Out-Law News 1 min. read

ICO warns organisations over need for ‘reject all’ cookies option


Organisations have been urged to address the risks arising where they operate with non-compliant ‘cookie banners’ following recent comments made by a senior UK regulator.

Data protection and privacy law expert Rosie Nance of Pinsent Masons said Stephen Bonner, deputy commissioner responsible for regulatory supervision at the Information Commissioner’s Office (ICO), could not have been clearer about the options organisations need to offer in the first layer of their cookie banners.

In an interview with MLex, Bonner warned that organisations that fail to give website users an immediate option to ‘reject all’ when presenting them with cookie banners risk enforcement action.

“If you don't have ‘reject all’ on your top level [cookie banner], you are breaking the law,” Bonner said, according to MLex.

Bonner said the ICO is scrutinising compliance in this area. He said the ICO would likely “move through a set of regulatory interventions” with organisations before it would issue fines, but warned that the authority would “absolutely issue fines” if organisations fail to take the issue seriously and “fix” compliance failings.

Nance said: “Setting up a cookie banner can be really tricky. Making sure all cookies are categorised and reflected correctly is not straightforward, and there are some areas where regulatory guidance may leave room for questions. However, the need for a ‘reject all’ button in the first layer isn’t one of them.”

“The ICO has been consistent in emphasising the need for a button allowing users to reject cookies alongside the button to ‘accept’. Now they are making it clear that they will pursue enforcement for organisations that don’t include it,” she said.

“This is not an area that requires investigation to spot non-compliance, meaning the risk of data subject complaints and regulatory action is high. Regulators can see at a glance whether a cookie banner includes a ‘reject all’ button. This is something that can even be monitored automatically. Max Schrems’ pressure group, noyb, has already submitted over 700 complaints to European regulators after scanning for banners without a ‘reject all’ button,” Nance said.

Cookies are small text files placed on an internet user's device. They are generated by a web page server, which is basically the computer that operates a website. The information the cookie contains is set by the server and it can be used by that server whenever the user's device interacts with the site.

Websites use cookies mainly because they save time and make the browsing experience more efficient and enjoyable. Cookies also enable websites to monitor their users' web surfing habits and profile them for marketing purposes.

UK, and EU, legislation requires website operators and other information society service providers to obtain internet users' consent to the use of cookies, other than those that are strictly necessary cookies, and to provide users with information about how to manage and delete cookies.

We are processing your request. \n Thank you for your patience. An error occurred. This could be due to inactivity on the page - please try again.