Some of the most popular websites in the country have received warnings from Britain's data protection regulator that they could face penalties if they continue to force users to accept advertising cookies.
The top websites in the UK were given a 30-day deadline by the Information Commissioner's Office (ICO) to abide by the country's privacy laws, failing which they would "face the consequences."
The issue is how these sites permit individuals to opt out of advertising cookies, with the ICO stating that they have a legal obligation to make it as easy to "Reject All" advertising cookies as it is to "Accept All."
This comes after TikTok was fined €5 million (roughly $5.4 million) by France's data protection authority, the CNIL, in January for having a cookie banner on its website featuring a one-click option to accept all cookies but not to refuse them.
Even though the underlying laws were identical, security specialists noted at the time that the British regulator was not adopting the same standards.
In January, the ICO did not respond to inquiries about its enforcement.
Numerous popular UK websites, including The Times and The Guardian, do not offer a single-click option to refuse cookies. Instead, the cookie banner on those websites directs users to a configuration page.
The ICO's guidance on the subject was later published in August, despite the fact that the existing rules were already available on its website.
"We've all been surprised to see ads online that seem designed specifically for us - an ad for a hotel when you've just booked a flight abroad, for example," said Stephen Almond, the watchdog's executive director of regulatory risk.
“Gambling addicts may be targeted with betting offers based on their browsing record, women may be targeted with distressing baby adverts shortly after miscarriage and someone exploring their sexuality may be presented with ads that disclose their sexual orientation,” Almond warned.
In January, the ICO said it will provide an update on its efforts to prosecute offenders, "including details of companies that have not addressed our concerns."
Cookie consent pop-ups have become an industry tactic in response to the European Union's ePrivacy Directive and General Data Protection Regulation (GDPR), which were intended to give citizens of the bloc the ability to withdraw their consent to being tracked and profiled across the web by advertisers.
Despite the fact that the UK has left the European Union, the same legislation is still in effect.
The directive requires websites to block all marketing cookies and trackers from being loaded into users' browsers until they receive explicit permission from those users. Sites are not permitted to pre-check boxes or use 'consent toggles' that make it easier to consent to cookies than to decline them, though this rule is rarely observed in practice.
There is an exception for "strictly necessary" or functional cookies, such as those used to ensure page content loads quickly, count visitors (without profiling them), and remember the items in online shoppers' baskets.