
ICO warns of fines for companies who do not get cookie banners right

Posted on 15 June 2023

In an interview with news agency MLex (subscription required), Deputy Commissioner Stephen Bonner announced that the Information Commissioner's Office (ICO) is "paying attention" to how companies use cookies on websites and how they allow users to configure their settings. Companies that don't take the law seriously and don't take appropriate steps will – he said – be issued fines.

Subsequently, the ICO said in a comment to Mishcon de Reya: "Having a 'reject all' button on a cookies banner that is just as prominent as an 'accept all' button helps people to more easily exercise their information rights. The ICO is closely monitoring how cookie banners are used in the UK and invites industry to review their cookies compliance now. If the ICO finds that cookies banners breach the law, it will seriously consider using the full range of its powers, including fines."

The law dealing with the use of cookies is primarily the Privacy and Electronic Communications (EC Directive) Regulations 2003 (as amended). This is generally abbreviated to "PECR". It states that the only cookies (or similar technology) that can be placed on website visitors' devices without consent are those that are "strictly necessary" for the site to operate. To place any others the website must seek the visitors' consent. "Consent" takes its meaning here from the definition in the UK GDPR – "a freely given, specific, informed and unambiguous indication of the [person's] wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement".

A failure to comply with PECR can currently result in a fine of up to £500,000, but changes to the law could increase the maximum fine to £17.5m, or 4% of global annual turnover. Fines must of course be proportionate, and a failure to get a cookie banner right is unlikely to lead to a large fine, but regulatory warnings should always be taken seriously.

The ICO already provides guidance on cookies, and indeed its own website uses a banner. The guidance says "we have no objection to organisations seeing if [the same] option would work for them [but] any solution has to be appropriate to an organisation's own needs". Ironically, only a few years ago the ICO had to admit that at that time its own website and banner failed to comply with PECR.

Bonner suggests that failing to have a "reject all" button on a cookie banner will be a breach of PECR, and that there is "no excuse" for not having one. Although fines would not be issued immediately, and there would be "stages of intervention", he said that the ICO's position is "pretty straightforward and robust".
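The two points the article makes about banners, that only "strictly necessary" cookies may be set before the visitor chooses, and that "reject all" should be as available as "accept all", can be expressed as a small consent gate. This is an added example, not code from the article, the ICO or Mishcon de Reya; the cookie names are constructed, and `jar` stands in for `document.cookie` so the code runs outside a browser.

```javascript
// Added example: a consent gate modelled on the PECR rule described above.
// Cookie names are constructed for the demo; `jar` replaces document.cookie.
const STRICTLY_NECESSARY = new Set(["session_id", "csrf_token", "cookie_consent"]);

function createConsentGate(jar = new Map()) {
  let consent = null;   // null: no choice yet; true: accept all; false: reject all
  const deferred = [];  // non-essential cookies requested before a choice was made

  return {
    // Only strictly necessary cookies are written without consent; everything
    // else waits for an explicit "accept all" and is discarded on "reject all".
    setCookie(name, value) {
      if (STRICTLY_NECESSARY.has(name) || consent === true) {
        jar.set(name, value);
        return true;
      }
      if (consent === null) deferred.push([name, value]);
      return false;
    },
    // Consent must be a clear affirmative action: this handler is the only path
    // that enables non-essential cookies. Scrolling or dismissing never calls it.
    acceptAll() {
      consent = true;
      jar.set("cookie_consent", "accepted");
      for (const [name, value] of deferred.splice(0)) jar.set(name, value);
    },
    rejectAll() {
      consent = false;
      jar.set("cookie_consent", "rejected");
      deferred.length = 0;
    },
    // Banner markup: both choices share one class so neither is visually buried.
    bannerHtml() {
      return '<div class="cookie-banner">' +
        '<button class="consent-btn" data-choice="accept">Accept all</button>' +
        '<button class="consent-btn" data-choice="reject">Reject all</button>' +
        '</div>';
    },
    // Compliance check: non-essential cookies present without an "accept all".
    nonEssentialWithoutConsent() {
      if (consent === true) return [];
      return [...jar.keys()].filter((name) => !STRICTLY_NECESSARY.has(name));
    },
    cookies: jar,
  };
}
```

Running `nonEssentialWithoutConsent()` against the cookies a page has actually set before any choice is a quick way to spot analytics or advertising cookies that are being dropped without consent.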

It is worth noting that the Data Protection and Digital Information (No.2) Bill, which is currently before Parliament, proposes to include cookies used for the purposes of website analytics within the "permitted without consent" category. The same Bill, however, is also where the massive increase in the potential maximum fine is proposed.

In order to comply with the law, and particularly in light of the ICO's regulatory warnings, companies should review how they use cookies and how they present cookie banners. They should also keep this under review, given the likelihood that the law will be changing soon.
