November 27, 2023

Cookies and Dark Patterns: UK ICO Warns Top Publishers of Coming Enforcement

Published By
Ross Webster
Time
Reading Time
5 min
Chat
Chat

Summary

This assertive move by the ICO signifies that their patience is running thin with the digital marketing industry. They have tried the ‘guidance’ route without success, and now it’s time for sterner enforcement action.

Although the threat of enforcement is against all publishers, their focus in the first instance is the largest UK publishers. The secondary targets for the ICO are websites that would deal with vulnerable groups. For instance, websites aimed at children, promoting gambling or other sensitive topics will be in focus.

In any case, there is a responsibility of all publishers to ensure that they are maintaining trust and transparency with their web visitors, and falling into line with the ICO’s interpretation of the regulations (UK GDPR, PECR and UK DPA).

Recommendations

Content Ignite recommends that all publishers carry out a cookie audit on their sites to ensure that:

1. No advertising cookies being fired before consent.

2. That the Reject All function is working on the CMP.

2. That every publisher maintains a clear inventory of all cookies firing, and that there is an established regular audit.

3. That the CMP interface is fair, and free from ‘dark patterns’ deigned to drive consent. A Reject All button would now seem a requirement on the first layer.

4. This ICO action, the depreciation of the 3rd party Cookie and the introduction of Google’s privacy Sandbox in 2024 should encourage all publishers to be Investigating new privacy centric monetisation strategies. Whether it be greater contextual targeting, new ID solutions or privacy enhancing technologies.

For any related questions reach out to the Content Ignite team, we are a ‘Privacy First’ business and have in house expertise on hand to help Publishers navigate the complexities of privacy.

Background

Over the years, the ICO has engaged with the digital marketing industry publishing guidance for Adtech and Real Time Bidding (RTB) ecosystem, and the use of cookies and similar technologies.

In August 2023, the ICO published further guidance on Harmful Designs in digital marketing in partnership with the Competition and Markets Authority (CMA).

The two authorities are collaborating to provide a coherent approach to data protection & competition across digital publishing. The issue of fairness, transparency, meaningful control and effective choice for digital users is a strategic priority for both.

ICO Letters & Enforcement

Previous efforts by the ICO to regulate the digital marketing industry have been wide ranging, but limited to the guidance reports. There has been a conspicuous absence of any tangible enforcement threats.

The ICO have now upped the ante by focussing on publishers. Behind the scenes, there has been a recognition that the publishers are the source and providence of the data across the ecosystem — and the best place to start to ensure transparency across the industry is to regulate the “tap.”

On 15 November 2023, the ICO sent letters to 50 UK publishers who operate the top 100 UK websites, warning that they face enforcement action if they do not make the necessary changes to comply with data protection law.

The ICO feels that these websites do not give their users a fair and transparent choice over whether or not to be tracked for personalised advertising.

They are giving publishers 30 days to ensure their websites comply with the law or face consequences. It seems that these consequences will be ‘naming & shaming’ in the first instance, but with the threat of stronger enforcement penalties after that.

It is clear that ICO are particularly concerned about the potential risks to vulnerable groups (children etc) so any enforcement levels will probably be decided on a risk basis.

We expect to hear from the ICO in mid January 2024, with details of companies that have not addressed the ICO concerns.

The Concerns

In the simplest terms, the ICO requirements are:

1. Ensure that non-strictly necessary advertising cookies do not fire before user consent
The ICO has requested that all non essential advertising cookies do not fire before consent is given. In contrast to much of the European DPA guidance, they have not requested that functional and performance cookies are placed behind consent. This seems to be a recognition that the Data Protection and Digital Information Bill, due to become law in early 2024 will make the distinction between cookie functions and the consent needed ro process.

2. Ensure that non-strictly necessary advertising cookies do not fire, if a user withdraws consent
Publishers will need to ensure that their CMPs actually function correctly once consent has been withdrawn.

3. ‘Reject All’ on the first layer of the CMP
Probably most significantly for digital publishers, they must ensure that it is as easy for users to “Reject All” advertising cookies as it is to “Accept All.”

It is clarifying the correct interpretation of previous ICO guidance, that cookie notices must “be in an intelligible and easily accessible form, using clear and plain language” and “allow the individual to withdraw their consent at any time.”

The equality between the consent choices has already been enforced in many EU countries, and now it will be in the UK. Although the Reject All mandate can be interpreted in a few different ways, research has indicated that publishers could expect to lose up to 50% of consented traffic under the purest form of the choice.

Next steps

The week before Black Friday, in the run up to Xmas, with much of the industry looking forward to a little respite after TCF V2.2 adoption, publishers now have a busy few weeks ahead………the ICO have certainly picked their moment!

Over the next few days, many of the publishers will be searching for greater detail and ‘wiggle room’ from the ICO. The Association of Online Publishers (AOP) and the Interactive Advertising Bureau (IAB) will certainly be working alongside the publishers, to engage the ICO around interpretations, timings and further guidance.

In the end, it is evident that the industry is going to have to fall behind much of what the ICO is mandating.

Introducing the PUR model (Consent or Pay)

When the equality of Reject All & Accept All was enforced by the German and Austrian DPAs, it forced many publishers to adopt alternatives to the Reject All button to protect revenues.

The PUR model (or Consent or Pay) has been given the green light by the German and Austrian regulators, and has been adopted by many businesses in the region..

The model actively promotes the value exchange of websites to the users, by giving the choice of consenting to personalized advertising or paying a nominal fee (<$3). The model has proved successful, and has secured consent rates of over 95%.

However it is not that straightforward, as the PUR model has not been approved in all EU jurisdictions., Both the Dutch and the Belgian DPAs have raised concerns. It is unknown how the ICO will react to the model.

(For those interested in more information, the CMP Sourcepoint will be running a practical deepdive webinar on the PUR model on Tuesday 28 November 2023, 3pm-4.30pm GMT)

Content Ignite is a privacy first business and has created all of our ad products with privacy in mind. If you are having any issues with anything within the current CMP or privacy updates please contact alex@contentignite.com and the team will be happy to suggest ways in which Content Ignite can help.

Latest Articles

Latest Articles By Content Ignite

Content Ignite is excited to announce the launch of the Insights Hub within our Fusion platform

Content Ignite are very excited to announce the launch of our Insights Hub within Fusion. This fantastic new tool will enable you to slice and dice data, monitor your website performance, keep tabs on SSPs and so much more, putting the power of Fusion firmly at your fingertips!

View Article

Case Study: Enhancing Revenue through Integration of LiveRamp and Google PAIR via Content Ignite's Fusion Platform

Content Ignite’s Fusion platform has expanded its ID Solutions features even further; introducing additional providers like The Trade Desk EUID and UID2, Audigient, ID5, to its comprehensive stack, with even more in the coming weeks and months.

View Article

Content Ignite Launches Policy Centre & ID Solutions

At Content Ignite, we understand the significance of privacy and the intricacies of data protection laws, particularly within the EU. As we continue to prioritise your users privacy, we are thrilled to announce the launch of our latest innovations: the Policy Centre and ID Solutions.

View Article

Prebid Asteroid vs. Content Ignite Experiments: How They Compare

On February 19th, Prebid announced "Asteroid," a tool designed to measure the impact of identity (ID) solutions. Marketed as a unique and powerful solution, a closer look reveals it to be an minor enhancement feature that like the rest of Prebid.

View Article

Understanding The Impact Of A Drop In Traffic On Ad Revenue

Managing traffic fluctuations is a common challenge for publishers. While decreased traffic can impact revenue, understanding the relationship between traffic and monetisation helps publishers make informed decisions and implement effective strategies. This guide outlines key considerations and solutions to help minimise revenue impact during lower traffic periods.

View Article

What Should Publishers Do in Light of the ICO Consent or Pay Guidance?

Although the ICO guidance diverges somewhat from the stricter approach taken by the EDPB, offering UK publishers more flexibility in their business models. However, publishers must carefully navigate these requirements if considering the Consent or Pay model.

View Article

Impressed? Signup or reach out for your free healthcheck

We only need your email and domain to complete each healthcheck

Preferences

Privacy is important to us, so you have the option of disabling certain types of storage that may not be necessary for the basic functioning of the website. Blocking categories may impact your experience on the website. More information

Accept all cookies

These items are required to enable basic website functionality.

Always active

These items are used to deliver advertising that is more relevant to you and your interests.

These items allow the website to remember choices you make (such as your user name, language, or the region you are in) and provide enhanced, more personal features.

These items help the website operator understand how its website performs, how visitors interact with the site, and whether there may be technical issues.

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.