So, do you need to bother? Whilst we haven’t yet seen any fines for non-compliance, it’s worth knowing that the ICO, and their European equivalents, have been busy of late. They have grown bigger teeth and have been working very proactively, rather than just reacting to reported data breaches. The German internet provider 1&1 was fined £8m for poor customer security ID checks, and in October the same regulator punished a German property company with a bigger €14.5m fine for holding on to people’s personal data for longer than was necessary. Here in the UK, between July and September 2019, the ICO issued fines to 340 companies for failing to pay the mandatory data protection fee that all organisations that process personal information are required to pay.
What am I doing wrong?
With this new vigour in mind, let’s explore why most websites are in violation of the ICO’s latest guidance, and what you need to do about it.
The latest ICO guidance says that opt-in permission needs to be explicitly given BEFORE the non-essential cookies are placed, but the vast majority of websites actually place both the non-essential and essential cookies onto a user’s device as soon as they visit the page, along with a cookies message asking for consent. For a website to be compliant, the cookie permission banner should now tell you that it is placing the essential cookies and then ask you to specifically choose to accept the non-essential cookies (the ones that feed Google Analytics, etc.).
Permission needs to be granted
Strictly speaking (according to the Privacy and Electronic Communications Regulations), the reason this has changed is all to do with permissions and ownership. Installing non-essential cookies enables a website to use the end user’s computer, so permission needs to be granted by the user – it can’t just be taken. These non-essential cookies offer no real benefit to the user, but most people are nice (or lazy) and often choose to accept them anyway, which is good for us.
The message ‘by continuing to use this website you are agreeing to cookies’ is not valid consent under the higher GDPR standard either, because companies have already placed the cookies. This is the IT equivalent of asking for forgiveness rather than permission.
A warning for marketers
In one corner, we have the ICO, and in the other we have the marketers, who will want to ensure that their websites are still using analytics in order to measure audience engagement, and to enable targeted remarketing to provide better revenue streams. So how do we comply with the ICO guidance? I talked to the ICO and they were pretty vague and non-committal, but they didn’t shoot down my suggestion, which is that every website now needs a very prominent cookie permission box with two options: option one would be ‘accept all cookies’, and option two should be ‘accept only essential cookies’. The first option could be in a bright colour, whilst the second is grey to help steer the consumer to the option that you’d like them to take – as long as the options are clearly laid out, you will be OK. This box also needs to block your website and shouldn’t be able to be bypassed by visiting another page on the site.
Only after the user has clicked to allow non-essential cookies can you place those cookies on their machine.
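The gate described above, as an added example that is not code from the article or from the ICO: essential cookies are set straight away, non-essential cookies and tag loaders (analytics, remarketing) are held back until the visitor has explicitly chosen ‘accept all’, and the banner stays mandatory on every page until a choice is recorded. The cookie names, the `cookie_consent` record and the in-memory jar are assumptions so the code runs outside a browser too.

```javascript
// Added example, not from the article: a consent gate that keeps non-essential
// cookies and tag loaders off the visitor's device until they opt in.
// The jar is injected so the same logic runs in Node as it would over document.cookie.

const CONSENT_COOKIE = "cookie_consent"; // hypothetical name; values: "all" | "essential"
// Constructed example names; the consent record itself counts as essential.
const ESSENTIAL = new Set(["session_id", "csrf_token", CONSENT_COOKIE]);

// Minimal in-memory jar with the shape a document.cookie wrapper would expose.
function memoryJar() {
  const m = new Map();
  return {
    get: (k) => m.get(k),
    set: (k, v) => m.set(k, v),
    remove: (k) => m.delete(k),
    names: () => [...m.keys()],
  };
}

function consentState(jar) {
  const v = jar.get(CONSENT_COOKIE);
  return v === "all" || v === "essential" ? v : null; // missing or unknown = no consent yet
}

// The blocking banner must appear on every page until a choice exists (no bypass by navigating).
function needsBanner(jar) { return consentState(jar) === null; }

// Record the visitor's explicit choice; rejects anything that is not one of the two options.
function recordChoice(jar, choice) {
  if (choice !== "all" && choice !== "essential") throw new Error("invalid consent choice");
  jar.set(CONSENT_COOKIE, choice);
}

// Essential cookies are always set; non-essential ones only after "accept all". Returns true if set.
function setCookie(jar, name, value) {
  if (ESSENTIAL.has(name) || consentState(jar) === "all") { jar.set(name, value); return true; }
  return false; // refused: not yet permitted
}

// Run non-essential loaders (e.g. the analytics snippet) only with consent; returns how many ran.
function loadNonEssential(jar, loaders) {
  if (consentState(jar) !== "all") return 0;
  loaders.forEach((fn) => fn());
  return loaders.length;
}

// Defensive sweep on each page load: drop non-essential cookies that arrived without
// consent (e.g. left behind by an old "by continuing" banner). Returns the names removed.
function purgeUnconsented(jar) {
  if (consentState(jar) === "all") return [];
  const dropped = jar.names().filter((n) => !ESSENTIAL.has(n));
  dropped.forEach((n) => jar.remove(n));
  return dropped;
}
```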
I’ll be keeping an eye on how the ICO takes it from here, and whether it builds on the proactivity already demonstrated in 2019. Given that we’re now at the mercy of both ICO prosecutions and potential class action prosecutions, we all need to consider our decisions very carefully.