UK regulator demands websites let users ‘Reject All’ cookies

Britain’s data protection regulator has warned some of the country’s most visited websites that they risk being fined unless they stop coercing visitors into accepting advertising cookies.

The Information Commissioner’s Office (ICO) announced on Tuesday that the top websites in the United Kingdom had 30 days to comply with the country’s privacy laws or they would “face the consequences.”

The issue is how these websites allow people to opt-out of advertising cookies, with the ICO saying they had a legal duty to make it as easy to “Reject All” advertising cookies as to “Accept All.”

It follows France’s data protection authority, the CNIL, issuing TikTok with a €5 million (about $5.4 million) fine in January because the cookie banner on its website offered a single-click option to accept all cookies, but not a single-click option to refuse them.

Recorded Future News noted at the time that the British regulator was not applying the same standards, even though the underlying laws were identical. The ICO did not respond to questions in January about its enforcement.

Numerous popular websites in the United Kingdom — including for The Times and The Guardian — do not provide a single-click option to refuse cookies. Instead, the cookie banner on those websites redirects users to a settings page:

The ICO’s guidance on the matter was subsequently published in August, although the existing rules were already available on its site.

Stephen Almond, the watchdog’s executive director of regulatory risk, said: “We’ve all been surprised to see adverts online that seem designed specifically for us – an ad for a hotel when you’ve just booked a flight abroad, for instance.

“Gambling addicts may be targeted with betting offers based on their browsing record, women may be targeted with distressing baby adverts shortly after miscarriage and someone exploring their sexuality may be presented with ads that disclose their sexual orientation,” warned Almond.

The ICO said it will provide an update on its work to tackle offenders in January, “including details of companies that have not addressed our concerns.”

Cookie consent pop-ups have become an industry tactic to cope with the European Union’s ePrivacy Directive and its General Data Protection Regulation (GDPR), which were intended to empower the bloc’s citizens to withdraw their consent from being tracked and profiled across the web by advertisers.

Although the United Kingdom has left the European Union, the same legislation currently remains in place.

The directive requires websites to withhold all marketing cookies and trackers from users’ browsers until they have received explicit permission from those users. Sites are not allowed to pre-tick boxes or ‘consent toggles’ to make it easier to consent than to decline to cookies, although in practice this is rarely followed.

There is an exemption for “strictly necessary” or functional cookies — for instance ensuring page content loads quickly, counting visitors (without profiling them) and remembering the items that online shoppers have placed in their baskets.