ICO threatens to name and shame cookie consent rogues


The UK’s Information Commissioner’s Office (ICO) has warned it may impose harsh penalties and publicly name websites that fail to make changes to their cookie consent policies. 

The ICO said that some websites are failing to give users a clear choice about whether they want to opt in to personalized advertising, and failing to make it just as easy to 'reject all' as to 'accept all'.

While websites can still display adverts when users reject all tracking, they must not tailor these ads to the person browsing.

Stephen Almond, ICO executive director for regulatory risk, issued a warning to websites that consistently fail on cookie consent, adding that the regulator will clamp down on those that don’t comply.

"We’ve all been surprised to see adverts online that seem designed specifically for us – an ad for a hotel when you’ve just booked a flight abroad, for instance. Our research shows that many people are concerned about companies using their personal information to target them with ads without their consent," he said.

"Gambling addicts may be targeted with betting offers based on their browsing record, women may be targeted with distressing baby adverts shortly after miscarriage and someone exploring their sexuality may be presented with ads that disclose their sexual orientation."

Without naming names, the ICO said it has written to companies running some of the UK’s most-visited websites to voice concerns about their cookie consent policies.

The regulator has given them 30 days to ensure their websites comply with current legislation on the matter.

"Many of the biggest websites have got this right," said Almond. "We’re giving companies who haven’t managed that yet a clear choice: make the changes now, or face the consequences."

The ICO said it will provide an update on progress in January. For organizations that have still not complied, it will provide the public with details.

The move follows a warning earlier this summer in which the ICO began assessing cookie consent banners. The regulator said at the time it would take action against those who don’t comply.

While the legal requirement for cookie banners derives from the GDPR, the UK's departure from the EU hasn't yet led to any change in the rules.

Companies are required to gain explicit consent from users before using marketing cookies or trackers, and the buttons used for this must make it at least as easy to deny as to consent.

In the EU, the rules are similar, although there's no clear rule that 'reject all' must appear at the same time as 'accept all' and be as easy to choose.




Different countries within the union have slightly different policies. Austria and Spain, for example, require a 'reject all' button in the first layer of the consent process while Germany does not.

Earlier this month, the European Data Protection Board (EDPB) published new guidelines on the use of cookies, clarifying which tracking techniques are covered.

"These guidelines discuss solutions, such as tracking links and pixels, local processing, and unique identifiers, to ensure that the consent obligations set out by the article are not circumvented," said EDPB chair Anu Talus.

Emma Woollacott
