November 27, 2023

Cookies and Dark Patterns: UK ICO Warns Top Publishers of Coming Enforcement

Published By
Ross Webster
Time
Reading Time
5 min
Chat
Chat

Summary

This assertive move by the ICO signifies that their patience is running thin with the digital marketing industry. They have tried the ‘guidance’ route without success, and now it’s time for sterner enforcement action.

Although the threat of enforcement is against all publishers, their focus in the first instance is the largest UK publishers. The secondary targets for the ICO are websites that would deal with vulnerable groups. For instance, websites aimed at children, promoting gambling or other sensitive topics will be in focus.

In any case, there is a responsibility of all publishers to ensure that they are maintaining trust and transparency with their web visitors, and falling into line with the ICO’s interpretation of the regulations (UK GDPR, PECR and UK DPA).

Recommendations

Content Ignite recommends that all publishers carry out a cookie audit on their sites to ensure that:

1. No advertising cookies being fired before consent.

2. That the Reject All function is working on the CMP.

2. That every publisher maintains a clear inventory of all cookies firing, and that there is an established regular audit.

3. That the CMP interface is fair, and free from ‘dark patterns’ deigned to drive consent. A Reject All button would now seem a requirement on the first layer.

4. This ICO action, the depreciation of the 3rd party Cookie and the introduction of Google’s privacy Sandbox in 2024 should encourage all publishers to be Investigating new privacy centric monetisation strategies. Whether it be greater contextual targeting, new ID solutions or privacy enhancing technologies.

For any related questions reach out to the Content Ignite team, we are a ‘Privacy First’ business and have in house expertise on hand to help Publishers navigate the complexities of privacy.

Background

Over the years, the ICO has engaged with the digital marketing industry publishing guidance for Adtech and Real Time Bidding (RTB) ecosystem, and the use of cookies and similar technologies.

In August 2023, the ICO published further guidance on Harmful Designs in digital marketing in partnership with the Competition and Markets Authority (CMA).

The two authorities are collaborating to provide a coherent approach to data protection & competition across digital publishing. The issue of fairness, transparency, meaningful control and effective choice for digital users is a strategic priority for both.

ICO Letters & Enforcement

Previous efforts by the ICO to regulate the digital marketing industry have been wide ranging, but limited to the guidance reports. There has been a conspicuous absence of any tangible enforcement threats.

The ICO have now upped the ante by focussing on publishers. Behind the scenes, there has been a recognition that the publishers are the source and providence of the data across the ecosystem — and the best place to start to ensure transparency across the industry is to regulate the “tap.”

On 15 November 2023, the ICO sent letters to 50 UK publishers who operate the top 100 UK websites, warning that they face enforcement action if they do not make the necessary changes to comply with data protection law.

The ICO feels that these websites do not give their users a fair and transparent choice over whether or not to be tracked for personalised advertising.

They are giving publishers 30 days to ensure their websites comply with the law or face consequences. It seems that these consequences will be ‘naming & shaming’ in the first instance, but with the threat of stronger enforcement penalties after that.

It is clear that ICO are particularly concerned about the potential risks to vulnerable groups (children etc) so any enforcement levels will probably be decided on a risk basis.

We expect to hear from the ICO in mid January 2024, with details of companies that have not addressed the ICO concerns.

The Concerns

In the simplest terms, the ICO requirements are:

1. Ensure that non-strictly necessary advertising cookies do not fire before user consent
The ICO has requested that all non essential advertising cookies do not fire before consent is given. In contrast to much of the European DPA guidance, they have not requested that functional and performance cookies are placed behind consent. This seems to be a recognition that the Data Protection and Digital Information Bill, due to become law in early 2024 will make the distinction between cookie functions and the consent needed ro process.

2. Ensure that non-strictly necessary advertising cookies do not fire, if a user withdraws consent
Publishers will need to ensure that their CMPs actually function correctly once consent has been withdrawn.

3. ‘Reject All’ on the first layer of the CMP
Probably most significantly for digital publishers, they must ensure that it is as easy for users to “Reject All” advertising cookies as it is to “Accept All.”

It is clarifying the correct interpretation of previous ICO guidance, that cookie notices must “be in an intelligible and easily accessible form, using clear and plain language” and “allow the individual to withdraw their consent at any time.”

The equality between the consent choices has already been enforced in many EU countries, and now it will be in the UK. Although the Reject All mandate can be interpreted in a few different ways, research has indicated that publishers could expect to lose up to 50% of consented traffic under the purest form of the choice.

Next steps

The week before Black Friday, in the run up to Xmas, with much of the industry looking forward to a little respite after TCF V2.2 adoption, publishers now have a busy few weeks ahead………the ICO have certainly picked their moment!

Over the next few days, many of the publishers will be searching for greater detail and ‘wiggle room’ from the ICO. The Association of Online Publishers (AOP) and the Interactive Advertising Bureau (IAB) will certainly be working alongside the publishers, to engage the ICO around interpretations, timings and further guidance.

In the end, it is evident that the industry is going to have to fall behind much of what the ICO is mandating.

Introducing the PUR model (Consent or Pay)

When the equality of Reject All & Accept All was enforced by the German and Austrian DPAs, it forced many publishers to adopt alternatives to the Reject All button to protect revenues.

The PUR model (or Consent or Pay) has been given the green light by the German and Austrian regulators, and has been adopted by many businesses in the region..

The model actively promotes the value exchange of websites to the users, by giving the choice of consenting to personalized advertising or paying a nominal fee (<$3). The model has proved successful, and has secured consent rates of over 95%.

However it is not that straightforward, as the PUR model has not been approved in all EU jurisdictions., Both the Dutch and the Belgian DPAs have raised concerns. It is unknown how the ICO will react to the model.

(For those interested in more information, the CMP Sourcepoint will be running a practical deepdive webinar on the PUR model on Tuesday 28 November 2023, 3pm-4.30pm GMT)

Content Ignite is a privacy first business and has created all of our ad products with privacy in mind. If you are having any issues with anything within the current CMP or privacy updates please contact alex@contentignite.com and the team will be happy to suggest ways in which Content Ignite can help.

Latest Articles

Latest Articles By Content Ignite

Optimising Website Ad Performance Using Content Ignite’s Experiment Technology

Content Ignite’s advanced experiment technology now offers a powerful platform for publishers to test, refine, and perfect their ad revenue strategies

View Article

Boosting Publisher Revenue: The Role of Demand Path Optimisation (DPO) and Split Testing

As no clear path or definitive solutions have emerged, it is vital that publishers explore new areas, test new partners and experiment with new technologies to maintain their revenue streams.

View Article

DPO vs SPO - What’s the difference?

Demand Path Optimisation (DPO) and Supply Path Optimisation (SPO) are two strategies in digital advertising, specifically in the programmatic ecosystem, aimed at improving the efficiency and transparency of the ad supply chain. Both focus on optimising different parts of the ad transaction process, but from different perspectives.

View Article

Mastering Ads.txt File Optimisation with Content Ignites Insight Tool

A guide of wow to improve your Ads.txt file and 5-step overview of understanding our Ads.txt Insights tool

View Article

Google's Privacy Sandbox Delay: What's next?

Google still plans to roll out Sandbox in a gradual manner, and will provide advance notice on how this will work. It looks likely that the ramp up will begin in early 2025.

View Article

Google's Plan to Deprecate Third-Party Cookies Delayed Once Again

Google has decided to postpone the deprecation of third-party cookies beyond the initially planned date of Q4 2024. The search giant has cited regulators as the reason, with the Competition and Markets Authority (CMA) needing "sufficient time to review all evidence, including results from industry tests."

View Article

Impressed? Signup or reach out for your free healthcheck

We only need your email and domain to complete each healthcheck

Preferences

Privacy is important to us, so you have the option of disabling certain types of storage that may not be necessary for the basic functioning of the website. Blocking categories may impact your experience on the website. More information

Accept all cookies

These items are required to enable basic website functionality.

Always active

These items are used to deliver advertising that is more relevant to you and your interests.

These items allow the website to remember choices you make (such as your user name, language, or the region you are in) and provide enhanced, more personal features.

These items help the website operator understand how its website performs, how visitors interact with the site, and whether there may be technical issues.

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.