The Information Commissioner’s Office has admitted to the use of cookies on devices has failed to meet the required GDPR standard.

Uncovered by Adam Rose, a lawyer at Mishcon de Reya, a complaint was sent to the ICO regarding the cookies on their website. Rose argued that the cookies was in breach of Article 6 of the Privacy and Electronic Communications Regulations (PECR) 2003 – which sits alongside the EU General Data Protection Regulation (GDPR).

In an email back to Rose, the ICO responded stating:

“I acknowledge that the current cookies consent notice on our website doesn’t meet the required GDPR standard. We are currently in the process of updating this.”

The email went on to state that amendments will be made during the week commencing 24 June.

Matt Lock, Director of Sales Engineer at Varonis commented:

“That the ICO dropped the ball in following its own rules, then admitted to their mistake is admirable. The ICO isn’t the first organization to be confused by the wording and the requirements of the GDPR, and it certainly won’t be the last. The news shows that additional clarification and guidance would not only be helpful, but necessary.

“In the months leading up to the GDPR, companies pored over the regulation to update their websites and policies. Along the way, they needed to make sense of rather ambiguous wording. The ICO’s missteps are an opportunity for them to teach others and provide more accessible language around the GDPR.”

The ICO’s admission to the mistake has drawn the attention of industry experts stating that watchdog are unable to follow it’s own device.

@privacyminion tweeted:

“They have always done that. Do as we say not do as we do. They did it before with the first cookie banner they launched. They did it with the “policy document” under UK DPA18. To name just 2!”

@simonrjones tweeted:

“Given the amount of effort some people go to to comply, it’s deeply ironic that @ICOnews are lacking in their cookie policy. I see they use a tool (Civic) for this. Are there any tools that actually meet current best practises?”

PrivSec Conferences will bring together leading speakers and experts from privacy and security to deliver compelling content via solo presentations, panel discussions, debates, roundtables and workshops.

For more information on upcoming events, visit the website.


GDPR Summit Series is a global series of GDPR events which will help marketers to prepare to meet the requirements of the GDPR ahead of May 2018 and beyond. Further information and conference details are available at http://www.gdprsummit.london/


comments powered by Disqus