Premium

UK data regulator admits its own website does not conform to GDPR

Elizabeth Denham, the Information Commissioner. The ICO is to upgrade its cookie tools next week. 
Elizabeth Denham, the Information Commissioner. The ICO is to upgrade its cookie tools next week.  Credit: Paul Cooper 

The UK’s privacy regulator’s own website does not conform to GDPR, the authority has admitted.

The Information Commissioner’s Office admitted that its use of cookies, small tracking files used to record information about visits to a website, was not up to standards set by the EU’s strict privacy laws

The GDPR requires organisations to ask permission before placing these files on someone’s computer, but the ICO’s own website says it relies on “implied consent”. 

Adam Rose, a lawyer at Mishcon de Reya, uncovered the flaw after sending in a complaint to the organisation about cookies. 

In an email sent to him the ICO said: “I acknowledge that the current cookies consent notice on our website doesn’t meet the required GDPR standard,” and adds that it is in the “process of updating” its procedures to comply.

The GDPR, or General Data Protection Regulation, came into force over a year ago, and caused many businesses to spend thousands of pounds updating their systems in order to ensure that they were compliant. 

The law is particularly stringent on the issue of consent, which must be unambiguous and given with the consumer’s full knowledge of what they are agreeing to.

Tough penalties for failing to comply range from €10m (£8.95m), or 2pc of a company’s revenue, to €20m or 4pc of its revenue. 

Lawyers and industry experts said the policy suggested the authority, which enforces GDPR in the UK, had failed to conform to the standards it is meant to be upholding. 

“Cookie pop ups that 'assume' consent or that are not clear or that do not give an easy option to decline the cookies are arguably in breach of the rules, and this shows that even the regulator is not immune from the complexities of getting website notices right,” said Rafi Azim-Khan, a partner at Pillsbury Law. 

“Given the amount of effort some people go to to comply, it's deeply ironic that @ICOnews are lacking in their cookie policy,” said Simon R Jones, a Cambridge-based developer, on Twitter.

The ICO said it had been "open for some time" about the cookie tools and confirmed that it would be updating them from next Monday June 24.

It said it would also be publishing “updated, detailed guidance on cookies for organisations soon.”