Cookies and Dark Patterns: UK ICO Warns Top Publishers of Coming Enforcement

Ben Spencer
Content Ignite
Published Nov 27, 2023

Summary

This assertive move by the ICO signifies that their patience is running thin with the digital marketing industry. They have tried the ‘guidance’ route without success, and now it’s time for sterner enforcement action.

Although the threat of enforcement is against all publishers, their focus in the first instance is the largest UK publishers. The secondary targets for the ICO are websites that would deal with vulnerable groups. For instance, websites aimed at children, promoting gambling or other sensitive topics will be in focus.

In any case, all publishers have a responsibility to maintain trust and transparency with their web visitors, and to fall into line with the ICO’s interpretation of the regulations (UK GDPR, PECR and UK DPA).

Recommendations

Content Ignite recommends that all publishers carry out a cookie audit on their sites to ensure that:

1. No advertising cookies are fired before consent.

2. The Reject All function is working on the CMP.

3. Every publisher maintains a clear inventory of all cookies firing, and there is an established regular audit.

4. The CMP interface is fair, and free from ‘dark patterns’ designed to drive consent. A Reject All button would now seem a requirement on the first layer.

5. This ICO action, the deprecation of the 3rd party cookie and the introduction of Google’s Privacy Sandbox in 2024 should encourage all publishers to be investigating new privacy-centric monetisation strategies, whether it be greater contextual targeting, new ID solutions or privacy enhancing technologies.

For any related questions, reach out to the Content Ignite team. We are a ‘Privacy First’ business and have in-house expertise on hand to help publishers navigate the complexities of privacy.

Background

Over the years, the ICO has engaged with the digital marketing industry, publishing guidance for the Adtech and Real Time Bidding (RTB) ecosystem, and on the use of cookies and similar technologies.

In August 2023, the ICO published further guidance on Harmful Designs in digital marketing in partnership with the Competition and Markets Authority (CMA).

The two authorities are collaborating to provide a coherent approach to data protection & competition across digital publishing. The issue of fairness, transparency, meaningful control and effective choice for digital users is a strategic priority for both.

ICO Letters & Enforcement

Previous efforts by the ICO to regulate the digital marketing industry have been wide ranging, but limited to the guidance reports. There has been a conspicuous absence of any tangible enforcement threats.

The ICO have now upped the ante by focussing on publishers. Behind the scenes, there has been a recognition that the publishers are the source and provenance of the data across the ecosystem, and the best place to start to ensure transparency across the industry is to regulate the “tap.”

On 15 November 2023, the ICO sent letters to 50 UK publishers who operate the top 100 UK websites, warning that they face enforcement action if they do not make the necessary changes to comply with data protection law.

The ICO feels that these websites do not give their users a fair and transparent choice over whether or not to be tracked for personalised advertising.

They are giving publishers 30 days to ensure their websites comply with the law or face consequences. It seems that these consequences will be ‘naming & shaming’ in the first instance, but with the threat of stronger enforcement penalties after that.

It is clear that the ICO are particularly concerned about the potential risks to vulnerable groups (children etc.), so any enforcement levels will probably be decided on a risk basis.

We expect to hear from the ICO in mid January 2024, with details of companies that have not addressed the ICO concerns.

The Concerns

In the simplest terms, the ICO requirements are:

1. Ensure that non-strictly necessary advertising cookies do not fire before user consent
The ICO has requested that all non-essential advertising cookies do not fire before consent is given. In contrast to much of the European DPA guidance, they have not requested that functional and performance cookies are placed behind consent. This seems to be a recognition that the Data Protection and Digital Information Bill, due to become law in early 2024, will make the distinction between cookie functions and the consent needed to process.

2. Ensure that non-strictly necessary advertising cookies do not fire if a user withdraws consent
Publishers will need to ensure that their CMPs actually function correctly once consent has been withdrawn.

3. ‘Reject All’ on the first layer of the CMP
Probably most significantly for digital publishers, they must ensure that it is as easy for users to “Reject All” advertising cookies as it is to “Accept All.”

This clarifies the correct interpretation of previous ICO guidance, that cookie notices must “be in an intelligible and easily accessible form, using clear and plain language” and “allow the individual to withdraw their consent at any time.”

The equality between the consent choices has already been enforced in many EU countries, and now it will be in the UK. Although the Reject All mandate can be interpreted in a few different ways, research has indicated that publishers could expect to lose up to 50% of consented traffic under the purest form of the choice.

Next steps

The week before Black Friday, in the run up to Xmas, with much of the industry looking forward to a little respite after TCF V2.2 adoption, publishers now have a busy few weeks ahead... the ICO have certainly picked their moment!

Over the next few days, many of the publishers will be searching for greater detail and ‘wiggle room’ from the ICO. The Association of Online Publishers (AOP) and the Interactive Advertising Bureau (IAB) will certainly be working alongside the publishers, to engage the ICO around interpretations, timings and further guidance.

In the end, it is evident that the industry is going to have to fall behind much of what the ICO is mandating.

Introducing the PUR model (Consent or Pay)

When the equality of Reject All & Accept All was enforced by the German and Austrian DPAs, it forced many publishers to adopt alternatives to the Reject All button to protect revenues.

The PUR model (or Consent or Pay) has been given the green light by the German and Austrian regulators, and has been adopted by many businesses in the region.

The model actively promotes the value exchange of websites to the users, by giving the choice of consenting to personalized advertising or paying a nominal fee (<$3). The model has proved successful, and has secured consent rates of over 95%.

However, it is not that straightforward, as the PUR model has not been approved in all EU jurisdictions. Both the Dutch and the Belgian DPAs have raised concerns. It is unknown how the ICO will react to the model.

(For those interested in more information, the CMP Sourcepoint will be running a practical deepdive webinar on the PUR model on Tuesday 28 November 2023, 3pm-4.30pm GMT)

Content Ignite is a privacy first business and has created all of our ad products with privacy in mind. If you are having any issues with anything within the current CMP or privacy updates please contact alex@contentignite.com and the team will be happy to suggest ways in which Content Ignite can help.
