UK: Cookie Banners Missing "Reject All" Buttons Face Investigation By The UK Information Commissioner's Office

The Deputy Commissioner of the UK Information Commissioner's Office (ICO) warned in June 2023 that organisations whose top-level cookie banners do not include a "reject all" button will face an "intervention" by the ICO.

In the United Kingdom, organisations using non-essential cookies (such as analytics, performance or marketing cookies) on their website or a mobile app must ask users whether they permit the operator to use such cookies before placing the cookie on the user's device. The ICO has emphasised that there is "no excuse" not to have a "reject all" button, and failure to provide one constitutes breaking the law. The regulator has warned that enforcement will get progressively stricter until organisations ensure their compliance.

Cookie Banner Consent Requirements

The ICO's guidance on the use of cookies and similar technologies states that the consent request (typically collected through the implementation of a cookie banner on a website or in an app) must "be in an intelligible and easily accessible form, using clear and plain language" and "allow the individual to withdraw their consent at any time".

The ICO guidance also confirms that the user must "take a clear and positive action to give their consent to non-essential cookies – continuing to use your website does not constitute valid consent". Furthermore, the use of any pre-ticked boxes or "on" sliders for non-essential cookies would not meet the ICO's requirement for a positive action.

The guidance also states that a consent mechanism that does not allow users to decide whether to accept non-essential cookies or one which emphases "Agree" or "Allow" over "Reject" or "Block" (e.g. by using a different font size or deceptive colour coding) represents a non-compliant approach.

Enforcement of Cookie Rules

After receiving several hundred complaints from NOYB regarding cookie banners, the European Data Protection Board established a Cookie Banner Taskforce to coordinate enforcement of cookie rules among EU data protection authorities. As a result, the French data protection authority, CNIL, has issued several multimillion fines for breaching the French cookie rules.

In the United Kingdom, the maximum fine for breaching cookie rules under the Privacy and Electronic Communications Regulations 2003 is currently £500,000. In the Data Protection and Digital Information Bill (No. 2), the UK Government proposed that the maximum level of fines will increase to £17.5 million or 4% of worldwide annual turnover (whichever is higher). If approved, the Bill would also broaden the list of exemptions when consent is not required in the United Kingdom before placing cookies on a user's device (such as statistical or preferences cookies).

What are the next steps?

The ICO maintains that they will not immediately fine organisations, but rather implement increasingly stricter stages of intervention. With the gradual phase-out of the third-party cookie, website operators' reliance on marketing cookies is also likely going to decline. However, organisations using cookies should review their cookie banners and ensure they are compliant with the applicable cookie rules including by configuring a "reject all" button in their top-level cookie banner.

Visit us at mayerbrown.com

Mayer Brown is a global services provider comprising associated legal practices that are separate entities, including Mayer Brown LLP (Illinois, USA), Mayer Brown International LLP (England & Wales), Mayer Brown (a Hong Kong partnership) and Tauil & Chequer Advogados (a Brazilian law partnership) and non-legal service providers, which provide consultancy services (collectively, the "Mayer Brown Practices"). The Mayer Brown Practices are established in various jurisdictions and may be a legal person or a partnership. PK Wong & Nair LLC ("PKWN") is the constituent Singapore law practice of our licensed joint law venture in Singapore, Mayer Brown PK Wong & Nair Pte. Ltd. Details of the individual Mayer Brown Practices and PKWN can be found in the Legal Notices section of our website. "Mayer Brown" and the Mayer Brown logo are the trademarks of Mayer Brown.

© Copyright 2023. The Mayer Brown Practices. All rights reserved.

This Mayer Brown article provides information and comments on legal issues and developments of interest. The foregoing is not a comprehensive treatment of the subject matter covered and is not intended to provide legal advice. Readers should seek specific legal advice before taking any action with respect to the matters discussed herein.