The ICO (Information Commissioner’s Office) made the statement following complaints that it was storing visitors’ personal data without their consent.
What did the ICO do wrong?
The GDPR requires organisations to ask for individuals’ consent before using certain types of cookies – i.e. files that track how people interact with their website.
The requirement applies to cookies that, “when combined with unique identifiers and other information received by the servers, may be used to create profiles” and identify specific people.
This requirement is the reason so many websites now contain splash pages warning you about cookies. They ask you to click ‘okay’ to access the rest of the site, thereby gaining your consent.
However, the ICO was using implied consent for users browsing on mobile devices, which means that cookies were used automatically unless the user changed the settings.
A remarkable admission from @ICOnews – its #cookies consent process has been wrong (‘doesn’t meet the required GDPR standard’) and it’s being urgently changed. [In fact, it’s probably not been to the required standard since 2011.] #gdpr #pecr pic.twitter.com/aIFuO0kR4e
— Adam Rose (@adam_rose) 16 June 2019
In an email shared on Twitter, a spokesperson for the ICO’s data protection officer said: “I acknowledge that the current cookies consent notice on our website doesn’t meet the required GDPR standard.
ICO hasn’t followed its own advice
Yes, the GDPR has toughened the requirements for using consent, but the solution is relatively straightforward.
As the ICO’s website explains: “You must tell people if you set cookies, and clearly explain what the cookies do and why. You must also get the user’s consent. Consent must be actively and clearly given.”
There are several theories about why the ICO has neglected its cookie consent requirements. Some blame the use of – or failure to use – Civic, a third-party tool the authority said it would be implementing to manage cookies in the run-up to the GDPR taking effect.
Others have cited a lack of clear guidance on the GDPR’s rules. However, seeing as the ICO writes the guidance and enforces the rules, this seems unlikely.
Finally, the mistake could simply be an oversight. Cookies are one of the least sensitive types of personal data, so organisations may well place it low on their list of priorities – and the longer you go without any complaints, the easier it becomes to delay implementing the necessary measures.
However, as the ICO has learned, someone will eventually notice. But rather than deny the incident or quietly implement a fix before it became public, the ICO took responsibility and said it would fix it.
In that regard at least, the ICO is practising what it preaches. The organisation has often said it will be lenient towards organisations that can prove they are working towards compliance.
This violation shows why; even when you have experts on board, it’s easy to make mistakes. What’s important is that you take the requirements seriously and commit to continual improvement.