Oh crumbs: the ICO reprimands Sky Bet for cookie failures and signals wider cookie crackdown
On 17 September 2024, the UK Information Commissioner's Office ("ICO") published details of a reprimand issued earlier this month to Sky Betting and Gaming ("SkyBet"), in connection with non-compliance regarding the manner in which advertising cookies were placed on devices of users of SkyBet's website. The ICO held that this amounted to unlawful processing of personal data.
This reprimand and the regulatory context in which it was made (with the ICO being vocal about pursuing this issue) should serve to put companies "on notice" in respect of their use of cookies and other tracking mechanisms.
What was the breach and what did the ICO do about it?
In October 2022, the ICO opened a regulatory investigation into SkyBet, off the back of a report commissioned and published by a gambling pressure group covering digital profiling in the online gambling industry more generally.
In the course of carrying out its investigation, the ICO identified that between 10 January 2023 and 3 March 2023, web users visiting the SkyBet website (skybet.com) had had third-party ad-tracking cookies placed on their devices, prior to having any opportunity to give or withhold consent for the processing of their personal data.
Users were presented with a cookie banner on arrival to the SkyBet website. However, before the cookie banner had loaded or the user had had any chance to indicate their preferences via the banner, around 40 individual cookies, which would gather personal data relating to the user, had already been placed on the user's device. This was being accomplished via an ad-tracking "pixel" belonging to a third-party demand-side platform by the name of MediaMath, which was embedded in the SkyBet website.
This issue was rectified on the SkyBet website within 24 hours of it being brought to SkyBet's attention by the ICO in early March 2023. Nevertheless, the ICO found that SkyBet had breached aspects of Articles 5, 6 and 7 of the UK GDPR. The ICO held that SkyBet had decided to rely on consent as the lawful processing basis under which it would process users' personal data, but then – by placing tracking cookies without prior consent – it did not meet the conditions required for that processing basis. It was also found that SkyBet had failed to process personal data lawfully, fairly and in a transparent manner, as required under the UK GDPR. Interestingly, the reprimand does not mention the fact that the failure to obtain consent before placing cookies is also a breach of the Privacy and Electronic Communications Regulations or PECR, focusing instead on the related UK GDPR breaches.
Wider ICO emphasis
In its announcement of the reprimand issued against SkyBet, the ICO also highlighted its wider programme of work on cookie non-compliance (of which the investigation into SkyBet formed just one part). It described its efforts as "working to crack down on websites that do not offer people a fair and informed choice over whether they want their personal information to be used for targeted advertising".
As part of this, the ICO carried out a review of the UK's top 100 websites last year, reaching the eyebrow-raising conclusion that of these 100 sites, more than half (53) were non-compliant in one or more aspects of how they sought, and ostensibly obtained, user consent to the gathering (via cookies and similar technologies) of personal data for advertising purposes.
This review focused particularly on three types of non-compliant practice:
- placing non-essential cookies on a user's device before the user responds to the request for consent, as was the case with SkyBet;
- cookie banners with user interface features that had the effect of making it harder for a user to withhold consent than to give it – for example, providing a single "accept all cookies" button, but not including an equivalent "reject all" button, or requiring a user wishing to withhold consent to "untick" several different boxes; and
- placing non-essential cookies on users' devices even if the user withheld consent via the cookie banner.
The ICO then pursued an engagement process with those websites it had identified as non-compliant following its review. It has expressed its satisfaction with the level of engagement it received from the majority of respondents, as well as with the ultimate outcome, with 99 out of those 100 websites having implemented changes in response.
The single "outlier" website which, in the ICO's view, failed to engage in the process and to implement any changes is named in the announcement. Notably, in the same announcement, the ICO states unequivocally that this website "will now be investigated for its use of cookies and apparent failure to register with the regulator."
Consequences and considerations for companies generally
As the ICO identified non-compliant practices in more than half of the UK's top websites prior to its intervention, it seems likely that a similar review of other UK websites would yield similar, if not more pronounced, levels of cookie non-compliance. With the ICO clearly signalling that it is not finished, it is equally likely that the regulator's scrutiny in this area will extend further still. The ICO has spoken about using automated scanning tools to expand its capacity to check sites' cookie law compliance.
In this context, companies should review their compliance with the relevant requirements and ensure none of the specific issues mentioned above are present or in action on their own websites. If, following this, any non-compliance is identified, companies would be well-advised to take proactive steps to rectify their cookie practices before they attract the attention of the ICO. Cookie compliance has also been under scrutiny in the EU, for example with the cookie "taskforce" set up by the European Data Protection Board.
It is notable that the ICO has looked favourably on constructive engagement and prompt remediation of issues. Conversely, failure to engage with the ICO and its "call to action" may very well lead to a formal regulatory investigation, with the prospect of regulatory sanctions and all the associated reputational and financial risks.
Authors
- Katie Hewson, partner
- Joanne Elieli, partner
- Doug Henderson, trainee solicitor