Cookies and Dark Patterns: UK ICO Warns Top Publishers of Coming Enforcement

Disclaimer: The information and examples provided here are for informational purposes only and are not meant as legal advice. 

On 21 November 2023 the UK’s Information Commissioner’s Office (ICO) announced that it had issued a final warning to Britain’s top websites about bringing their cookie practices into compliance with the UK’s rules.

  • On 15 November 2023, the ICO sent letters to an unknown number of the top 50 UK publishers warning that they face enforcement action.
  • The ICO feels that these websites do not give their users a fair and transparent choice over whether or not to be tracked and profiled for personalized advertising. 
  • Specific concerns revolve around the (misleading) presentation and (lack of) efficacy of cookie consent banners. 
  • The ICO is giving publishers 30 days to ensure their websites comply or face consequences ranging from public embarrassment to fines.

The ICO is responsible for promoting and enforcing the UK’s adaptations of the European Union’s General Data Protection Regulation (UK GDPR) and of the ePrivacy Directive, namely the Privacy and Electronic Communications Regulations (PECR).

Together, UK PECR and GDPR establish a legal framework for legitimizing the ubiquitous processing of UK users’ data across a complex online advertising ecosystem.  

We expect to hear from the ICO in mid-January 2024, with details of companies that have not addressed the ICO concerns.

Background

PECR, like ePD, regulates the use of cookies and similar tracking technologies, which include pixels, JavaScript tags, local storage objects, system-generated or synthetic online identifiers, and in some cases tracking URLs. (Note that "cookies" is oftentimes used as an inclusive shorthand for all of these analogous and complementary technologies.)

Website publishers are required to provide users clear information about the tracking technologies being utilized and obtain users' informed, specific and freely-given consent before data can be stored on or accessed from the browser or device.

How such consent should be requested and then manifested by users has been the subject of evolving regulatory guidance since 2009. A ‘modern’ conceptualization of how cookie consent interfaces should look and behave reached a general pan-European consensus as of 2020.

Notable milestones include: 

Youtube’s updated consent banner. Source: Google

ICO’s warnings and letters

Previous efforts by the ICO to regulate the digital marketing industry have been wide-ranging but limited to guidance reports, with a conspicuous absence of any tangible enforcement threat. The ICO has now upped the ante, focusing on publishers to ensure a more transparent digital publishing ecosystem.

Behind the scenes, there has been a recognition that the publishers are the source and provenance of the data across the ecosystem, and that the best place to start in ensuring transparency across the industry is to regulate the “tap.”

On 15 November 2023, the ICO sent letters to publishers operating the UK's top 100 websites, warning that they face enforcement action if they do not make the necessary changes to their cookie consent banners.

  • The ICO feels that these websites do not give their users a fair and transparent choice over whether or not to be tracked for personalized advertising. 
  • It is clear that ICO are particularly concerned about the potential risks to vulnerable groups, so any enforcement levels will probably be decided on a risk basis. 

The watchdog is giving publishers 30 days to ensure their websites comply with the law or face consequences.  It seems that these consequences will be ‘naming & shaming’ in the first instance, but with the threat of stronger enforcement penalties after that.

We expect ICO to provide further details and the names of websites that have not remediated ICO’s concerns sometime in mid-January of 2024.

Harmful design dark patterns

The ICO and CMA have been collaborating to provide a coherent approach to data protection & competition across digital publishing. The issue of fairness, transparency, meaningful control and effective choice for digital users is a strategic priority for both. 

(Read our recent article covering the UK’s ICO and CMA partnership, here.)

Although the joint Online Harms guidance highlights the risks evident today, both authorities have signaled that, as technology advances, the potential risks will become much more significant.

The cookie banner dark patterns highlighted by the ICO and CMA, as well as by CNIL France, tend to do one or more of the following:

  1. Pestering. What ICO calls “nudging and sludging” is when a cookie banner continues to follow a user around a site until the user relents and accepts. In those cases, consent cannot truly be called freely given. 
  2. Influencing. What ICO calls “biased framing” (also, ‘preferred choice’) is where button placements, text and color schemes nudge users towards accepting trackers. A common example is having a large “accept” button and a small “X” off to the side. 
  3. Undermining. What CNIL calls “inaccurate classification” (also, ‘exemption stuffing’ when malicious) is where marketing and analytics trackers are discreetly reclassified as “essential” to a site’s technical operations and are therefore activated irrespective of consent.
  4. Ignoring. What ICO, CNIL and other regional regulators discuss as a below-the-surface problem: consent management tools that do nothing in response to user choices. ICO notes that organizations must “test and trial” their online choice designs to ensure compliance.  

Examples of preferred choice. Source: UK ICO

ICO’s compliance expectations

The ICO is asking websites to:

  1. Ensure that advertising and related tracking technologies do not activate and cookies are not stored or accessed before user consent.

    The ICO has requested that all non-essential trackers do not activate before consent is given.  In line with the pan-EU regulatory consensus, advertising related performance measurement and functionality cookies must also be placed behind consent.  It is not yet clear whether ICO will be inclined to make any nuanced distinctions in the future. Additionally, as currently written, the Data Protection and Digital Information Bill (which modifies PECR), does not offer exemptions for such tracking. 
  2. Ensure that user choices to withhold or withdraw their consent are honored in practice.

    Publishers will need to ensure that their consent management platforms (CMPs) are functionally effective. In many cases this will include calibrating their global tag management tools to work in concert with the CMPs, so that pixels/tags, and not just cookies, can be controlled based on a website visitor's actions (i.e. granting global or more granular consent) and inactions (i.e. withholding consent).
  3. Present a clear and equal ‘Reject All’ option on the first layer of the banner.

    Probably most significantly for digital publishers, designs and underlying choice architectures must ensure that it is as easy for users to “Reject All” non-essential trackers as it is to “Accept All” of them. In this light, ICO has taken up the coalesced European view that a banner’s first layer must offer equal Accept and Reject options, and not bury the Reject option in the second layer’s preference center.  This interpretation seeks to clarify ICO’s prior guidance that cookie notices must “be in an intelligible and easily accessible form, using clear and plain language” and “allow the individual to withdraw their consent at any time.”

The equality between the consent choices has already been enforced in many EU countries, and now it will be in the UK. 

Although the ‘Reject All’ button mandate can be interpreted in a few different ways, research has indicated that publishers could expect to lose up to 50% of consented traffic under the purest form of the choice. ICO is inclined to view this as the cost of doing compliant business in the UK, a business issue that may need to be re-evaluated by the CMA and their competition counterparts in the EU.

Over the coming days, many UK publishers will be searching for greater detail and ‘wiggle room’ from the ICO.  

The Association of Online Publishers (AOP) and the Internet Advertising Bureau (IAB) are expected to work alongside publishers to engage the ICO around interpretations, timings and further guidance.

In the end, it is evident that the industry is going to have to fall in line with what the ICO is mandating. The 30-day cure period for notified publishers and the mid-January timeline should therefore be taken as the only grace period being afforded to the industry. Publishers should use it to:

  1. Audit your websites. PECR, like ePD, concerns cookies and similar tracking technologies that commonly include tracking pixels and tags. It is critical to understand which tracking technologies are authorized to collect data on your site, the kinds of personal, sensitive personal and non-personal data being transmitted, and the business reasons for such transmissions. (Remember: ICO is specifically concerned about the unlawful tracking of children and other vulnerable groups.)
  2. Review your pixel/tag/cookie classifications. Technologies must be assessed based on their expected vs actual functionality. Pixels/tags/cookies not ‘essential’ to delivering a secure and operational website must be made subject to the CMP’s gatekeeping policies. (Note: at this time there are no recognized exemptions for advertising related measurement cookies. This impacts attribution reporting for personalized and non-personalized ads.)
  3. Review UX templates. Banner layouts, instructions, buttons and color schemes may not confuse, mislead or manipulate users into consenting. While the analysis is necessarily subjective, the overarching goal is to provide users with clear and equal options. It should be as easy for users to withhold or withdraw their consent as it is to give it. (For older but nonetheless instructive examples addressing white vs dark design patterns, see the IAPP’s 2017 UX Guide to Getting Consent.)
  4. QA your CMP and tag manager updates. Consent banners that appear to be working on the front-end may not be behind the scenes. Are the banner and preference center easy to use? Are instructions and buttons clear? Are non-essential pixels/tags actually blocked by default and gatekept depending on the user’s granular choices, if any? Are data flows suppressed? Are audit logs recorded? 
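The following is an added example, not code from the ICO, CNIL or this article, that models the mechanics behind compliance expectation 2 (the CMP and tag manager working in concert so that pixels and tags, not just cookies, are gated on the visitor's actions and inactions) and behind steps 2 and 4 above (classification review and QA). The tag registry, tag names, purposes and the keyword heuristic are all constructed for illustration; a real site would populate the registry from its own audit.

```javascript
// Added example (constructed; not code from the ICO, CNIL or the original article).
// Models a consent gate between a CMP and a tag manager: nothing non-essential fires
// before a positive choice, and tag classifications are checked rather than trusted.

// Hypothetical tag registry for a fictional site. 'category' is what the publisher
// has classified the tag as; 'purpose' is what it actually does.
const TAG_REGISTRY = [
  { id: 'session-cookie',         category: 'essential',   purpose: 'login session' },
  { id: 'fraud-check-script',     category: 'essential',   purpose: 'bot detection' },
  { id: 'analytics-pixel',        category: 'analytics',   purpose: 'page view measurement' },
  { id: 'ad-attribution-pixel',   category: 'essential',   purpose: 'ad campaign attribution' }, // misclassified
  { id: 'ad-personalisation-tag', category: 'advertising', purpose: 'profiling for targeted ads' },
];

const NON_ESSENTIAL_CATEGORIES = ['analytics', 'advertising'];

// Constructed keyword heuristic for the "inaccurate classification" pattern: purposes
// that cannot be essential to a secure, operational website, whatever the label says.
const NON_ESSENTIAL_PURPOSE_WORDS = ['advert', 'attribution', 'measurement', 'profiling', 'targeted'];

function findMisclassifiedTags(registry) {
  return registry
    .filter((tag) => tag.category === 'essential')
    .filter((tag) => NON_ESSENTIAL_PURPOSE_WORDS.some((w) => tag.purpose.toLowerCase().includes(w)))
    .map((tag) => tag.id);
}

// The gate a tag manager consults before loading any tag. No recorded choice
// (choice === null) means every non-essential tag stays blocked.
class ConsentGate {
  constructor(registry, loader) {
    this.registry = registry;
    this.loader = loader;   // called with a tag once it is permitted to fire
    this.choice = null;     // per-category booleans once the user has acted
    this.fired = [];
    this.auditLog = [];
  }

  init() { this.applyChoice(); this.record('page-load'); }

  acceptAll() { this.setChoice(this.uniform(true), 'accept-all'); }
  rejectAll() { this.setChoice(this.uniform(false), 'reject-all'); }
  withdraw()  { this.setChoice(this.uniform(false), 'withdraw'); }

  // Preference-centre choice, e.g. { analytics: true }. Unmentioned categories are withheld.
  setGranular(partial) {
    const choice = this.uniform(false);
    for (const c of NON_ESSENTIAL_CATEGORIES) if (partial[c] === true) choice[c] = true;
    this.setChoice(choice, 'granular');
  }

  uniform(value) {
    return Object.fromEntries(NON_ESSENTIAL_CATEGORIES.map((c) => [c, value]));
  }

  setChoice(choice, action) {
    this.choice = choice;
    this.applyChoice();
    this.record(action);
  }

  isPermitted(tag) {
    if (tag.category === 'essential') return true;
    if (this.choice === null) return false;      // no action yet: blocked by default
    return this.choice[tag.category] === true;   // explicit refusal or omission: blocked
  }

  // Fire each newly permitted tag exactly once. Withdrawal cannot unload a tag that has
  // already run in this page view; it only stops further loads, which the audit log shows.
  applyChoice() {
    for (const tag of this.registry) {
      if (this.isPermitted(tag) && !this.fired.includes(tag.id)) {
        this.fired.push(tag.id);
        this.loader(tag);
      }
    }
  }

  record(action) {
    this.auditLog.push({ action, choice: this.choice && { ...this.choice }, fired: [...this.fired] });
  }
}

// QA check: given the tag ids observed firing (e.g. captured by a proxy during a test run
// made before any banner interaction), report everything that should not have fired:
// non-essential tags, unknown tags, and 'essential' tags the heuristic disputes.
function tagsFiredBeforeConsent(registry, observedIds) {
  const byId = new Map(registry.map((t) => [t.id, t]));
  const disputed = new Set(findMisclassifiedTags(registry));
  return observedIds.filter((id) => {
    const tag = byId.get(id);
    return !tag || tag.category !== 'essential' || disputed.has(id);
  });
}

// Walk one page view through the user actions the text describes and snapshot what fired.
function runScenario() {
  const fired = [];
  const gate = new ConsentGate(TAG_REGISTRY, (tag) => fired.push(tag.id));
  const snapshot = () => [...fired];
  gate.init();                            const afterLoad = snapshot();
  gate.rejectAll();                       const afterReject = snapshot();
  gate.setGranular({ analytics: true });  const afterGranular = snapshot();
  gate.acceptAll();                       const afterAccept = snapshot();
  return { afterLoad, afterReject, afterGranular, afterAccept, auditLog: gate.auditLog };
}

console.log(JSON.stringify(runScenario(), null, 2));
console.log('misclassified:', findMisclassifiedTags(TAG_REGISTRY));
```

The gate does exactly what the registry tells it: on page load the misclassified attribution pixel fires alongside the genuinely essential tags, and "Reject All" cannot undo that. This is why the classification review (step 2) has to precede the QA run (step 4), and why the QA check here disputes the label rather than trusting it.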

For a rounded approach in the UK and European Economic Area, clients are encouraged to review the ICO’s guidance alongside the recommendations by CNIL France. The CNIL leads the EDPB’s Cookies Taskforce and is influential in shaping European ‘working law’ concerning cookies and similar technologies.

Compliant banner examples

First layer

Second layer

Conclusion

The UK ICO and CMA have signaled in no uncertain terms that their patience is wearing thin with website publishers who do not:

  • Meet the objectives of data and consumer protection where user choice and control form the legal justification for data processing, particularly if that data is personal;
  • Provide users with online interfaces and design choices that are clear, easy to use and effective; and, specific to targeted advertising data use cases,
  • Disable non-essential cookies until the user takes a positive action free of unfair UX-based influences or other forms of exploitation and manipulation.

The timing of ICO’s enforcement sweep and the 30-day cure period for contacted websites mean that at least some remediation work will need to be prioritized ahead of winter holiday office closures and code freezes.

Please let us know if you are interested in discussing this development further by contacting your engagement manager or emailing us at hello@lucidprivacy.io.