ICO updated cookie guidance following GDPR

“a user must take a clear and positive action to give their consent to the use of non-essential cookies”

On 3 July 2019, the Information Commissioner’s Office (“ICO”) updated it’s guidance on the use of cookies. The guidance has been updated to align the ICO’s position on cookies with the impact of the General Data Protection Regulations (“GDPR”) which came into force in May last year.

Cookies are small files which are stored on a user’s computer. They are designed to hold data specific to a particular user and website. Cookies allow servers to deliver a page tailored to a particular user, or the page itself can contain some script which is aware of the data in the cookie and so is able to carry information from one visit to the website (or related site) to the next.

The use of cookies is primarily regulated in the United Kingdom by the Privacy and Electronic Communications Regulations, commonly referred to as PECR, but the changes to data protection legislation last year has had an impact on the use of cookies imposing high standards for cookie use.

The guidance covers not just the use of cookies, but also similar technologies, whether used in connection with websites, mobile applications, wearable technology, TV’s or other connected devices.

What do you need to know?

1. The consent required for the purposes of setting a cookie must be “consent” as defined by the GDPR. This means that “a user must take a clear and positive action to give their consent to the use of non-essential cookies”. It is important to note that where consent is required under PECR, one of the lawful bases from the GDPR cannot be used as an alternative.
2. The continuing use of a website by a user does not constitute valid consent. Users must take a clear and positive action to consent to non-essential cookies and fresh consent may need to be sought.
3. Clear information about the use of the cookies must be provided to a user before consent is given. You cannot gain consent via terms and conditions; any consent that is bundled into a set of terms and conditions will not be compliant.
4. If at anytime you introduce a new cookie or change the purpose of a cookie, you will need to provide users with details of the change so they can make an informed choice about the use of this new or updated cookie.
5. Pre-ticked boxes or equivalent cannot be used to obtain consent.
6. When using third party cookies, the name of the third party must be provided and an explanation of what they will do with the information collected will need to be provided. If these cookies are non-essential cookies consent will need to be obtained.
7. The use of a full cookie wall i.e. requiring users to ‘agree’ or ‘accept’ the setting of cookies before they can access any online content – is unlikely to represent valid consent on the basis that GDPR requires that consent be “freely given”. This means that non-essential cookies must not be used on a landing page, or otherwise dropped before a user has provided consent.
8. Any use of any non-essential cookies, including third party cookies used for the purposes of online advertising or web analytics will require prior consent before they can be used.

Non-essential cookies are anything other than those that are strictly necessary to provide a service over the internet which has been requested by the subscriber or user. This is strictly necessary from the users’ perspective. The use of the cookie must be essential to fulfil their request i.e. without it the user would be unable to undertake certain activities. Cookies that are helpful or convenient but not essential will still require consent.

The rules that apply to cookies are no different if children access your online service. You will need to provide clear and comprehensive information about your use of cookies and ensure that you have consent for any that are not strictly necessary. You will need to ensure that both the information provided and the consent mechanisms are appropriate for children.

What do you need to do?

The ICO recommends that all businesses conduct a cookie audit, in order to fully understand the cookies that are being used and the reasons why. You need to identify not only your own cookies but also any third party cookies which are being used and then categorise these into essential and non-essential cookies. This audit will allow you to identify which cookies will trigger the PECR consent so you can determine what consent mechanism you need to implement.

It is likely that following an audit many businesses will need to review their current consent mechanisms as well as any cookie policies or notices currently used.

The ICO has confirmed that any enforcement action it takes will be proportionate and risk-based. It is unlikely that priority for any formal action would be given to uses of cookies where there is a low level of intrusiveness and low risk of harm to users. The ICO will look to see if you can demonstrate that you have done everything you can to clearly inform users about cookies and provided the with clear details of how to make choices about the use of such cookies.