UK ICO Call for Reject All Button on Cookie Banners: Navigating Compliance and Privacy

UniConsent


The announcement from the UK ICO, dated November 21, 2023, highlights a significant warning issued by the Information Commissioner to some of the leading websites in the United Kingdom. The warning requires these websites to make essential changes to their handling of cookies to align with data protection laws. The Commissioner has explicitly cautioned that failure to implement these changes could result in enforcement action against the non-compliant websites. The announcement underscores the growing emphasis on ensuring that top-tier websites adhere to stringent data protection regulations, and the regulatory authority's commitment to upholding privacy standards in the digital landscape.


The Regulatory Shift

In a bid to fortify user privacy and elevate transparency in the digital realm, the UK's Information Commissioner's Office (ICO) and the Competition & Markets Authority (CMA) have jointly issued a resounding call to action. Through a blog post and a comprehensive paper titled "Harmful Design in Digital Markets," the regulatory bodies underscore the significance of addressing harmful design practices in cookie consent banners. Central to this directive is the insistence on the integration of a "Reject All" button within websites, signifying a pivotal shift with far-reaching implications for businesses, especially those entrenched in digital marketing and publishing.

The Urgent Need for Change

At the heart of the ICO and CMA's initiative is the imperative to ensure that users have an equal and straightforward ability to reject non-essential cookies as they do to accept them. The outlined harmful practices include nudging users towards personal data collection, confirm-shaming tactics, biased framing, bundled consent for multiple purposes, and default settings that compromise privacy. The recommended remedy involves the incorporation of a prominently displayed "Reject All" button on the initial layer of consent banners, mirroring the visibility of the "Accept All" option.

Swift Action and Potential Enforcement

Compliance becomes paramount for companies operating in the UK, with the ICO signaling a proactive approach to enforcement. The initial focus will be on the most frequented websites, potentially impacting large publishers, social media platforms, and popular brands. While no specific cutoff is defined, being among the top 100 sites in the UK in terms of web visits is indicative of increased scrutiny.

Is a "Reject All" button mandated by the updated IAB TCF 2.2 Policies?

The updated TCF Policies do not necessitate CMPs to include a specific call to action enabling users to decline consent directly from the initial layer of their user interfaces (UIs). In instances where the TCF policies do not explicitly address certain requirements, publishers are strongly advised to stay informed about the specific guidelines outlined by their local Data Protection Authority. It is crucial for publishers to remain vigilant and act in accordance with these local regulations to ensure comprehensive compliance beyond the scope of the TCF policies.

While IAB TCF provides a standardized approach aligned with GDPR and the ePrivacy Directive, the ICO's local guidance takes precedence. Organizations should brace themselves to adhere to the ICO's recommendations, even if they deviate from TCF norms.

Interpreting "Reject All" and Impact Assessment

Implementing a "Reject All" button prompts critical questions about its interpretation within the realm of consent strings. Two primary interpretations include a "Reject All" state prohibiting the collection of personal data for ads and a "Legitimate Interest Only" stance allowing data collection for declared legitimate interests. With testing indicating rejection rates between 20% and 30%, the potential impact on online revenue demands careful consideration and strategic planning.

Unpacking ICO's Warning to Top Websites

Recent statements from the ICO underscore the urgency of compliance. Websites failing to offer fair choices regarding personalized advertising tracking face enforcement action. The ICO has written to companies overseeing the UK's most visited websites, outlining concerns and providing a 30-day window for compliance adjustments.

Stephen Almond, ICO Executive Director of Regulatory Risk, emphasizes the need for change, citing instances where targeted ads intrude upon personal experiences. The ICO's imminent update in January will shed light on companies that have not addressed these concerns, forming part of a broader initiative to safeguard individuals' rights within the online advertising industry.

"Consent or Pay" and "Consent or Sign Up" models

In addition to the warning issued by the Information Commissioner to some of the UK's prominent websites regarding compliance with data protection laws, there's an intriguing development for publishers seeking a seamless transition. Publishers now have the opportunity to integrate with the UniConsent CMP API, a solution designed to facilitate the implementation of consent models such as "Consent or Pay" and "Consent or Sign Up."

This integration brings a new level of ease for publishers, offering a straightforward pathway to adopt innovative models in collaboration with Transfon's CIAM (Customer Identity and Access Management) and paywall product, UniSignIn. The interoperability of the UniConsent CMP API allows for a harmonious integration process with not only UniSignIn but also other CIAM and paywall products available in the market.

The "Consent or Pay" model, proven successful in Germany and now available for integration, enables users to choose between allowing targeted advertising or opting for an ad-free experience through a subscription fee. Similarly, the "Consent or Sign Up" model provides users with the option to consent to data collection in exchange for an enhanced user experience or the opportunity to sign up for additional services.

This development marks a significant stride for publishers, as it provides a practical and efficient means of implementing these consent models. The integration with the UniConsent CMP API ensures that publishers can seamlessly navigate the complexities of compliance while enhancing user engagement and privacy standards. As the digital landscape evolves, this integration offers a tailored solution for publishers to meet the requirements set forth by the Information Commissioner's warning, further solidifying the commitment to responsible data practices.

In conclusion, the ICO's call for a "Reject All" button signifies a significant stride towards fortifying user control over personal information. Businesses operating in the digital sphere must pivot swiftly to align with these guidelines, exploring alternative models if necessary, to strike a delicate balance between user privacy and sustainable revenue. The landscape is evolving, and proactive engagement with DSP and SSP partners remains crucial to understanding potential consentless advertising solutions in development. As the digital terrain undergoes transformation, adaptation becomes the key to navigating this new era of privacy-centric practices and regulatory mandates.

About UniConsent

UniConsent is part of the Transfon User Experience Platform, which serves tens of millions of users per day and provides a seamless experience for both users and publishers in the post-GDPR era. Contact us to learn more: hello@uniconsent.com
