A popular UK website used cookies to track me from the moment I visited their website, before their ‘consent’ popup was even shown. It was also harder to reject than to accept tracking cookies, because registration and payment were required to reject. Worse still, even after I’d paid to reject tracking cookies and have a ‘tracking-free’ experience, the website tracked me for behavioural advertising anyway: consent or pay had become consent AND pay. So I sent them a UK GDPR objection and a legal letter of claim, with the intention of taking them to court. The bungling ICO bizarrely refused to investigate my complaints until I sent them a formal legal letter threatening a judicial review, raising serious concerns about the ICO’s ability to regulate non-compliant ‘consent or pay’ models.
Tag: cookie claims
A marketing agency disguised its identity and did not have a functional unsubscribe system in its marketing emails. Additionally, a popular restaurant chain pretended its marketing was a ‘service message’ and a university used dark patterns in its cookie ‘consent’ mechanism.
A controller sent me a marketing email after I signed up for a free trial, but did not give me a choice about this when I signed up. Their cookie banner was also not user-friendly, with no Reject All button available on the first layer. After the controller essentially ignored my complaints, the ICO eventually upheld my complaints and told the controller to add a Reject All button (see their full outcome below). Is the ICO finally doing something about non-compliance with the cookie consent rules?