U.K. publishers and the ICO still grapple with offering a ‘reject all’ cookies option amid revenue concerns

As a Digiday+ member, you were able to access this article early through the Digiday+ Story Preview email. See other exclusives or manage your account.This article was provided as an exclusive preview for Digiday+ members, who were able to access it early. Check out the other features included with Digiday+ to help you stay ahead

In November, some of the top publishers by traffic in the U.K. were alerted by the Information Commissioner’s Office (ICO), the legislative department tasked with upholding data privacy compliance in the U.K., that their on-site cookie consent pop-ups do not meet the requirements set by the Privacy and Electronic Communications Regulations (PECR) and General Data Protection Regulation (GDPR).

The ICO warned upwards of 100 of the top sites in the U.K. that they would be fined if they did not update their third-party cookie consent banners within 30 days to have a “reject all” button that’s of equal prominence as the “accept all” buttons.

But for media companies, adding the “reject all” option is not a simple bit of code. There are significant financial consequences that could come from making that change, according to three publishers who’ve tested what the realistic decline rate will be once that option is presented to their audiences. And the ICO’s notice calls into question how it would enforce the issue to the other publishers operating with a presence in the U.K.

Jo Holdaway, chief data and marketing officer at The Independent, said that based on tests where the “reject all” option was added, non-consent rates increased by about 20%, which “materially affects our monetization capabilities.” But based on additional modeling, she said it’s possible that those rates will increase even further, up to 40-50% industry wide. She did not provide exact rates.

“What I’m hearing [from publishers in the EU] is that the consent rates are going through the floor and that’s having a material impact on publishers’ revenues,” said James Rosewell, co-founder of Movement for an Open Web, an organization created to help digital businesses operate free of restrictions set by giant tech corporations.

The ICO has collaborated with publishers thus far on identifying solutions for making cookie consent pop-ups privacy compliant, according to all three media execs who spoke with Digiday for this story. Per an email from an ICO spokesperson, “We have written to organisations, including some in the media industry, to set out that, under data protection law, website users should be given genuine choice and control over their personal data. We are supporting these organisations to understand how they can make changes to comply with the law.” The ICO did not make a representative available for this story.

Why ‘reject all’ poses a problem

At this point in time, “not many publishers are using reject all, which is why the ICO is concerned. And understandably so,” Holdaway said. But there isn’t a solution that exists right now to both satisfy the privacy regulation concerns without making material impact on a publishers’ revenue.

“We want a free press. It’s really important for premium publishers… to be able to monetize their audience because this sort of quality journalism costs a lot of money to produce. And I think the public are aware of this and want to be treated fairly, but we couldn’t run a viable business if we didn’t monetize our audience, either to ad funded or reader revenues,” Holdaway continued.

Working in lock step with the ICO, Holdaway said that her team is testing two alternative solutions to see if that will remedy the situation. The first is investing in non-personalized ad solutions (AKA cookieless solutions) like contextual advertising, which requires a degree of adoption across the digital advertising market. And the other solution is reader revenue via a similar approach to what Meta unveiled last year, which is a payer consent model that gives a user an ad-free experience in exchange for a monthly or annual subscription fee — though that model is also receiving challenges from EU regulators

What’s more, Holdaway said that the resources within the DevOps team are limited and what she doesn’t want to do is allocate all of their efforts into any one solution before the ICO signs off on it.

Education around cookies 

Future plc’s CRO Zack Sullivan said that while his company has not received any notices from the ICO yet, his team is proactively working with the ICO and trade organizations to act quickly if and when the time comes that they’re forced to add the “reject all” option.

The idea is to avoid the potential revenue hits by finding a solution for this problem before the issue is fully enforced, but also to make sure that the current consent framework within its portfolio of sites is able to be changed on short notice. As part of that preparedness, Sullivan said that his team is repurposing the messaging used about seven years ago to address the growing number of ad blockers that showed up on-sites, which was aimed at educating audiences about how ad blockers negatively impact revenue and a media business’s ability to produce free content.

“The good thing is by getting the wording right, by having a really authentic tone of voice, you do get a lot of user opt in,” said Sullivan.

Rosewell argued that finding middle ground on this issue could be changing the wording of the question and education behind cookie usage in the banner pop-up itself. 

“The consumer has no need to understand how the machine works to be able to use it. The question should really be ‘are you comfortable with personalized advertising or not?’” said Rosewell. Once that question is reframed, he argued that consumers will be able to better understand their choices and how those choices affect the open web, which ultimately makes the question more privacy compliant.

More than giving them the option to reject all cookies, publishers need to be able to educate the users on what it actually means, which is why the “manage” option has been a critical one, according to Terry Hornsby, group digital director of Reach plc, which also did not receive an initial notice from the ICO but is working with the organization on compliance as well.

“The accept and manage solution — yes, it might not be ideal in terms of equal prominence — but if you manage, you can then look in detail at what you’re managing. That’s what the ongoing discussions are. Everybody’s [wondering] how do we still give everybody that information but just in one button?” said Hornsby.

There is a fine line between education and coercion, however, which is why this is not a route Holdaway said her team is pursuing. “It’s really difficult to maintain compliance in that way, because what you can’t do is bundle acceptance and make it conditional with other things … You can’t shame users by saying if you don’t accept them, you can’t do this or you won’t get as good as experienced on the website,” she said.

“The law states that users must be able to reject non-essential advertising cookies as easily as they can accept them. Cookie banners that do not allow this may infringe data protection and privacy laws. We will take enforcement action where necessary to safeguard people from harm,” the spokesperson added. 

Holdaway said that her team is negotiating with the ICO for more time to comply, but given the ongoing discussions around finding a fair and equitable solution, she doesn’t think that there will be a specific date for when the “reject all” button must be in place, such as that original 30-day notice. 

“That all individually depends on the individual website talking to the ICO, but we would hope to be able to develop something if we got some guidance within two or three months,” she said.


More in Media

Teads’ M&A rumors are firming up with a deal to merge with Outbrain

The latest installment of ad tech M&A activity is leaving some industry folks surprised.

Publishers’ Privacy Sandbox pauses settle into a deep freeze following reports of poor performance

Publishers aren’t ready to press play yet on dedicated Privacy Sandbox tests.