Personalised advertising means the tailoring of online adverts for a specific user, so that the format, content, or related products are specifically designed to reflect the user’s historic online behavioural patterns or demographic information. This requires the use of technologies (such as cookies) placed on the user terminal, as well as the use of personal data (in the form of IP addresses associated with individuals).
In particular, Regulation 6 of the Privacy and Electronic Communications Regulations (PECR) requires consent (to the UK GDPR standard) to place any non-essential cookies on a user device.
On 15 November 2023 the Information Commissioner’s Office (ICO) wrote to some of the UK’s most visited websites stating that they face enforcement action if they do not make changes to their cookie consent mechanisms to comply with data protection law. The ICO took a sample group of the UK’s top 100 most visited websites and found that slightly over half of them were not, in their view, compliant.
The ICO took the view that websites do not give users a fair choice over whether or not they consent to be tracked by non-essential cookies for targeted advertising unless they provide a “reject all” option with equal prominence to an “accept all” option. The ICO stated that this action is part of its broader work to ensure that people’s rights are upheld by the online advertising industry.
Stephen Almond, the ICO’s Executive Director of Regulatory Risk, commented: “We’ve all been surprised to see adverts online that seem designed specifically for us – an ad for a hotel when you’ve just booked a flight abroad, for instance. Our research shows that many people are concerned about companies using their personal information to target them with ads without their consent”.
This was followed with a clear message for other companies: “Many of the biggest websites have got this right. We’re giving companies who haven’t managed that yet a clear choice: make the changes now or face the consequences.”
These statements followed the ICO’s previously published guidance on 9 August 2023 which stated that cookie consent banners are one example of a harmful design. The ICO clarified its view that in order to obtain valid consent for setting non-essential cookies (as required by PECR), a website cookie banner should make it as easy to reject cookies as it is to accept them. The ICO noted in the same guidance that it would assess the cookie banners of the most frequently used websites in the UK and take subsequent action where “harmful design is affecting consumers”.
This took the form of the 15 November letters to the “naughty list” requiring compliance before Christmas. However, having published the template letter (without names) via LinkedIn on 19 December 2023, the ICO has not yet sought to rely on any specific evidence of harm to support its approach with these websites. The ICO promised to provide an update on this work in January 2024, including details of companies that have not addressed its concerns.
Impact on content providers and the news publishing sector
To meet the requirements of a valid consent, publishers must offer users a genuine choice to either accept or reject non-essential cookies. Practically, in the ICO’s view, this involves both choices being presented to the user with equal prominence and accessibility rather than either “nudging” users towards a particular option or requiring an additional step to opt out of all cookies.
The publishing sector was still widely using consent mechanisms which required users to either accept all cookies or customise / personalise their settings via an additional layer (rather than simply clicking once to “reject all”). As the additional layer involves a further step (and more clicking) on the part of the user, it meant that the two options were not of equal prominence and, the ICO argued, encouraged the user to “accept all” cookies. The ICO is also concerned with advertising cookies being set automatically before the individual is offered a choice or served even when the individual has opted to reject such categories of cookies.
A significant amount of revenue for digital news publishers comes from advertising sales driven by the use of programmatic advertising. This often involves the use of software known as supply-side platforms (SSPs) which connect publishers to multiple ad exchanges and networks. SSPs let publishers sell “impressions” to a wider pool of potential advertisers and therefore allow the publisher to maximise its revenue by serving relevant advertising based on the user’s online behaviour.
A shift in the number of users consenting to the use of advertising cookies will likely impact the overall success of commonly used mechanisms (including programmatic advertising) by which publishers can target relevant online advertising to users (and therefore have a knock-on effect on their revenue). However, in most cases, the users will still be served with the same number of ads; publishers will argue that they will just become less relevant for the user. Moreover, rejecting “all” cookies will affect all non-essential cookies on the site: not limited to advertising, but including those which have a functional purpose for site performance or tailoring editorial content. While these cookies are not the subject of the ICO’s current investigation (and the pending Data Protection and Digital Information Bill may change the position), as it stands the law applies in the same way to all non-essential cookies.
The ICO’s approach to compliance: a change of tone
Until recently, and despite its stop-start 2019 investigation into Adtech, enforcing cookie consent compliance has not been a priority for the ICO. Whilst it issued guidance setting out its data protection concerns with the targeted advertising industry, it had not publicly taken enforcement action.
This latest direction of travel signals a change of tone: particularly if the ICO follows through on its threat of publicising details of companies who do not address its concerns in relation to cookie banners, or takes further action (eg in the form of a fine or even a “stop processing” notice requiring websites to cease activity in relation to personal data). Whilst the ICO’s focus has so far been on the top visited websites, all organisations are expected to comply with the ICO’s guidance and we expect the ICO will broaden its enforcement focus in the coming months, potentially starting with the “next” 100 most visited websites in the UK.
This publication is a general summary of the law. It should not replace legal advice tailored to your specific circumstances.
© Farrer & Co LLP, January 2024