ICO admits its own cookie policy is non-compliant with GDPR

The regulator responsible for data protection laws says a website upgrade will arrive next week

The organisation in charge of regulating UK data laws has confirmed it will be making changes to its cookie policy following complaints that its site was storing data without user consent.

The Information Commissioner's Office has admitted that its current consent notice relating to the use of cookies on devices failed "to meet the required GDPR standard".


The issue relates to the automatic placing of cookies on a user's mobile device when accessing the ICO's website, which one complaint argued was in breach of the Privacy and Electronic Communications Regulations 2003, which sits alongside GDPR.

Article 6 of these regulations prohibits the storage of, or access to, information held on a user's device unless explicit consent is given; the argument is that because these cookies were set automatically, users had no opportunity to reject them.

In an email shared on Twitter, a spokesperson responding on behalf of the ICO's DPO said: "I acknowledge that the current cookies consent notice on our website doesn't meet the required GDPR standard."

"We are currently in the process of updating this to align our use of cookies to the GDPR standard of consent and we will be making amendments to this information during the week commencing 24 June."

The regulator has since confirmed this in an email to IT Pro.


Given that the upgrade work has largely gone unnoticed by the wider community, the admission that its policy was not compliant with GDPR has drawn the ire of industry experts, who claim the watchdog is unable to follow its own advice.

A page explaining its approach to data gathering says the ICO relies on the implied consent of users, but that changes are being made to upgrade to the latest version of its Civic Cookie Tool, a tool that requires explicit consent by default, including for non-necessary cookies. The latest version is said to offer provisions for the use of cookies on devices, but the watchdog has yet to upgrade.

A spokesperson for Civic UK confirmed to IT Pro that the planning and implementation of the tool had been left entirely to the ICO, and that the latest version would make the regulator compliant with GDPR cookie laws.

Carl Gottlieb, data protection officer for Hudl and Duolingo, told IT Pro that it was rare to see a regulator admit to its mistake, but that a lack of clear guidance on cookie laws is creating confusion across the industry.


"I believe it was in May 2018 that the ICO stated they would be moving to the new version of the Civic cookie consent tool, but there has since been no evidence nor mention of this happening," said Gottlieb.

"It's unclear what infringement the ICO are admitting to here, and whether this is an official ICO stance or just one lone caseworker's opinion. It is certainly surprising to see a regulator openly apologise."

In an inspection by the European Data Protection Supervisor (EDPS) into the websites of ten major EU institutions and public bodies, it was found that seven contained data protection or privacy issues and were either non-compliant with the ePrivacy Directive or failed to follow EDPS guidelines. These included the websites for the European Data Protection Board, the body responsible for overseeing the implementation of GDPR across the EU, and the International Conference of Data Protection and Privacy Commissioners.


"At the heart of this issue is the lack of clear rules on cookie compliance," said Gottlieb. "For example, the ICO and the law firm FieldFisher both follow the EU 2012 opinion that anonymous Google Analytics does not require consent, but merely an opt-out. Potentially this opinion would be unchanged within the GDPR era."

"Unfortunately many are ignorant of this EU opinion or disagree with its merits and thus take a stricter line on compliance. We have a state of confusion amongst data protection experts which makes compliance a huge problem for anyone operating a website."

"The bigger problem is a lack of regulatory enforcement against cookie compliance breaches," added Gottlieb. "Until we see some action, website operators can continue to freely ignore the rules with no consequence."
