A controller sent me a marketing email after I signed up for a free trial, but did not give me a choice about this when I signed up. Their cookie banner was also not user-friendly, with no Reject All button available on the first layer. After the controller essentially ignored my complaints, the ICO eventually upheld my complaints and told the controller to add a Reject All button (see their full outcome below). Is the ICO finally doing something about non-compliance with the cookie consent rules?
The UK branch of this well-known, internationally operating controller (let’s call them X again) operates a website that enables people to sign up for a free trial of their service. After providing X with your details and payment information, you can use their service for free for a limited period of time. After this, your payment method will be automatically charged if you don’t cancel. Interestingly, this is a pattern that will be targeted by the new Digital Markets, Competition and Consumers Bill, which will require companies to warn users before their free trial is converted into a paid membership and give them an easy option to cancel.
I signed up for X’s free trial. As part of X’s signup process, no information was provided about the use of my data for sending me direct marketing communications. Furthermore, no opportunity to object to marketing emails was provided on X’s signup page. Despite this, a few days later, an annoying spam marketing email landed in my inbox trying to get me to purchase further products from X. I wasn’t pleased and needed to verify whether or not the email actually originated from X, as I was not expecting any such emails based on their privacy information.
As such, I contacted X’s customer support who helpfully confirmed: ‘When you sign up for the membership, marketing emails are automatically opted in for the customers so that they can get to know deals and offers’. Well, that certainly clarified why I received their marketing email – and that they had no lawful basis for sending it.
Additionally, X’s cookie ‘consent’ mechanism had become a substantial annoyance. The first layer only offered users the chance to Accept All or Customise, with no option to immediately reject all cookies being present. After clicking Customise, a second popup opened which took some time to load properly. This popup contained a slider mechanism for selecting the cookie categories and a plethora of text. After confirming their choice, users then had to wait an additional time for the choices to be processed and then make another confirmation button click for the popup to disappear. In summary – 1 click and an instant result to accept – 3 clicks and many unnecessary delays to reject. This is ridiculous and unacceptable, particularly in the context that the cookie banner can reappear and requires users to enter their choices again when using a new device.
On that particular occasion, I had clicked the Customise button again, but the second popup was loading for a while. I had grown frustrated with waiting so closed the second popup, after which the first banner appeared again. I was then forced to click the Accept All button to get rid of it. Clearly, this would not constitute valid consent as it was not freely given: there was no immediate, equivalent reject option present on the first banner; further and alternatively, the second popup was not working properly.
The Complaint
I sent X a data protection complaint and letter of claim in respect of their marketing email and cookie practices. I explained that the marketing email was sent in breach of Regulation 22 of PECR, because X had not obtained my consent. Additionally, X did not offer me an opportunity to refuse marketing emails when they collected my details, so they couldn’t rely on the soft opt-in either. This further meant that X had processed my data unfairly and unlawfully by sending me the marketing email, contrary to Article 5(1)(a) of the UK GDPR.
In respect of X’s cookies practices, I explained that the consent provisions and the ICO guidance require it to be as easy to refuse/withdraw consent as it is to give: in other words, if an Accept All button is present that produces an instant result, there should be an equivalent Reject All button. If this is not the case and it is harder to refuse than it is to give consent, then any consent will not be ‘freely given’ and therefore be invalid. Recital 42 of the UK GDPR states: “Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment.” Any additional clicks, waiting time, or interaction required to refuse consent clearly constitutes detriment.
For this reason, I was of the view X had contravened Regulation 6 of PECR by failing to obtain my consent before placing unnecessary cookies on my device. Because these cookies contained unique identifiers and were used by X and a variety of opaque third parties for tracking and profiling purposes, I was also of the view that X had contravened Article 5(1)(a) of the UK GDPR by unfairly and unlawfully processing my data.
I explained that Article 82 of the UK GDPR and Regulation 30 of PECR provide that controllers are liable to pay compensation for any damage their breaches of that legislation cause. This also includes non-material damage, such as distress, annoyance and frustration. It is this that has proven most useful when complaining to organisations, because individuals have the right to take their case to court themselves and seek proper redress. This usually has a far greater effect than complaining to the mostly toothless ICO, which has amazingly failed to issue a single fine or enforcement notice following a complaint by a data subject in the past year.
X’s customer support team replied to my complaint email within the hour, saying that X “is compliant with the General Data Protection Regulation (GDPR)”. In retrospect, it was a sign of what was to come. After more emails and attempts at contact, the most I had gotten out of X was that a case had been created and a full response would be provided. No full response was provided despite multiple attempts at obtaining one. After over a month, I then submitted a formal complaint to the ICO.
X’s response
In fairness to the ICO, their data protection complaint response times seem to have drastically improved. It took just over a month for my initial complaint to be picked up by an ICO case officer. During most of the complaints process, the case officer responded to me on the same or the next working day. This is much better than the ICO’s historic waiting times, where it would usually take 3 to 6 months for a case officer to respond to a complaint and 14 days for responses after allocation.
The ICO sent three emails to X asking for a response, but X still hadn’t provided a proper response weeks after the ICO first emailed them. It was at this point that the ICO made explicit that they would consider taking formal enforcement action if no response was received within 7 days. As if by magic, X then provided a response!
X stated that the marketing email was sent to me under the ‘soft opt-in’, suggesting this was why I had not “expected” the email. They also emphasised how “easy” it was for me to unsubscribe and referred to the ICO’s guidance on the soft opt-in.
If you’ve been paying attention, you’ll have immediately seen how ridiculous this response was. Clearly, one of the requirements of the soft opt-in is that the user is provided with an easy way to refuse direct marketing emails at the time the user provides their data (rather ironically, this was made clear on the ICO guidance page that X had included a link to). Additionally, the soft opt-in doesn’t disapply the transparency obligations under the UK GDPR, so X would still have had to make clear that my data would be used to send me marketing emails. If I hadn’t “expected” the email, this means X should have done more to make their use of my data clearer to me.
Additionally, X had stated it was “easy” for me to unsubscribe. But why should I have to unsubscribe when I never subscribed to their marketing in the first place? Many organisations include abusive unsubscribe links in their emails that either track users or indicate the email address is in use. It is clear to see that X’s argument was totally without merit.
Unfortunately, X’s response did not address their cookie practices, so the ICO told them to send me a further response about this. And so X did: their cookie preference mechanism had apparently been “designed to allow users to easily customize their consent”. But X had conveniently made it significantly harder for users to reject their consent than to accept. X then stated: “Although PECR requires that we obtain consent, it does not expressly require that a ‘Reject All’ button be included at the first stage of doing so.” So much for allowing users to “easily customize their consent” then!
Although X is correct that PECR does not literally state that a Reject All button must be present on the first layer, it is clear that this is the effect of the wider data protection legislation if an Accept All button is present. PECR’s consent requirement corresponds to the data subject’s consent as provided in the UK GDPR. This means that the consent must be freely given: users must have a free choice and be able to refuse consent without detriment. Additionally, Article 7(1) of the UK GDPR says it must be as easy to withdraw consent as to give – by extension, it must be as easy to refuse consent as to give. It is clear that 1 click to immediately Accept All is far easier than 3 clicks and additional waiting time to Reject All. The additional clicks and waiting time constitute detriment to the user. As such, X’s response to my complaint about their cookie practices was also without merit in my view. X’s position effectively boils down to an argument similar to something like ‘but the law doesn’t expressly prohibit kicking a stranger in the shins’ – sure, but the common law offence of battery does prohibit the intentional or reckless application of unlawful force to another. Kicking a stranger in the shins therefore prima facie constitutes an offence.
The ICO’s view
The ICO case officer responded to X explaining that the soft opt-in requires that users are provided with an opportunity to refuse direct marketing when the details are first collected. If this hadn’t been done there had been a breach of PECR. X responded saying they would review their soft opt-in practices. In light of this, the ICO closed this part of my complaint, noting an infringement of the law had taken place but taking no further formal enforcement action.
In respect of the cookies, the ICO case officer then said they believed X had complied with the legislation and that the Customise button was sufficient. This just goes to show that ICO case officers often get decisions entirely wrong and have no regard to their own guidance or precedent decisions. This is probably because the ICO claims their case officers’ decisions are not legally binding and are only an opinion – and so dealing with case officers can be a very hit-and-miss process. Contrary to the FOI process where complainants can appeal to the First-Tier Tribunal if the ICO gets it wrong, data protection complaints do not offer a substantive route for data subjects to challenge the ICO. If the ICO provides a data protection complaint decision that is clearly wrong in law or on the facts, all the data subject can do is request an internal review or commence potentially costly judicial review proceedings in the High Court.
I opted to challenge the ICO case officer’s flawed decision through the ICO’s internal review process. I explained that the ICO’s own guidance provides that having only a customise/more information option to reject cookies is non-compliant: controllers must not emphasise accept over reject. Additionally, Stephen Bonner, the deputy Information Commissioner, had also published a press statement about how the ICO had told Google to add a Reject All button to their consent mechanism and expected others to do the same. Finally, the ICO’s own internal document on adtech harms explicitly says that not including a reject all button on the same level as the accept all button means that any consent is invalid. Surely the only possible conclusion of the ICO’s internal review was that my complaint was therefore valid?
The ICO’s reviewing case officer upheld my request for a review of their original decision about X’s cookies practices. Following some further discussion, the ICO then wrote to X as follows:
I am writing to you further regarding the complaint we received. We have reviewed [X]’s cookie banner and we have identified some issues, it is our view that this banner does not fully comply with the ICO’s current guidance and the data protection legislation.
The issue is primarily regarding the lack of a ‘reject’ option being presented to the user upon first accessing the website, although the cookie banner explains to the user that they can reject non essential cookies by clicking ‘customise’, it is our view that this extra step should not be necessary and only encourages the user to click ‘accept all’.
There are other issues that arise when clicking ‘customise’, the user must wait for the second screen to load while then operating a slider mechanism to choose which option they prefer, in my own testing the default setting did not appear to also be set to ‘essential only’ and sometimes was set to ‘advertising cookies’. After making a choice the user must then wait for another pop up to appear which they must close down manually.
The above in our view is unnecessarily detrimental and may cause the user to click accept all simply out of a desire to quickly access the rest of the site, we have guidance already published on this issue: How do we comply with the cookie rules? | ICO. “A consent mechanism that doesn’t allow a user to make a choice would also be non-compliant, even where the controls are located in a ‘more information’ section.”. The ‘customise’ option in our view is a ‘more information’ section without the same label.
The easy solution to this issue would be to add a ‘reject-non essential’ option to the initial cookie banner, we cannot see any reason why this could not be implemented, the initial reject option is commonplace across the majority of popular websites […].
We would ask that in light of the above you review the cookie banner that you currently have and make these changes to implement a clearer way for a user to make a choice on how their personal data is processed. If you would like to discuss this further please let me know.
ICO reviewing case officer
This is good news. If in future another case officer tries telling me that no reject all option is required, I can now simply refer to this case review outcome in addition to the already published ICO guidance and statements.
The ICO decided not to take any further formal action at this point as X indicated they would review their cookie practices in light of my complaint. I had expected nothing different.
Civil Claim
Because X had failed to respond to my complaints for so long and their eventual responses were lacklustre, I had decided to start my claim for compensation in the County Court. I had sent an N1 Claim Form to the County Court, however as their processing centres were undergoing merging there were long delays in processing new claims.
The Pre-Action Protocol for Media and Communications Claims makes clear that defendants are required to respond fully to a Letter of Claim and make a genuine attempt to deal with the claim at the pre-action stage. Because X had failed to fully respond originally and had refused to engage with me further after I pointed out their responses were insufficient, I made clear that I considered X was in breach of the Pre-Action Protocol and would ask the Court to consider imposing sanctions on X as a result.
However, I was then contacted by solicitors whom X had instructed. Following some discussion, X and I decided to settle my claim (without an admission of fault by X). I therefore stopped my County Court claim which no longer needed to proceed to trial.
X has since made improvements to its cookies practices and has added an equivalent option to reject all unnecessary cookies to its first cookie banner – great! This once again goes to show that it is beneficial to everyone when a data subject exercises their right to obtain compensation in the civil courts and their right to complain to the ICO. However, from my experience, taking direct action through the civil claim route is most effective at driving change if you are confident about your claim. Controllers seem to have learned that the ICO is very unlikely to take formal enforcement action, even if they find infringements have occurred – although the ICO does publish datasets about data protection complaints and their outcomes. A stern ICO advice letter is easily ignored – but controllers can’t just ignore the civil court process without facing adverse court judgments and action to enforce them.
In positive news, the Data Protection and Digital Information (No. 2) Bill will require controllers to operate an effective data protection complaints process. Hopefully, if controllers ignore data protection complaints like X first did, they will soon also face the possibility of ICO enforcement action just for ignoring the complaint.
ICO Enforcement Warning
After my ICO complaint was concluded, the ICO separately warned organisations over need for ‘reject all’ cookies option. Stephen Bonner, deputy information commissioner, warned that organisations that fail to give website users an immediate option to ‘reject all’ when presenting them with cookie banners risk enforcement action. “If you don’t have ‘reject all’ on your top level [cookie banner], you are breaking the law,” Bonner said, according to MLex.
While it would have been helpful for the ICO to announce this on their own website rather than in other media sources, it is welcome. Some proper enforcement action on non-compliance with the cookies legislation is long overdue. Perhaps the ICO has now finally accepted this and is preparing to use its enhanced PECR enforcement powers that it is expected to get under the new Data Protection and Digital Information (No. 2) Bill. A few well-published fines and enforcement notices regarding cookies are likely have a far greater effect than warnings in the press.
See also: Taking the biscuit: websites breaking the cookie rules