norm. data protection bulletin: 04th December 2023


ICO & EU Regulators focus on cookies and other similar technologies

This month, both the ICO and EU regulators have issued important statements about ‘cookie law’ and website compliance.

On 21 November 2023, the ICO issued a statement that it has recently written to companies operating some of the UK’s most visited websites regarding their compliance with data protection laws when using cookies. 

The ICO says websites are often not providing users with fair choices as to whether or not they are tracked and has referred to the need to make it simple for users to “Reject All” advertising cookies. Companies that received this communication from the ICO apparently have 30 days to update their websites to bring them into compliance with the law.

The ICO says it will provide an update about this in January – which will include details of companies that have not addressed its concerns. Rather ominously, the ICO says “We’re giving companies … a clear choice: make the changes now, or face the consequences.”

On 14 November, the European Data Protection Board published new guidelines on the scope of Article 5(3) of the e-Privacy Directive (which still applies to the UK via the Privacy and Electronic Communications Regulations (PECR)). The guidelines clarify that other similar technologies, as well as cookies, are caught by the rule, e.g. URL and pixel tracking: tracking pixels used to ascertain whether an email has been opened, or tracking links used by websites to identify the origin of traffic to the website, such as for marketing attribution.

Please note, where a technology is caught by the rule, the organisation deploying that technology must obtain prior, opt-in consent before accessing or storing the information, unless the company can demonstrate that the storage of, or access to, the information is strictly necessary for the purpose of delivering the digital service. 

Comment: The use of cookies (and similar technologies) on websites has been a matter of increasing concern to regulators for some time. It seems that the ICO may have decided that the ‘carrot’ approach isn’t working and has started using the ‘stick’.


  • If you have received a letter from the ICO please pass this on to us immediately.
  • If your website is using any technologies in addition to cookies to track users, please ask your colleagues responsible for your website to let us know about these.
  • Your DPO team will soon carry out an exercise to check your website. We will let you know whether we consider it complies with data protection/ePrivacy laws when using cookies (and any other similar technologies that you make us aware of).
