UK GDPR – cookies, consent, and the use of personal data
The Information Commissioner’s Office (ICO) recently issued a reprimand to Bonne Terre Limited (trading as ‘Sky Betting and Gaming’) for unlawfully processing and sharing consumer data with third-party advertising technology companies between January and March 2023.
Reportedly, user data was processed as soon as users accessed the SkyBet website, before they were given the opportunity to accept or reject the relevant ‘cookies’ or to consent to the use of their data. Personal information collected in this way was then used to generate personalised advertising. This was a breach of the UK General Data Protection Regulation (UK GDPR).
In this article we provide an overview of what ‘cookies’ are, discuss the general data protection requirements imposed on companies by the UK GDPR – with a particular focus on the requirements relating to consent – and highlight some of the potential consequences for breaching UK GDPR rules.
Cookies
‘Cookies’ are small text files that a website sets in the user’s browser and that the browser sends back with later requests to that site. They can hold identifiers or settings that allow a site to recognise a returning browser and so record information such as website traffic and browsing behaviour. Cookies are either ‘session cookies’ (held only until the browser session ends, and not written to disk) or ‘persistent cookies’ (given an expiry date or maximum age, and stored for future visits).
Though the use of cookies can allow websites to operate more efficiently, companies can, in certain circumstances, utilise personal data obtained through cookies in other ways, such as for user profiling or targeted advertising (as was the case with Sky Betting and Gaming). Users may object to companies using their data in these ways, and it is therefore important that companies comply with their UK GDPR obligations.
UK GDPR
Four key definitions should be considered in the context of the UK GDPR:
- Personal data – any information relating to an identified or identifiable living individual, whether it identifies them directly (a name, an e-mail address) or indirectly (an online identifier such as a cookie ID or IP address, taken together with other information). Under the UK GDPR rules, all ‘personal data’ is protected.
- Data Subject – a person to whom personal data relates.
- Controller – any person or company that determines the purposes and means of processing personal data (‘processing’ covering collecting, recording, storing, using, disclosing, or erasing it).
- Processor – any person or company that processes personal data on behalf of a Controller.
Most UK GDPR obligations fall on Controllers. These obligations are based on several key principles, for example, personal data must be processed in a lawful, fair, and transparent manner, and only be collected for specified, explicit and legitimate purposes.
Consent
A vital consideration for any company that operates a website is the stringent set of requirements relating to the consent of Data Subjects. Consent is one of the lawful bases on which personal data may be processed, and it is the basis that applies to non-essential cookies and to the profiling and advertising built on them (the requirement to obtain consent before setting non-essential cookies comes from the Privacy and Electronic Communications Regulations (PECR), which sit alongside the UK GDPR). Where a Controller relies on consent, it must be obtained before the processing starts, and the Controller must be able to demonstrate that it was freely given, specific, informed and unambiguous.
In the context of commercial contracts, companies should be mindful that, where the performance of a contract is made conditional on consent being given by a Data Subject to the processing of their personal data, but the processing of that data is not necessary for the performance of the contract, it is presumed that consent was not ‘freely given’.
Data Subjects must also have the right to withdraw their consent at any time (and they must be informed of this right), and withdrawing consent must be as easy as giving it. For example, if a website user is given the option to ‘accept all’ cookies, they must also be given an option to ‘reject all’ cookies that is presented in the same way, at the same point, and without additional barriers (such as a further screen or extra clicks).
In an online context, valid consent may be obtained, for example, by users actively ticking a box (or boxes) when they first access a website. Pre-ticked boxes, the absence of any selection, continued browsing, and user inactivity do not constitute valid consent, and no non-essential cookie may be set, and no data from it processed, until a positive choice has been made.
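To make the consent rules above concrete for an engineer building the site, the following is an added example and is not code from the original article, from Sky Betting and Gaming, or from the ICO. It models a consent gate: nothing is pre-ticked, only strictly necessary scripts run until the user decides, ‘accept all’, ‘reject all’ and withdrawal are each a single action, and the decision is stored in a cookie that is persistent (Max-Age) or session-only (no Max-Age), illustrating the two cookie types from the Cookies section. The names (CATEGORIES, SCRIPTS, createConsentState, recordChoice, allowedScripts, consentCookieHeader, consentFromCookie) and the placeholder script URLs are this example’s own assumptions.

```javascript
// Added example: a minimal consent gate for non-essential cookies/scripts.
// Names, categories and script URLs are illustrative assumptions, not a real site's code.

// "necessary" needs no consent; the other two may only run after a positive choice.
const CATEGORIES = Object.freeze(["necessary", "analytics", "advertising"]);

// Tags the site could load, keyed by the category that governs each one.
// The URLs are constructed placeholders, not real vendor endpoints.
const SCRIPTS = Object.freeze([
  { src: "/js/session.js",                 category: "necessary" },
  { src: "https://analytics.example/a.js", category: "analytics" },
  { src: "https://ads.example/pixel.js",   category: "advertising" },
]);

// Initial state: no decision recorded. Non-essential categories are null (undecided),
// never true, so there is no pre-ticked box and inactivity unlocks nothing.
function createConsentState() {
  return { decided: false, choices: { necessary: true, analytics: null, advertising: null } };
}

// Record an explicit choice. `accepted` lists the non-essential categories the user ticked;
// every other category is refused. [] is "reject all"; all non-essential categories is
// "accept all". Both are one call, so rejecting is exactly as easy as accepting.
function recordChoice(accepted) {
  for (const c of accepted) {
    if (!CATEGORIES.includes(c) || c === "necessary") throw new Error(`bad category: ${c}`);
  }
  const choices = { necessary: true };
  for (const c of CATEGORIES) if (c !== "necessary") choices[c] = accepted.includes(c);
  return { decided: true, choices };
}

function acceptAll() { return recordChoice(CATEGORIES.filter((c) => c !== "necessary")); }
function rejectAll() { return recordChoice([]); }
// Withdrawal is the same single action as rejecting; the caller then re-issues the cookie.
function withdrawConsent() { return rejectAll(); }

// Which scripts may load right now. Only categories explicitly set to true pass;
// null (undecided) and false (refused) are both blocked.
function allowedScripts(state) {
  return SCRIPTS.filter((s) => state.choices[s.category] === true).map((s) => s.src);
}

// The anti-pattern: load every tag on page load regardless of consent.
function allowedScriptsUnsafe() {
  return SCRIPTS.map((s) => s.src);
}

// Build the Set-Cookie header that stores the decision. With a Max-Age the cookie is
// persistent (survives closing the browser); with maxAgeSeconds === null it is a
// session cookie and vanishes when the browser session ends.
function consentCookieHeader(state, maxAgeSeconds = 180 * 24 * 3600) {
  if (!state.decided) throw new Error("no decision to persist");
  const value = encodeURIComponent(JSON.stringify(state.choices));
  const age = maxAgeSeconds === null ? "" : `; Max-Age=${maxAgeSeconds}`;
  return `consent=${value}${age}; Path=/; Secure; SameSite=Lax`;
}

// Parse the Cookie request header on a later visit. A missing or malformed cookie
// falls back to "undecided", never to "consented".
function consentFromCookie(cookieHeader) {
  const m = /(?:^|;\s*)consent=([^;]*)/.exec(cookieHeader || "");
  if (!m) return createConsentState();
  try {
    const stored = JSON.parse(decodeURIComponent(m[1]));
    const accepted = CATEGORIES.filter((c) => c !== "necessary" && stored[c] === true);
    return recordChoice(accepted);
  } catch (_err) {
    return createConsentState();
  }
}
```

A real deployment attaches `acceptAll`, `rejectAll` and the per-category `recordChoice` to buttons of equal prominence in the banner, calls `allowedScripts` before injecting any `<script>` tag, and never calls `allowedScriptsUnsafe`; the reprimand described above is what the unsafe path looks like in practice.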
Enforcement – ICO powers
The ICO possesses wide investigative, corrective, authorisation and advisory powers in relation to breaches of the UK GDPR. The ICO’s corrective powers include:
Reprimands – The ICO may issue a formal letter stating that it believes an organisation has not complied with the UK GDPR. This often includes a list of recommended actions that should be taken by the organisation in order to be compliant with the UK GDPR. A reprimand is typically issued where an infringement is not serious enough to warrant a fine.
Administrative Fines – A fine may be issued in addition to other enforcement measures. Under the UK GDPR, the maximum fine is £17,500,000 or 4% of total worldwide annual turnover, whichever is higher.
As the reprimand issued to Sky Betting and Gaming demonstrates, even commercial entities with abundant resources may find themselves in breach of the UK GDPR. A reprimand may not sound overly serious; administrative fines, however, can be severe, especially for smaller companies. Companies should therefore be mindful of their ongoing obligations in relation to the collection and use of personal data, and should not underestimate either the importance of processing personal data lawfully or the ease with which the UK GDPR may be breached: in the Sky Betting and Gaming case, the infringement was that data was processed and shared before users had been given any choice.
Should you have any queries in relation to your company’s obligations in relation to processing personal data under the UK GDPR, or data protection law generally, please do not hesitate to contact a member of our Data Protection team who would be happy to assist.