Navigating the Shifting Tides of Cookie Law: Recent Developments from ICO and EU Regulators


In the ever-evolving landscape of data protection and privacy, the past month has seen significant developments in the realm of ‘cookie law.’ Both the Information Commissioner’s Office (ICO) in the UK and the European Data Protection Board (EDPB) have issued crucial statements regarding website compliance and the use of cookies. 

ICO’s Call to Action 

On 21st November 2023, the ICO took a decisive step by issuing a statement directed at companies operating some of the UK’s most visited websites. The focus was on ensuring compliance with data protection laws when utilising cookies. 

According to the ICO, many websites are falling short in providing users with fair choices regarding tracking preferences. One notable recommendation from the ICO is the emphasis on simplifying user options, particularly by offering a clear and easily accessible “Reject All” choice for advertising cookies.  

Companies that received this communication from the ICO have been given a 30-day window to update their websites and align them with the legal requirements. The ICO has further hinted at potential consequences for those who fail to comply with the directives. An ominous statement warns companies that they face a clear choice: make the necessary changes promptly or be prepared to face the consequences. An update is promised in January, which will likely include details of companies that have not addressed the ICO’s concerns. 

EDPB’s Expanded Guidelines 

Just days earlier, on 14th November, the European Data Protection Board added to the regulatory discourse by publishing new guidelines related to Article 5(3) of the e-Privacy Directive. This directive, still applicable to the UK through the Privacy and Electronic Communications Regulations (PECR), outlines the rules regarding the use of cookies and similar technologies. 

The EDPB clarified that the scope of Article 5(3) extends beyond traditional cookies to include other tracking technologies such as URL and pixel tracking. These cover tracking pixels used to determine whether an email has been opened, and tracking links used by websites to identify the origin of traffic, which is crucial for marketing attribution.

Consent is Key 

A key takeaway from the EDPB’s guidelines is the insistence on obtaining prior, opt-in consent for deploying such technologies. This means that organisations using cookies or similar tracking mechanisms must secure user consent before accessing or storing information, unless it can be demonstrated that such access is strictly necessary for delivering the digital service. 

As we enter a new era of digital privacy, the ICO’s call for immediate action and the EDPB’s expanded guidelines underscore the growing importance of transparent and user-friendly approaches to cookie usage. Website operators must navigate these evolving regulations carefully, ensuring not only compliance with the law but also respecting user privacy through clear and easily accessible choices. The message from regulators is clear: adapt now or face the consequences in an era where data protection is paramount. 
