The ICO admits that its cookie policy violates the GDPR

The UK’s data protection watchdog has admitted that its website’s cookie policy breaches the requirements of the GDPR (General Data Protection Regulation).

The ICO (Information Commissioner’s Office) made the statement following complaints that it was storing visitors’ personal data without their consent.

What did the ICO do wrong?

The GDPR requires organisations to ask for individuals’ consent before using certain types of cookies, i.e. files that track how people interact with their website.

The requirement applies to cookies that, “when combined with unique identifiers and other information received by the servers, may be used to create profiles” and identify specific people.

This requirement is the reason so many websites now contain splash pages warning you about cookies. They ask you to click ‘okay’ to access the rest of the site, thereby gaining your consent.

However, the ICO was using implied consent for users browsing on mobile devices, which means that cookies were used automatically unless the user changed the settings.

In an email shared on Twitter, a spokesperson for the ICO’s data protection officer said: “I acknowledge that the current cookies consent notice on our website doesn’t meet the required GDPR standard.

“We are currently in the process of updating this to align our use of cookies to the GDPR standard of consent and we will be making amendments to this information during the week commencing 24 June.”

ICO hasn’t followed its own advice

In some ways, it’s unthinkable that the ICO could have committed such a blunder. Not only is it the UK’s data protection watchdog (having investigated almost 1,000 cookie complaints this year) but cookie policy requirements are one of the simpler aspects of the GDPR to meet.

Yes, the GDPR has toughened the requirements for using consent, but the solution is relatively straightforward.

As the ICO’s website explains: “You must tell people if you set cookies, and clearly explain what the cookies do and why. You must also get the user’s consent. Consent must be actively and clearly given.”
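The two banner behaviours discussed above, as an added JavaScript example that is not code from the ICO or from this article: the implied-consent pattern stores a non-essential analytics cookie at page load unless the visitor has changed settings, while the opt-in pattern stores it only after an affirmative click, which is the “actively and clearly given” standard the ICO’s guidance describes. The cookie names, the in-memory jar standing in for `document.cookie`, and the `cookiesWithoutConsent` audit helper are constructed for illustration.

```javascript
// Added example, not ICO code. Strictly necessary cookies need no consent;
// anything else needs a consent record created by an affirmative user action.
const ESSENTIAL_COOKIES = new Set(['session_id']); // constructed name
const NON_ESSENTIAL_COOKIES = ['_analytics_id'];   // constructed name

// The jar is a plain object keyed by cookie name, so the example runs offline.
function setCookie(jar, name) { jar[name] = true; }

// Consent state starts undecided; only a click on the banner can change it.
function initialConsent() { return { status: 'undecided', byUserAction: false }; }
function acceptClicked() { return { status: 'accepted', byUserAction: true }; }
function rejectClicked() { return { status: 'rejected', byUserAction: true }; }

// Valid consent under the GDPR standard: accepted, and accepted by the user.
function hasValidConsent(consent) {
  return consent.status === 'accepted' && consent.byUserAction === true;
}

// Implied-consent banner (the pattern the article describes on mobile):
// non-essential cookies are set on load unless the visitor opted out earlier.
function pageLoadImplied(jar, settingsChanged = false) {
  ESSENTIAL_COOKIES.forEach((name) => setCookie(jar, name));
  if (!settingsChanged) NON_ESSENTIAL_COOKIES.forEach((name) => setCookie(jar, name));
  return Object.keys(jar).sort();
}

// Opt-in banner: the same page load sets nothing non-essential until the
// consent record shows an affirmative choice.
function pageLoadOptIn(jar, consent) {
  ESSENTIAL_COOKIES.forEach((name) => setCookie(jar, name));
  if (hasValidConsent(consent)) {
    NON_ESSENTIAL_COOKIES.forEach((name) => setCookie(jar, name));
  }
  return Object.keys(jar).sort();
}

// Audit check: which stored cookies have no consent basis for this visitor?
// A non-empty result is the condition the complaints to the ICO were about.
function cookiesWithoutConsent(jar, consent) {
  if (hasValidConsent(consent)) return [];
  return Object.keys(jar).filter((name) => !ESSENTIAL_COOKIES.has(name)).sort();
}
```

Running `cookiesWithoutConsent` against the implied-consent jar with an undecided visitor reports the analytics cookie; the opt-in jar reports nothing until the visitor clicks accept, after which the cookie is both present and covered.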

There are several theories about why the ICO has neglected its cookie consent requirements. Some blame the use of – or failure to use – Civic, a third-party tool the authority said it would be implementing to manage cookies in the run-up to the GDPR taking effect.

Others have cited a lack of clear guidance on the GDPR’s rules. However, seeing as the ICO writes the guidance and enforces the rules, this seems unlikely.

Finally, the mistake could simply be an oversight. Cookies are one of the least sensitive types of personal data, so organisations may well place them low on their list of priorities – and the longer you go without any complaints, the easier it becomes to delay implementing the necessary measures.

However, as the ICO has learned, someone will eventually notice. But rather than deny the incident or quietly implement a fix before it became public, the ICO took responsibility and said it would fix it.

In that regard at least, the ICO is practising what it preaches. The organisation has often said it will be lenient towards organisations that can prove they are working towards compliance.

This violation shows why: even when you have experts on board, it’s easy to make mistakes. What’s important is that you take the requirements seriously and commit to continual improvement.
