In an interview with news agency MLex (subscription required), Deputy Commissioner Stephen Bonner announced that the Information Commissioner’s Office (ICO) is “paying attention” to how companies use cookies on websites and how they allow users to configure their settings. Companies that don’t take the law seriously and don’t take appropriate steps will – he said – be issued fines.
Subsequently, the ICO said in a comment to Mishcon de Reya, “Having a ‘reject all’ button on a cookies banner that is just as prominent as an ‘accept all’ button helps people to more easily exercise their information rights. The ICO is closely monitoring how cookie banners are used in the UK and invites industry to review their cookies compliance now. If the ICO finds that cookies banners breach the law, it will seriously consider using the full range of its powers, including fines.”
The law dealing with the use of cookies is primarily the Privacy and Electronic Communications (EC Directive) Regulations 2003 (as amended). This is generally abbreviated to “PECR”. It states that the only cookies (or similar technology) that can be placed on website visitors’ devices without consent are those that are “strictly necessary” for the site to operate. To place any others the website must seek the visitors’ consent. “Consent” takes its meaning here from the definition in the UK GDPR – “a freely given, specific, informed and unambiguous indication of the [person’s] wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement”.
A failure to comply with PECR can currently result in a fine of up to £500,000, but changes to the law could increase the maximum fine to £17.5m or 4% of global annual turnover. Fines must of course be proportionate, and it is unlikely that a failure to get a cookie banner right would lead to large fines, but regulatory warnings should always be taken seriously.