By Charlotte Halford


Publish 11 January 2024


The ICO has published an example of the cautionary letter it issued to selected companies in November warning them to ensure their use of advertising cookies complies with data protection law.

In our December newsletter, as part of our commentary on the crackdown on cookies across Europe, we highlighted the warning issued by the ICO in November. Shortly after publication of our newsletter, the ICO elected to publish the letter in full to enable all companies to see their advice. The letter is noteworthy for any companies which have use cookies on their website, and also serves as a clear indication that the ICO is taking the prospect of action against companies seriously.

The letter confirms that the ICO had undertaken assessments of cookie banners on the top 100 UK websites (based on active time spent by UK visitors) to check whether:

  • non-essential advertising cookies are placed before the user has the opportunity to provide consent;
  • users can reject non-essential advertising cookies as easily as they can accept them; and
  • non-essential advertising cookies are placed even if the user did not consent to such cookies.

Other areas of compliance with data protection and e-privacy legislation were not assessed.

The anonymised letter sets out which of the three circumstances may have been applicable to the particular website, with screenshots provided to each relevant company.

As part of their response, the companies contacted were asked to address the specific concerns within one month of the letter (dated 15 November 2023), thus bringing their cookie banner into compliance with the requirements of PECR and UK GDPR. Companies were given the opportunity to seek an effective extension provided they could set out the steps they would undertake and the timescales for doing so.

The ICO concludes that further assessments will be completed, and dependent on the outcome, further action may be taken. The ICO highlights that it has been working with the Competition and Markets Authority on harmful website designs (which we commented on here), and that the publication of names of companies with deficient sites is considered to be an appropriate step. We await the potential publication of companies failing their obligations with interest.

Aside from the regulatory enforcement risk associated with cookies non-compliance, there is also the risk of claims from individuals. As we noted previously, DAC Beachcroft has handled numerous compensation claims brought by individuals alleging that they have suffered harm as a result of cookies being placed on their device, without their consent. However, importantly, there is no entitlement for compensation for simply a technical breach of PECR / UK GDPR, any claimant must provide evidence of the material damage that they have suffered as a result of the breach, and that damage must exceed the "de minimis".

The letter can be found here.