Are we suffering from cookie fatigue?

An over-indulgence in Easter treats might not be the only cookie fatigue that individuals will suffer this year according to the Information Commissioners Office (ICO).

What is cookie fatigue?

It is not unusual for internet users to be flooded with various cookie pop-ups that restrict access when trying to visit online websites. As such, there are increasing concerns that individuals are clicking “I agree” to these pop-ups without really understanding what they are agreeing to.

So what is a cookie? Cookies contain a small amount of information which a provider of an online service can implant onto the terminal equipment of an individual’s device when they visit a website. When this data can be linked to a name, address or email it will amount to personal data.

What are the ICO’s comments and suggestions on tackling cookie fatigue?

Cookie fatigue can lead to a loss of control over users personal data and the ICO has suggested that individuals should be able to control their own privacy settings on website browsers, software applications and personal device settings, instead of through repeated pop-ups every time a website is visited. Not only is this suggestion already technologically possible, it is also compliant with the relevant data protection laws and can save organisations both time and costs, as well as improve overall user experience.

The ICO has made various statements regarding cookies and the rising risk of cookie fatigue;

• In 2021, the ICO called on the G7 data protection authorities to help to tackle this issue.

The ICO believes that the G7 authorities can play a major role in encouraging technology firms and standards organisation to develop privacy-oriented solutions worldwide.

• In August 2023, the ICO worked alongside the Competition and Markets Authority (CMA) to jointly publish a blog and position paper.

The paper calls for organisations to stop using harmful website design practices which can mislead users into giving more personal data than they would have intended. Examples of these harmful techniques include bundling privacy choices together in ways that push users to share more data than they would like. Both the ICO and the CMA made it clear that organisations must make it as easy for users to ‘Reject All’ advertising as it is to ‘Accept All’.

• In November 2023, the ICO warned some of the UK’s most visited websites to make cookie changes.

The ICO published a statement announcing that is has written to numerous companies to warn them of potential enforcement action if they fail to give individuals fair choices over whether or not to be tracked for personalised advertising.

The companies were given 30 days to comply. The ICO published an update in January this year stating that 38 out of the 53 organisations that were contacted have changed their cookie banners to be more complaint. The ICO announced that it will not stop here and are already planning to write to other websites and organisations that continue to ignore the law. The ICO will also run an event early this year to explore and develop an AI solution to help streamline the identification process of websites that use non-compliant cookie banners and have encouraged websites to ‘be compliant before the regulator comes knocking’.

What other developments have been made?

During the European Data Protection Board’s (EDPB) latest plenary in December 2023, the EDPB adopted a letter in response to the European Commission regarding the cookie pledge voluntary initiative.

The cookie pledge is a voluntary business pledge to simplify the management of cookies and personalised advertising choices by consumers. Alongside the draft principles, the pledge requires that once consent has been refused it should not be asked again for a year. The pledge was developed in response to, and aims to address, concerns regarding cookie fatigue.

Clarkslegal has a team of specialist privacy and data protection lawyers providing expert guidance on a range of data protection issues to achieve compliance. Please do not hesitate to contact our data protection team.