The Conservative Party adds an equivalent ‘Reject’ button after my email to their DPO. But Labour initially refuses to acknowledge their non-compliance and invites me to complain to the ICO. After the ICO gets involved, the Labour Party also makes the changes I requested – and the ICO records the matter as an infringement of the law.
You’d expect political parties to comply with the legislation their MPs have implemented. In the area of tracking cookies, however, this didn’t seem to be the case. Both the Conservative and Labour Parties used dark patterns in their cookie ‘consent’ mechanisms. These designs made it easier to accept all unnecessary cookies (1 click) than to reject or withdraw them (2 clicks). This was despite the fact that the ICO cookies guidance has advised against such practices for a long time. The ICO also published a joint report with the CMA in 2023, advising that such practices infringe PECR and the UK GDPR (more on this here).
Unnecessary cookies were also being placed before the ‘consent’ banners had even been shown. The banners were clearly not collecting valid consent, even when users pressed the ‘accept all’ button. Therefore, I believed that infringements of R.6 PECR and Article 5(1)(a) UK GDPR had occurred.
I also believed that Article 9 of the UK GDPR was infringed. This is because the tracking of behaviour on the websites of political parties is likely to reveal users’ political opinions, or enables data controllers to make inferences about them (see CJEU Case C‑184/20). Because there was no consent and no other exemption in Article 9(2) seemingly applied, such processing was prohibited in my view.
Conservatives’ Response
I sent a complaint about the above to the Conservatives’ DPO. Two weeks later, I got a helpful update, thanking me for my constructive comments. They also stated they were reviewing their practices as they were aware that they may not meet the current consent standards.
Two weeks later, the issue with unnecessary cookies being placed immediately on website load had been resolved. However, it was still harder to reject all unnecessary cookies than to accept them. I therefore followed this up.
A couple of weeks later, the Conservatives had added a ‘Reject’ button on their main websites, making rejecting as easy as accepting.
Overall, the Conservatives responded in a fairly timely and constructive manner and took action to improve their compliance. Further action, such as a complaint to the ICO, was therefore not necessary.
Labour’s Response
Labour’s response to my complaint, on the other hand, was dismissive and insufficient:
We have reviewed the cookie processes on the website location you have referenced and find that it meets the necessary standards of legislative compliance.
Where you have not found our answer satisfactory, you are able to lodge a complaint about cookies with the Information Commissioner’s Office (ICO).
Not only did they completely fail to engage with the detailed issues I had raised, they also clearly were not aware of the standards that valid consent must adhere to. Because the Labour Party didn’t go into any detail, I asked them for clarification of their position on two occasions. The ICO expects organisations to clearly explain how they comply with the law, as per the accountability principle in Article 5(2) UK GDPR.
Despite me chasing the Labour Party for an actual response explaining their position, the Labour Party entirely failed to engage further. I therefore submitted a data protection complaint to the ICO, summarised as follows:
When I visited the Labour Party’s website, my data about my website visit was immediately shared with Google. Additionally, unnecessary cookies for advertising/tracking/analytics purposes were immediately placed before any consent banner was shown. Breaches fairness/lawfulness/transparency principle in Article 5(1)(a) UK GDPR and Regulation 6 PECR.
Furthermore, the ‘consent’ banner makes it harder to reject all (min. 2 clicks) than to accept all (1 click), in direct contravention of the ICO’s guidance and recent letter to DPOs at https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2023/11/commissioner-warns-uk-s-top-websites-to-make-cookie-changes/ Breaches Article 5(1)(a) as the ‘consent’ is not freely given and thus invalid.
It is also impossible to withdraw consent later as you cannot reopen the ‘consent’ banner. This breaches Article 7(3) UK GDPR.
Profiling and tracking my behaviour on the Labour Party’s website is likely to reveal my political opinions and to allow third parties to make inferences about them. This therefore constitutes special category data; this is particularly concerning as an election is expected soon. As no valid consent is in place, this breaches Article 9(1) UK GDPR.
The Labour Party has failed to properly engage with my concerns and has failed to demonstrate that they are compliant, in breach of Article 5(2) and 7(1) UK GDPR.
Desired outcome: ICO to ask Labour Party to make changes to become compliant:
– Make it as easy to reject as to accept tracking (for example by adding reject all button to initial banner)
– Allow consent banner to be reopened e.g. through a footer link
– Fix issue where users are tracked through Google before banner is even shown.
Three months later, the ICO wrote to the Labour Party, asking them to provide a detailed response to my allegations within 4 weeks. The Labour Party failed to do so.
The ICO then wrote to the Labour Party again, giving them a last chance to respond within 7 days.
Shortly after this deadline, the Labour Party responded to me. They explained that they had made changes to their cookie practices. Sure enough, unnecessary cookies were no longer being placed upon website load and a ‘Reject All’ button had been added to their initial banner.
However, it was still not possible to withdraw consent later, in breach of Article 7(3) UK GDPR. This was because it was impossible to reopen the cookie banner.
I therefore asked the Labour Party to take further action to address my outstanding concern. The Labour Party responded just under two weeks later, explaining that they had added a new Cookie Preferences button at the bottom of each page and an update to the Cookie Policy.
This meant all my concerns had been addressed. I therefore agreed that the ICO could close my complaint and they confirmed that they had recorded the matter as an infringement of the law by the Labour Party.
Perhaps this case and the Labour Party’s recent reprimand will inspire changes to respond to data subject complaints more effectively. Although the Labour Party’s initial response was very poor, this improved once they realised a complaint had been made to the ICO.
Read on for my views on the ICO’s ‘consent or pay’ consultation: https://respectmydata.net/2024/03/28/consent-or-pay-is-likely-unlawful-and-must-not-be-entertained-by-regulators/