As the next stage in its campaign to “crack down” on websites which aren't complying with the law around advertising cookies the ICO has publicised its enforcement action against an on-line gambling website, as “a warning that there will be consequences if organisations breach the law”.
An interesting aspect of the decision is that the enforcement action is framed as relating to infringements of Articles 5(1)(a), 6(1)(a) and 7(1) of the UK GDPR, whereas the requirement to obtain prior consent for the deployment of cookies originates under the Privacy and Electronic Communications Regulations ("PECR").
The violation was possibly unintentional, as the website had a pop-up consent to cookies, but an investigation revealed that some cookies were deployed before this pop-up was displayed (so before any consent had been obtained). In addition, the website operator moved rapidly to comply once it received a notice from the ICO, rectifying the issue on the following day. Given this background, it seems likely that the ICO chose to focus on the GDPR aspects because this enabled it to use the “softer” option of a reprimand, which does not exist in relation to PECR.
However it is worth noting for the future that this approach also opens up the possibility of using the monetary penalties of GDPR for data processing relating to cookies, which are significantly higher than the £500,000 maximum for PECR infringements. It is perhaps for this reason that the decision notice describes the action as “effective, proportionate and dissuasive”.
/Passle/5f3d6e345354880e28b1fb63/MediaLibrary/Images/2024-08-23-11-31-07-354-66c872fb971eecc249d83d40.png)
/Passle/5f3d6e345354880e28b1fb63/SearchServiceImages/2024-09-12-14-41-56-235-66e2fdb4606007ce058bc8ed.jpg)
/Passle/5f3d6e345354880e28b1fb63/SearchServiceImages/2024-09-11-11-20-22-122-66e17cf6fd5f6342208caac2.jpg)