Is the cookie finally crumbling? ICO caution to UK websites on harmful online choice architecture
On 31 January 2024, the UK’s Information Commissioner’s Office (“ICO”) published an update on its progress working with some of the UK’s top websites to ensure they comply with data protection law. The ICO also warned other organisations they must take steps to proactively ensure their use of advertising cookies and similar technologies are compliant.
This update follows the publication of an open letter by the ICO (which can be found here), in which it wrote to the Data Protection Officers (“DPOs”) of 53 of the UK’s top 100 websites (based on active time spent by UK users) warning that they would face enforcement action if they failed to ensure their website users had fair choices over whether or not to be tracked for personalised advertising within 30 days (the “Call to Action”).
In its January update, the ICO confirmed that there has been an “overwhelmingly positive response” to the Call to Action, with 38 of the 53 organisations contacted correcting their cookie banners and a further four committing to reach compliance within a month. In addition, several others are working to develop alternative solutions, including contextual advertising (which allows advertisers to target ads based on the page, app, video, or audio content being consumed, or the context in which it is being consumed, by the user without the use of cookies) and subscription models (which encourage the user to subscribe or sign-up to receive content / advertising), and the ICO promises to provide further clarity on how these models can be implemented in compliance with data protection law (at the time of writing, we are still awaiting this update).
In the meantime, and most importantly, the key message from the ICO is:
“We will not stop with the top 100 websites. We are already planning to write to the next 100 – and the 100 after that.”
In this article, we discuss the background to the Call to Action and consider what steps companies in the gambling sector (including both operators and affiliates) can take to ensure their websites are compliant with data protection and other relevant laws.
Background to the Call to Action
In November 2023, the ICO issued a public statement confirming that in its view, some UK websites were not ensuring that it was as easy for users to ‘reject all’ advertising cookies as it was to ‘accept all’: a topic upon which the ICO had recently published guidance. See:
- joint blog from Stephen Almond, ICO’s Executive Director for Regulatory Risk and Will Hayter, the Competition and Markets Authority’s (“CMA”) Senior Director in the Digital Markets Unit: It’s time to end damaging website design practices that may harm your users; and
- the ICO’s joint position paper with the CMA: Harmful design in digital markets: How online choice architecture practices can undermine consumer choice and control over personal information,
both of which cited those recovering from gambling addiction as examples of consumers that may see unwanted advertisements for gambling, particularly if they are “steered to accept all cookies” and that this may “encourage them to gamble, in turn leading to financial loss and possible negative impact on their mental health”.
In the ICO’s November 2023 public statement, Almond further explained:
“We’ve all been surprised to see adverts online that seem designed specifically for us – an ad for a hotel when you’ve just booked a flight abroad, for instance. Our research shows that many people are concerned about companies using their personal information to target them with ads without their consent… Many of the biggest websites have got this right. We’re giving companies who haven’t managed that yet a clear choice: make the changes now, or face the consequences.”
and once again, cited the targeting of gambling addicts as an example of bad practice.
Accordingly, it seems clear that gambling advertising is a subject already firmly caught within the crosshairs of the ICO, but what exactly do gambling operators and their marketing affiliates need to do?
The Call to Action
On 19 December 2023 (four weeks after the warning was first published), the ICO decided to publish a template version of its Call to Action letter to DPOs, to enable other UK website operators to understand its concerns, and proactively take action to address potential areas of non-compliance.
In the Call to Action letter, the ICO confirmed that it had assessed the relevant website’s cookie banners against three areas of concern:
- Non-essential advertising cookies are placed before the website user has the opportunity to provide consent
This concerns instances where non-essential advertising cookies are placed either without any consent from users completely or before consent is requested. In each case, the ICO considers that this is unlikely to comply with consent requirements under the Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”) and the UK retained EU law version of the General Data Protection Regulation (“UK GDPR”) because the user’s personal data would be processed without / before they had given valid consent.
- Users can reject non-essential advertising cookies as easily as they can accept them
Some website operators display cookie banners with a button allowing users to immediately consent to all cookies (i.e. an ‘Accept All’ button that provides consent in one click), but do not incorporate a similar (i.e. equally prominent) mechanism for the user to refuse the placement of non-essential cookies as easily or in one click. The ICO’s concern is that, without such a mechanism, any consent obtained by a user clicking ‘Accept All’ on the cookie banner cannot be regarded as having been freely given, specific or informed (requirements for valid consent under the UK GDPR) in relation to each processing activity. Failure to obtain valid consent to the placement of non-essential marketing cookies and thus the processing of personal data, is unlikely to comply with PECR and UK GDPR.
- Non-essential advertising cookies are placed even if the user did not consent to such cookies
Lastly, the ICO assessed whether website operators respect the choices of their users. In the ICO’s view, placement of non-essential advertising cookies and/or processing of personal data obtained via such cookies, in circumstances where the user has previously indicated that such cookies should not be placed, is unlikely to comply with PECR and UK GDPR.
Website operators were given one month to bring their website’s cookie banner into compliance or respond to the ICO, setting out: (a) the steps they plan to take; (b) why they are unable to take those steps within one month; and (c) the expected timescale for the implementation of those steps.
The Call to Action confirmed that the ICO would conduct a further assessment of the cookie banners on the recipient’s website in one month’s time to establish whether steps had been taken to improve compliance with PECR and UK GDPR.
Online Choice Architecture
As noted above (and in the Call to Action), on 9 August 2023 the ICO published a joint position paper with the CMA, which considered how online choice architecture (“OCA”) (i.e. the way information is presented and choices are structured online) could lead to data protection, consumer and competition harms.
The OCA position paper helpfully gave examples of OCA practices that the ICO and CMA jointly considered had the potential to harm consumers and explained how such practices could breach applicable laws including PECR, UK GDPR, and UK consumer protection laws including the Consumer Rights Act 2015.
Of relevance to the Call to Action, are the examples provided by the ICO / CMA in the OCA position paper, of “harmful nudges and sludge” techniques:
- Harmful nudges (also called dark nudges): being when an organisation makes it easy or ‘nudges’ users to make inadvertent or ill-considered decisions; and
- Sludge: being when an organisation creates unnecessary or unjustified friction or ‘sludge’ making it difficult for users to get what they want or do as they wish on the website.
The ICO and the CMA are concerned that the use of such techniques could encourage consumers to make choices they would not otherwise have made and that do not align with their best interests or preferences. This may include selecting less privacy-enhancing choices when personalising their privacy settings (e.g. by accepting all cookies including non-essential advertising cookies), thus allowing the organisation to process (and / or share) their personal data in ways that a user may not have intended or, in the absence of harmful nudges and sludge, have indicated to the organisation.
In the ICO’s view, use of these techniques is:
- likely to infringe on Article 5(1)(a) of the UK GDPR, which requires that personal data is “processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’)”; and
- in turn, likely to breach Regulation 6 of PECR, which requires that users are: (a) provided with clear and comprehensive information about the purpose of cookies and; (b) given the opportunity to refuse them. In the ICO’s view, this means being given the opportunity to refuse non-essential cookies with the same ease as they can be accepted (e.g. by providing a ‘Reject All’ option as well (and as equally prominently) as an ‘Accept All’).
The CMA is additionally concerned that harmful nudges and sludge may confer a competitive advantage to certain large platforms; and inhibit entry and expansion by smaller businesses.
Next steps
The ICO has stated that it will continue to “steadily” work through its list of UK websites and advises all organisations to take action to become compliant now.
We therefore strongly recommend that DPOs of those in the gambling industry review their organisation’s mechanisms for obtaining consent to personalised advertising, including consents obtained via cookie banners, proactively to ensure these comply with data protection, consumer and competition laws. This applies to gambling operators and affiliates alike; not least because:
- Gambling Commission licensees
Gambling Commission licenses are required by social responsibility code 5.1.6 of the Licence Conditions and Codes of Practice (“LCCP”) to ensure that all marketing of gambling products and services is undertaken in a socially responsible manner.
Failure to obtain valid consent to the processing of personal data, particularly that used for marketing, may therefore be considered a breach of the LCCP and lead to enforcement action by the Gambling Commission.
It is also worth noting that any enforcement action taken by the ICO / CMA against such companies would likely also attract the interest of the Gambling Commission; and
- Marketing affiliates
Even though affiliates are not themselves regulated by the Gambling Commission, the licensed operators with whom they do business are, and accordingly:
-
- will be held responsible under social responsibility code 1.1.2 of the LCCP for the actions of third parties (such as affiliates) relating to the provision of marketing of licensed gambling; and
- are required to ensure their contracts enable them to terminate if, in their reasonable opinion, the third party is in breach of contract or has otherwise acted in a manner that is inconsistent with the licensing objectives.
Any enforcement action against affiliates by the ICO / CMA could therefore jeopardize affiliates’ relationships and potentially lead to the termination of their contracts with licensed British gambling operators.
In addition to reviewing cookie consent practices, we also suggest that DPOs consider whether any of the other examples of harmful OCA in the ICO / CMA position paper, including ‘confirm shaming’, ‘biased framing’, ‘bundled consent’ and ‘default settings‘, are being used by their organisation. It is likely that future ICO / CMA enforcement action will centre on such techniques and, in the case of bundled consent, this is already subject to a recently closed Gambling Commission consultation. For further discussion, please see our recent blog: White Paper Series: Direct marketing and cross-selling in the crossfire.
For the meantime we, along with the industry, await to see whether formal ICO enforcement action will be taken against any bad actors. It will also be very interesting to hear the ICO’s views on contextual advertising and subscription models – we will write a further blog if we consider these of key relevance to the gambling sector.
Please get in touch with us if you have any questions regarding harmful OCA, data privacy and / or consumer protection compliance for gambling businesses, or if you require any other assistance.
With thanks to Chris Biggs for his co-authorship.