
ICO Updates Cookie Compliance Guidance; Issues Notice of GDPR Fine to Marriott

The news continues out of the United Kingdom on the General Data Protection Regulation (GDPR) this week.


Marriott Receives Notice of 99 Million Pound GDPR Fine

The UK Information Commissioner’s Office (ICO) has issued Marriott a notice that the breach of the Starwood reservation database could result in a 99 million pound ($124 million USD) fine under GDPR. The potential GDPR fine is about 2.4% of Marriott’s total annual revenue.

The notice of fine became public when Marriott International disclosed it publicly to shareholders by notifying the U.S. Securities and Exchange Commission. The ICO subsequently commented on its decision to issue the notice.

The Information Commissioner indicated that organizations must carry out due diligence when making a corporate acquisition and put in place accountability measures to assess how the personal information is protected. The ICO found that Marriott failed to undertake sufficient due diligence when it bought Starwood and that Marriott should have done more to secure its systems.

The ICO indicated that the data breach exposed the personal data of around 30 million residents of 31 countries in the European Economic Area, including 7 million residents of the UK.

This is the second notice of a GDPR fine that has been disclosed this week. The notice of intent to fine typically precedes a response/appeal from the recipient as well as, when the data protection authority is the lead supervisory authority under the one-stop shop provision, commentary from the other data protection authorities impacted by the fine. So there is still the possibility that a higher or lower fine is issued.

Earlier this week, it was disclosed that the ICO sent notice of a fine to British Airways in the amount of 183.39 million pounds (approximately $230 million USD). British Airways suffered a data breach last summer from malware on its website. The breach implicated the personal data of approximately 500,000 people. The previous record fine by a data protection authority was issued by France against Google for violations of GDPR regarding its Android operating system.

New ICO Cookie Compliance Guidance

The ICO also updated its guidance on cookie compliance last week. The blog post that accompanied the release of the guidance indicated that:

1. Organizations can’t rely on implied consent for the use of cookies.
2. Analytics cookies are not strictly necessary and therefore require consent.
3. Cookie walls are unlikely to represent valid consent although the ICO is continuing to consider the validity of some partial cookie walls.
4. Legitimate interest cannot be relied on to set cookies – consent is always needed for non-essential cookies.

The result is that websites will need to disclose and gather express affirmative consent for non-essential cookies. The formal import of the GDPR consent standard to cookie banners started with the Dutch DPA in March, which declared that websites must remain accessible for users refusing tracking cookies. The Autoriteit Persoonsgegevens (“AP”) declared that users did not have free choice to accept or reject tracking cookies when there is a cookie wall.
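A minimal consent gate that encodes the four points above and the AP's "no cookie wall" position, as an added illustration rather than code from the ICO, the AP or Clarip: strictly necessary cookies are always permitted, every other cookie is blocked unless the stored consent record comes from an explicit opt-in (so "continued browsing" or a legitimate-interest basis counts as refusal), and a small audit pass flags any cookie the site has not registered and classified. The cookie names, categories and the shape of the consent record are assumptions made for the example.

```javascript
// Constructed cookie register: every cookie the site sets, with its purpose and category.
// Keeping this register current is the "cookie audit" the ICO asks organizations to perform.
const COOKIE_REGISTER = {
  session_id: { category: "strictly_necessary", purpose: "keeps the user signed in" },
  csrf_token: { category: "strictly_necessary", purpose: "CSRF protection" },
  _ga:        { category: "analytics",          purpose: "visitor measurement" },
  ad_profile: { category: "advertising",        purpose: "behavioural advertising" },
};

// Consent record as the banner would persist it (hypothetical shape):
//   { basis: "explicit_opt_in", categories: { analytics: true, advertising: false } }
// Only an explicit affirmative act is a valid basis; anything else is treated as refusal,
// and refusal never blocks access, because strictly necessary cookies still work.
function isConsented(consent, category) {
  if (category === "strictly_necessary") return true;          // no consent needed
  if (!consent || consent.basis !== "explicit_opt_in") return false; // implied/LI = no
  return consent.categories[category] === true;                 // per-category opt-in
}

// Gate every Set-Cookie decision through the register, so an unregistered cookie
// (one the audit never classified) is refused rather than silently set.
function canSetCookie(name, consent) {
  const entry = COOKIE_REGISTER[name];
  if (!entry) return false;
  return isConsented(consent, entry.category);
}

// Audit a Cookie header / document.cookie string against the register and the
// current consent, returning one finding per cookie actually present.
function auditCookies(cookieHeader, consent) {
  return cookieHeader
    .split(";")
    .map((s) => s.trim())
    .filter(Boolean)
    .map((pair) => {
      const name = pair.split("=")[0];
      const entry = COOKIE_REGISTER[name];
      return {
        name,
        category: entry ? entry.category : "unregistered",
        allowed: canSetCookie(name, consent),
      };
    });
}
```

Run the audit against the cookies a real page actually sets (for example after loading it with no consent given) and treat every `allowed: false` finding as a compliance defect to fix before the banner goes live.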

The updated guidance from the ICO comes as the UK data protection authority has just updated its cookie consent management after admitting that its prior system did not meet the GDPR consent standard. The evolution may also be a sign that data protection authorities are not going to wait for the negotiations over the ePrivacy Regulation (ePR) to reach a consensus before taking action against organizations which have deficient cookie notices.

As part of the blog post, the ICO indicated that cookie compliance is going to be a regulatory priority. The blog post also told organizations that they should start working towards compliance now by undertaking a cookie audit and documenting their decisions in order to avoid regulatory action. If your organization needs assistance with its cookie banners and cookie consent, contact Clarip at 1-888-252-5653.
