UK ‘cookie law’ enforcement not dependent on complaints

Malcolm Dowden of Pinsent Masons was commenting after an information rights tribunal confirmed that the ICO is not precluded from taking enforcement action against businesses under the Privacy and Electronic Communications Regulations (PECR) in cases where no complaints have been lodged with it about the business’ practices.

In the case before it, the first-tier information rights tribunal (FTT) considered an appeal raised by Join the Triboo (JTT) against enforcement action the ICO took against it in April 2023. The ICO fined JTT £130,000 after it found it had sent unsolicited emails for direct marketing purposes, in breach of PECR rules, over a period spanning just over a year, in 2019 and 2020.

JTT’s practices came to the ICO’s attention during an investigation the ICO was undertaking into another business, Leads Work Limited (LWL). LWL identified JTT as a source of data it used for its own unsolicited direct marketing email activity. The ICO subsequently undertook an “own initiative” review of JTT’s websites and launched a separate investigation into JTT’s non-compliance with PECR.

The fact that no complaints were made to the ICO by individuals who received emails from JTT formed a core component of JTT’s appeal. The company argued, among other things, that it reinforced its argument that it was not responsible for a PECR breach since “individuals knew what they were signing up for and chose to sign up”. However, the FTT rejected the premise of that argument. It said: “The fact that no complaints were made is not, we find, relevant to the question of whether or not there has been a breach of PECR.”

The FTT confirmed, though, that the lack of complaints is relevant to the level of penalty that businesses might face if they are found to have breached PECR.

“The fact that there are no complaints, is of some relevance,” it said. “If there had been a large number of complaints we would have seen this as evidence of a very significant level of intrusion into people’s privacy, which would have been an aggravating factor. That is not present in this case.”

Dowden said the case is the latest example of the ICO opening own initiative investigations into compliance with information laws. In February, the ICO announced enforcement action against a leisure centre operator under the UK’s Data Protection Act in respect of its use of facial recognition technologies. The ICO’s investigation in that case was prompted by a referral one of its own employees made to its investigations unit after they observed the company’s use of the technology during a personal visit to a leisure centre the company operated.

“The ICO is intent on expanding its ability to proactively investigate compliance with data protection and PECR rules by harnessing the potential of artificial intelligence (AI),” Dowden said.

“In January, the ICO indicated that it is ‘developing an AI solution to help identify websites using non-compliant cookie banners’. The ICO said at the time that it planned to run a ‘hackathon’ event to explore what the AI solution might look like in practice. While its use of the AI tool at this stage therefore remains aspirational, it is clear that PECR enforcement remains a priority issue for the ICO,” he said.