On 16 September 2024, the UK's data protection authority, The Information Commissioner's Office (ICO) issued a reprimand against Sky Betting and Gaming (SkyBet) for unlawfully processing people’s data through advertising cookies without their consent.

Between 10 January and 3 March 2023, SkyBet’s website dropped third-party AdTech cookies to visitors' browsers before visitors could accept or reject them via a cookie banner. As a result, the visitors' personal data (e.g., device information and unique identifiers) was shared automatically with third-party AdTech companies without visitors' consent or a lawful basis. The cookies were deployed to allow advertising to be placed on other websites viewed by the visitor.

Whilst the ICO found no evidence of deliberate misuse of personal data to target vulnerable gamblers, it reprimanded SkyBet because it processed personal data in a way that was not lawful, transparent or fair.

This reprimand forms part of the ICO's wider strategy to ensure that individuals' rights and freedoms are respected. The ICO has recently reviewed the UK's most-visited 100 websites and contacted more than half to warn of enforcement action. Many are reported to have implemented improvements, such as displaying a "reject all" button or presenting "accept all" and "reject all" options on an equal footing.

The ICO intends to assess the next 100 most-frequented websites and urges all organisations to assess their cookie banners to ensure freely given consent may be given. The ICO also intends to publish guidance on cookies and tracking technology before the end of the year.

DLA Piper advises all businesses on cookie compliance and is currently engaged by several businesses operating in the AdTech ecosystem, on assessing risk exposure and responding to ICO engagement. Should you wish to discuss this further, please reach out to your regular DLA Piper contact, or the authors of this blog.