It might be expected that a joint announcement in the depths of August from the ‘UK's independent body set up to uphold information rights’ and the UK Government authority ‘set up to make markets work well for consumers, businesses and the economy’ might fly under the radar.
And so it was with the recent announcement from the Information Commissioner's Office (ICO) and the Competition and Markets Authority (CMA) on the “Harmful design in digital markets: How Online Choice Architecture practices can undermine consumer choice and control over personal information.”
While most of the UK digital advertising industry was away for their summer break, much of the commentary was limited to social media sniping at the organizations’ own failure to live up to their own privacy design standards.
Five years hence
Since 2018, both the ICO and the CMA have been warning about the dangers of manipulative website design practices and the lack of transparency in the digital ecosystem that attempts to pull the wool over consumers' eyes. This new announcement continues to call on businesses to “stop using harmful design practices that could undermine people’s control over their personal information and lead to worse consumer and competition outcomes”.
The CMA is understandably more interested in the competition aspect of fair practices such as truth-in-advertising, and has already prosecuted some businesses for underhand subscription ‘traps’ or misleading ‘deal’ claims that have slanted the competitive playing field.
The ICO's interest is more focused, however, keen on ensuring that user consent interfaces are fair, clear and accurate. In particular, the blog makes clear that to avoid “distort[ing] users choices…a website’s cookie banner should make it as easy to reject non-essential cookies as it is to accept them”.
No real surprise here as GDPR Article 7(3) is pretty clear on the issue, “The data subject shall have the right to withdraw his or her consent at any time……It shall be as easy to withdraw as to give consent.” This has not changed in the UK GDPR, yet.
Most EU countries have already established positions on "Reject All" buttons and balanced design agreeing that that consent mechanism that emphasizes ‘agree’ or ‘allow’ over ‘reject’ or ‘block’ represents a non-compliant approach, as the online service is influencing users towards the ‘accept’ option.
Back in 2020, the Spanish DPA (AEPD) proposed different options for consent buttons or links, but emphasized they all must be given equal weight.
In 2021, French CNIL began enforcing updated guidelines on cookie compliance, giving poor design more attention.
Early in 2023, the CNIL-led Cookies Task Force noted that poor UX continues to be a problem.
In 2022, German supervisory authorities (DSK) approved Google offering a ‘Reject All’ cookie button within its products. This was in tandem with the DSK’s New Cookie Guidance.
This mandate will not be without pain for UK publishers.
According to Sourcepoint, the privacy software company, “some UK sites have already started testing the impact of adding a “Reject All” button. Based on these tests, websites can expect to see a “Reject All” rate of between 15-30%”
The ICO’s previously stated priority in this area, as laid out in their ICO25 paper, has been on the adtech industry to get their house in order when it comes to transparency, fairness and correct legal basis to process an individual’s data in the digital market, and in particular within Real Time Bidding (RTB). Since 2018, the ICO has called for industry input multiple times, produced reports, published updates to reports, complained about the complexity of the issue and ultimately done absolutely nothing.
So is this new initiative any different?
Whether another paper tiger or a genuine danger, there is a threat of enforcement action against bad actors. “If we don’t see improvements, the ICO will be taking enforcement action to protect people's data protection rights, particularly where design practices lead to risks or harms for people at risk of vulnerability.”
Many European Data Protection Authorities have already made publishers the target of their investigations. French publishers have received threatening letters, search warrants and had fines levied. Last year, Le Figaro was fined €50,000 after its website was discovered to be installing third-party advertising cookies without the users’ consent.
The ICO might now have finally understood that the easiest way to gain some sort of control of the RTB system is to focus on the fountainhead - the publishers. Rather than trying to marshall the diverse and complex RTB ecosystem, get the sources to take better care of their data. There is much work to do, but by getting publishers to actually care about how the data is collected, recorded, stored and distributed is, finally, a start.
As far as next steps, I would imagine the IAB UK will be stepping in on behalf of publishers to try and find a middleground with the ICO. In Germany, the IAB EU and German publishers collaborated with regional German DPAs to create an acceptable substitute, which involved presenting a 'Consent or Pay' notification. This notification offers users the option to either view the website with advertisements while granting consent or pay a subscription fee to access content ad-free. As of today, Sourcepoint estimates that more than 80% of news websites in Germany have implemented the Consent or Pay approach.
Without doubt, if the ICO does act against publishers they will go for the big names. There is the rumor of a list of high profile targets (top 100 UK publishers) already drawn up. Large UK publishers would be crazy not to double-check their setups. The ICO has been inconsistent and ineffective at best, but the way that some publishers have willfully chosen or haphazardly ignored both the letter and the spirit of the regulation would make them lambs to the slaughter.
They can’t say they haven’t been warned.