The issue relates to the automatic placing of cookies on a user's mobile device when accessing the ICO's website, which one complaint argued was in breach of the Privacy and Electronic Communications Regulations 2003, which sits alongside GDPR.
Article 6 of these regulations prohibits the storage of or access to information held on a user's device unless explicit consent is given, the argument being that because these cookies were used automatically, users were unable to reject their use.
In an email shared to Twitter, a spokesperson responding on behalf of the ICO's DPO said: "I acknowledge that the current cookies consent notice on our website doesn't meet the required GDPR standard."
The regulator has since confirmed this in an email to IT Pro.
Given upgrade work has largely gone unnoticed by the wider community, the admission that its policy was not compliant with GDPR has drawn the ire of industry experts that claim the watchdog is unable to follow its own advice.
A spokesperson for Civic UK confirmed to IT Pro that the planning and implementation of the tool had been left entirely to the ICO, and that the latest version would make the regulator compliant to GDPR cookie laws.
Carl Gottlieb, data protection officer for Hudl and Duolingo, told IT Pro that it was rare to see a regulator admit to its mistake, but that a lack of clear guidance on cookie laws is creating confusion across the industry.
"I believe it was in May 2018 that the ICO stated they would moving to the new version of the Civic cookie consent tool, but there has since been no evidence nor mention of this happening," said Gottlieb.
"It's unclear what infringement the ICO are admitting to here, and whether this is an official ICO stance or just one lone caseworker's opinion. It is certainly surprising to see a regulator openly apologise."
In an inspection by the European Data Protection Supervisor (EDPS) into the websites of ten major EU institutions and public bodies, it was found that seven contained data protection or privacy issues and were either non-compliant with the ePrivacy Directive or failed to follow EDPS guidelines. These included the websites for the European Data Protection Board, the body responsible for overseeing the implementation of GDPR across the EU, and the International Conference of Data Protection and Privacy Commissioners.
"At the heart of this issue is the lack of clear rules on cookie compliance," said Gottlieb. "For example, the ICO and the law firm FieldFisher both follow the EU 2012 opinion that anonymous Google Analytics does not require consent, but merely an opt-out. Potentially this opinion would be unchanged within the GDPR era."
"Unfortunately many are ignorant of this EU opinion or disagree with its merits and thus take a stricter line on compliance. We have a state of confusion amongst data protection experts which makes compliance a huge problem for anyone operating a website."
"The bigger problem is a lack of regulatory enforcement against cookie compliance breaches," added Gottlieb. "Until we see some action, website operators can continue to freely ignore the rules with no consequence."
Get the ITPro. daily newsletter
Receive our latest news, industry updates, featured resources and more. Sign up today to receive our FREE report on AI cyber crime & security - newly updated for 2023.
Dale Walker is the Managing Editor of ITPro, and its sibling sites CloudPro and ChannelPro. Dale has a keen interest in IT regulations, data protection, and cyber security. He spent a number of years reporting for ITPro from numerous domestic and international events, including IBM, Red Hat, Google, and has been a regular reporter for Microsoft's various yearly showcases, including Ignite.