Cracking down on cookies 2.0: Latest complaints and regulatory actions
This blog post provides an update on the latest developments in cookie complaints and regulatory enforcements following our previous blog post on the surge of cookie-related complaints and the consequential regulatory enforcement actions by data protection authorities ("DPAs") in the UK and EU.
For the purposes of this blog post, cookies and similar technologies are collectively referred to as "cookies".
ICO's efforts in enforcing cookie compliance
In an effort to enforce website cookie compliance, the ICO wrote to 53 of the UK's top 100 websites in November 2023, warning them of potential enforcement actions should they fail to change their practices regarding the use of non-essential advertising cookies without user consent. Some of the ICO's concerns highlighted in the letter included the absence of cookie banners on websites, the placement of non-essential advertising cookies before obtaining user consent, and the difficulty for users to reject non-essential advertising cookies as easily as they can accept them (i.e., the lack of a "Reject All" option on the first layer of the cookie banner).
Following its letter, the ICO reported in March 2024 that there was a commendable 80% success rate among the 53 organisations, with many updating their cookie banners to ensure compliance. Others are considering different approaches, such as contextual advertising and subscription models. The ICO is expected to announce further enforcement actions against non-compliant organisations.
Ongoing cookie complaints campaigns
Since our last report, NOYB (the non-profit privacy advocacy organisation founded by Max Schrems) has, since September 2022, filed a further 15 complaints with the Belgian DPA against companies for non-compliant cookie banners on their websites. To date, two organisations have revised their cookie banners.
Regulatory enforcement
DPAs across the EU have seemingly responded to the increase in complaints from data subjects and privacy activists by increasing regulatory enforcement action in relation to unlawful cookie practices. We have set out below a summary of the recent fines issued by DPAs across the EU:
- Betting companies: On 22 April 2024, the Croatian DPA ("AZOP") imposed fines of €15,000 and €20,000 on companies operating in the gambling and betting sector, respectively, for unlawfully processing personal data through cookies. In particular, the AZOP found that the two companies collected and processed personal data through cookies without providing data subjects with sufficient information and without enabling them to clearly give consent for different purposes.
- Yahoo!: On 29 December 2023, the French DPA ("CNIL") imposed a fine of €10 million on Yahoo! for violating French data protection laws relating to cookies. In particular, the CNIL found that Yahoo!'s website deposited approximately twenty advertising cookies on a user's device without obtaining consent, and that Yahoo! did not allow users to withdraw their consent freely while still maintaining access to their messaging service.
- NS CARDS FRANCE: On 29 December 2023, the CNIL imposed a fine of €105,000 on NS CARDS FRANCE (an online payment voucher company) for various data protection breaches. In particular, the CNIL's investigation revealed that NS CARDS FRANCE had failed to comply with the rules on cookies by depositing Google Analytics cookies (used for advertising and analytical purposes) on a user's device without consent.
What should organisations be thinking about?
In light of the above, in particular the ICO's recent efforts in enforcing website cookie compliance, organisations should assess their own website cookie banners for compliance and take steps to address any deficiencies.
Given the significant risk of enforcement action for failure to comply, we encourage organisations to take proactive steps, including to:
- Review website cookie banners to ensure compliance with the law and the guidelines set out in our previous blog post;
- Audit the cookies used on websites and take steps to accurately classify such cookies in line with recognised guidance;
- Ensure that cookie policies are accurate, up-to-date and provide sufficient information to enable users to make informed choices relating to cookie preferences and privacy settings; and
- Keep in mind that the cookie regulations do not just apply to cookies and will apply to all similar technologies that store or gain access to information stored in a user's device, e.g., gifs and tracking pixels.