The UK’s Information Commissioner’s Office (ICO) has warned it may impose harsh penalties and publicly name websites that fail to make changes to their cookie consent policies.
The ICO said that some are failing to give users a clear choice about whether they want to opt-in to personalized advertising, and make it just as easy to 'reject all' as to 'accept all'.
While websites can still display adverts when users reject all tracking, they must not tailor these ads to the person browsing.
Stephen Almond, ICO executive director for regulatory risk issued a warning to websites that consistently fail on cookie consent, adding that the regulator will clamp down on those who don’t comply.
"We’ve all been surprised to see adverts online that seem designed specifically for us – an ad for a hotel when you’ve just booked a flight abroad, for instance. Our research shows that many people are concerned about companies using their personal information to target them with ads without their consent,” he said.
"Gambling addicts may be targeted with betting offers based on their browsing record, women may be targeted with distressing baby adverts shortly after miscarriage and someone exploring their sexuality may be presented with ads that disclose their sexual orientation."
Without naming names, the ICO said it has written to companies running some of the UK’s most-visited websites to voice concerns about their cookie consent policies.
The regulator has given them 30 days to ensure their websites comply with current legislation on the matter.
"Many of the biggest websites have got this right," said Almond. "We’re giving companies who haven’t managed that yet a clear choice: make the changes now, or face the consequences."
The ICO said it will provide an update on progress in January. For organizations that are still to comply, it will provide the public with details.
Cookie consent crackdown
The move follows a warning earlier this summer in which the ICO began assessing cookie consent banners. The regulator said at the time it would take action against those who don’t comply.
While the legal requirement for cookie banners derives from the GDPR, the UK's departure from the EU hasn't yet led to any change in the rules.
Companies are required to gain explicit consent from users before using marketing cookies or trackers, and the buttons used for this must make it at least as easy to deny as to consent.
In the EU, rules are similar, although there's no clear rule that 'reject all' must appear at the same time, and be as easy to choose as 'accept all'.
Discover how Telefónica Tech helps NHS Trusts meet the mandate for operational EPR systems
Different countries within the union have slightly different policies. Austria and Spain, for example, require a 'reject all' button in the first layer of the consent process while Germany does not.
"These guidelines discuss solutions, such as tracking links and pixels, local processing, and unique identifiers, to ensure that the consent obligations set out by the article are not circumvented," said EDPB chair Anu Talus.
Get the ITPro. daily newsletter
Receive our latest news, industry updates, featured resources and more. Sign up today to receive our FREE report on AI cyber crime & security - newly updated for 2023.
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.