago in regulation 6 of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR).

The regulations require an organisation to:

  • let individuals know what cookies it will set on their device

  • explain what these cookies do

  • obtain consent from individuals before storing cookies on their device

The requirement to obtain consent is subject to two exemptions. Consent is not required where cookies are set:

  • for the sole purpose of carrying out the transmission of a communication over an electronic communications network (the communication exemption).

  • where such storage or access is strictly necessary for the provision of an information society service requested by the subscriber or user (the strictly necessary exemption).

What is the ICO’s position on cookie banners?

In an interview with MLex, Deputy Commissioner Stephen Bonner made it very clear that the ICO expects organisations to offer individuals real choice when it comes to setting cookies:

“If you don't have ‘reject all’ on your top level [cookie banner], you are breaking the law.”

Therefore, cookie notices which do not display a ‘reject all’ button at the top level, and only offer users the ability to ‘accept all’ or ‘manage preferences’, will not be considered compliant.

What are the implications of non-compliance?

While this is a clear warning, Bonner also commented that the ICO would be likely to “move through a set of regulatory interventions” rather than issuing fines immediately. What these interventions will be, and whether they will apply to all organisations, remains to be seen.

Fines for breaches of UK data protection legislation are subject to the following limits:

  • breaches of UK GDPR can attract fines of up to £17.5 million or 4% of the organisation’s total annual worldwide turnover in the preceding financial year, whichever is higher.

  • breaches of PECR are currently limited to £500,000. However, the UK Data Protection and Digital Information Bill proposes to bring fines for violations of PECR in line with UK GDPR.

In addition to fines, there is increasing public awareness of individuals’ data rights and of the obligations of organisations that hold their data. Failing to protect data therefore also risks reputational damage and complaints from data subjects.

Organisations should take immediate action

The comments provided by the Deputy Commissioner could not be clearer. To be compliant with PECR, cookie banners must contain a ‘reject all’ button that gives users real choice about which cookies are set. Organisations should take immediate action to review their use of cookies and ensure that they offer users the ability to ‘reject all’.

As well as providing a ‘reject all’ button, organisations should use this opportunity to review their cookie policies to ensure that these also meet the requirements of PECR.

If you would like our assistance with this or any other data compliance regulations, get in touch with our data protection and information law team.

Emma Hastings-Bray, Wilkin Chapman LLP