It’s been a busy start to 2024 at the Information Commissioner’s Office (ICO). On top of launching a consultation on the legal implications of generative AI, the UK regulator continues to wrestle with the significant impact of Google’s Privacy Sandbox on data protection.
In late November, the ICO issued a final warning to 53 of the UK’s 100 most frequented websites to make changes to their cookie policy in line with data protection laws within 30 days, or face consequences. Thirty-eight of them have since changed their cookie banners to comply; others are close on their heels, whilst some are developing alternative solutions.
No one likes change, particularly that which threatens existing business models, and there have been predictable grumbles from those in the publishing fraternity on this ‘new’ set of obligations.
ICO privacy warnings set out three key criteria
No one can accuse the ICO of lacking patience or blindsiding the online media industry. Over the years, the ICO has taken great pains to ensure data protection compliance within digital marketing through multiple consultations and guidance reports. In the warning letters sent by the ICO, they reiterated that publishers must adhere to the following three criteria within the 30-day period:
Websites must not activate any advertising tracking technologies, nor access or store third-party cookie data without the consent of the user.
Websites must respect that the user holds the power to withhold and withdraw their consent, and must honour these in practice. To achieve this, publishers needed to ensure their consent management tools (CMPs) were functioning correctly and effectively.
Likely the most significant call to action was the need for publishers to present a clear ‘Reject All’ option that is as prominent as the ‘Accept All’ cookies option when users visit the sites.
Despite cracking down on user tracking with an iron fist, the ICO can hardly be labelled as anti-advertising privacy zealots. The regulator is responsible for enforcing the UK GDPR and ePrivacy Directive (PECR), and their actions are well within this remit. Since the letters went out, they have taken demonstrative actions to engage the industry and help mediate the changes.
Moreover, the ICO has made it clear that their efforts are not limited to the top 100 websites alone. As mentioned in the latest update, they are already preparing to write to the next 100 – and the 100 after that.
To scrutinise such a high volume of publishers, the ICO has said that they are developing an AI solution. This is the key point all publishers, big and small, should take note of. To better understand how this works, we’ll have to wait for the regulator’s promised ‘hackathon’ event this year.
Publishers looking for privacy ‘solid ground’
With the threat of a significant loss of consented traffic, publishers are naturally seeking greater clarity from the ICO and exploring new solutions to fill the potential dip in revenue. However, any new compliant solutions will require time and significant resources to develop, so publishers are looking for ‘solid ground’ before undertaking any major investment.
Across much of Europe, regulators have been steps ahead of the UK on the issue of dark patterns, and the industry has already started exploring alternative approaches. For example, the PUR or ‘Pay or Consent’ model has gained some traction with European publishers.
For all intents and purposes, each EU Data Protection Authority (DPA) has spent the last five years constructing its own interpretation of GDPR, which unsurprisingly is creating more grey areas than not. It’s therefore understandable that publishers are seeking clarity on what tracking use cases are still allowed and what are not.
Although the guidance varies by market, 12 DPAs have already issued their guidance on ‘Pay or Consent’. This is something that is likely already on the list for the ICO to investigate, to ensure that the model works in practice, and that it’s a workable solution, with the least friction for both publishers and users.
Luckily, publishers might get the clarity they’re seeking on how alternative models can be implemented in compliance with the law as early as this month.
‘Challenging year’ for publishers ahead
Publishers face a privacy conundrum — track consumer data and risk alienating readers, or abstain and jeopardise financial stability.
Regulations like GDPR have forced publishers to rethink tracking methods and turn to the likes of contextual advertising and anonymised data analysis. Even if they’re not using data tracking for ad targeting, many publishers argue that they will still need some level of tracking for other use cases, such as brand safety, verification and fraud detection. Some DPAs, including Spain and Finland, agree that these use cases can be deemed legitimate for processing.
Similarly, the ICO needs to recognise and educate themselves on the various use cases of online tracking apart from ad personalisation and formulate their guidance accordingly. For publishers, this goes beyond complying with ICO action and has more to do with the issue of tracking as a whole and recognising the need for coherent tracking strategies.
There is still some hope that the forthcoming UK Data Protection and Digital Information Bill will offer much-needed guidance on what is acceptable. As publishers retreat into their bunkers to plan their strategies, this could be the impetus for the industry to collaborate to formulate unified solutions for regulators and buyers.
Looking at the 2024 privacy roadmap, things will get a lot more complex for publishers. Along with the implementation of Google’s Privacy Sandbox and the integration of new ID solutions, the global regulatory playing field is going to take a lot of work to navigate.
Add to this new UK legislation, continued US state fragmentation and a myriad of niche vertical regulations covering a range of sensitive data topics, and it’s looking like a challenging year for publishers, with change being the only constant.