Cookies are small amounts of data placed on a user’s device when they browse a website. They are often intended to save time and improve a user’s experience, for example by storing log-in details, preferences, shopping baskets etc., but they can also monitor browsing habits for targeted marketing.
While essential cookies are necessary for a website to operate and do not require consent from the user browsing the site, non-essential cookies, for example those used to analyse browsing and to display adverts, do require the user's consent given their nature and privacy implications.
Article 7 GDPR provides that it needs to be “as easy to withdraw as to give consent”, and the same should be the case for consent to non-essential cookies. This provision has come under greater scrutiny recently.
In 2021 the French DPA fined Google and Facebook a combined €210m for failing to make non-essential cookies as easy to reject as to accept. These were some of the highest fines ever issued by the French DPA, which took into account (i) the number of data subjects affected, (ii) the financial benefits obtained from the breach, i.e. advertising revenue, and (iii) the fact that Google and Facebook must have been aware of the new recommendations on cookies.
In turn, the ICO is now scrutinising compliance in this area. The ICO has stated it will “move through a set of regulatory interventions” with businesses before dishing out fines, and has confirmed that fines will follow if the breaches are not fixed in a reasonable time. The ICO is assisted by the fact that investigation is unusually easy in the context of checking a cookie banner – just visit the website.
Taking a long-term view, cookie banners might be on their way out – the Data Protection and Digital Information (No. 2) Bill seeks to reduce the quantity of pop-ups and banners through which websites ask for users’ consent to cookies. The takeaway for now, however, is that failure to display a "reject all" button on cookie banners may incur the ICO’s wrath. In a recent interview with MLex, the ICO’s deputy commissioner Stephen Bonner warned “…if you don’t have 'reject all' on your top level [cookie banner], you are breaking the law.” Intense perhaps (especially given that many people simply click past cookie banners in annoyance), but it neatly illustrates the challenges in this area for businesses.
If you are seeking data protection advice for your business, please get in touch with our commercial and technology team.