ICO reprimands Sky Betting and Gaming for using non-essential cookies without users’ consent

The question

What proactive steps should website operators take to ensure that their use of cookies complies with UK data protection law?  Put another way, are you sure personal data is not being collected by your website’s advertising cookies before users have consented to their deployment?

The key takeaway

The UK’s Information Commissioner’s Office (ICO) is stepping up enforcement in the area of cookie use. The action against Sky Betting and Gaming (Sky Betting) reminds organisations of the need for care over the use of cookies on their websites, including those used for advertising purposes. Website visitors must always be given information about cookies, and the option to accept or decline non-essential cookies, before the cookies are placed or any personal data derived from them is processed or shared with third parties.

The background

Following a report by the campaign charity Clean Up Gambling, an investigation was conducted by the ICO into the use of consumers’ personal information by Sky Betting. Although a pop-up cookie banner appeared when users first visited Sky Betting’s SkyBet website and which allowed them to “accept All Cookies”, the ICO found that some advertising cookies were actually placed (and personal data transferred to third parties) as soon as website visitors accessed the site and before they could choose to consent to the use of these cookies.

The development

In September 2024, the ICO issued a reprimand to Sky Betting for unlawfully processing consumers’ data in a seven-week period from January to March 2023. The placement of advertising cookies enabled website visitors’ personal information to be processed by third party adtech providers without the individuals’ consent. Although the ICO concluded that this was not deliberate, processing personal data in this way was not lawful or fair under the UK GDPR and it issued the reprimand on the basis of infringements of Article 5(1)(a) (lawful, fair and transparent processing), Article 6(1)(a) (consent) and Article 7(1) (controller to demonstrate consent). Notably, the ICO enforcement notice solely focuses on the UK GDPR, rather than also referring to the cookie consent provisions in PECR.

As part of its decision to issue the reprimand, the ICO examined the potentially harmful impacts resulting from Sky Betting’s infringements, such as loss of freedom of choice and privacy intrusion, which the ICO viewed as heightened in respect of gambling websites. In processing personal data before giving users the opportunity to consent, the ICO alluded to concerns over facilitating gambling addictions through targeted ads to vulnerable data subjects. The ICO also took into account Sky Betting’s existing processes, such as account set-up checks for underage and self-excluded gamblers and removal of certain individuals (such as those near or at their spending limit) from marketing lists, as well as the contractual terms of Sky Betting’s agreement with the relevant demand side platform, which contained restrictions on the use of personal data and information conveyed about data subjects.

The ICO recommended that Sky Betting reviews its processes to ensure compliance with the UK GDPR and obtains valid consent from users before placing non-essential cookies. Any failure by Sky Betting to comply with the law as set out in the ICO’s reprimand may also be taken into account as an aggravating factor should the ICO conduct future investigations against Sky Betting for data protection infringements.

Why is this important?

The ICO is increasing its monitoring of the use of cookies and other tracking technologies. This issue has also been a focus of EU regulators, for example in Belgium (against Mediahuis) and in France (against Yahoo). In a press release, the ICO Deputy Commissioner Stephen Bonner indicated that enforcement action against Sky Betting is a warning for organisations who breach the law and deny consumers the choice of whether to enable targeted advertising.

As part of its strategy to improve compliance, the ICO recently reviewed how the top 100 websites in the UK were using advertising cookies. It wrote to 53 of these websites to warn them of enforcement action if they did not change how users’ data is processed. 52 of these websites either fixed the infringing issue or took steps to resolve it. The ICO has said it is planning to review the next 100 websites (“and the 100 after that”) on the same basis.

By issuing its reprimand against Sky Betting, the ICO has exposed the consequences of the unlawful use of non-essential cookies, even where an organisation has not deliberately misused website users’ personal data. Organisations using advertising cookies and similar technologies on their websites and apps should be aware of the ICO’s willingness to scrutinise non-compliance, which may occur in the absence of a specific individual complaint.

Any practical tips?

This development underlines the importance for businesses to proactively review how cookies on their websites are actually operating, and critically to actively ensure that non-essential advertising cookies are not placed before a user has given their consent. They should also keep an eye out for guidance from the ICO on the use of cookies and similar technologies which is expected to follow.

Winter 2024