In short, the guidance confirms what most data practitioners already knew about cookie requirements and there are few big surprises. However, since many companies have not been complying, steps will need to be taken by huge numbers of sites and services to avoid censure now that the regulator has confirmed what it expects. There is no transition or lead time for compliance. This is in force now.
One reason companies had been reluctant to make wholesale changes to their cookie approach following the implementation of the General Data Protection Regulation (GDPR) is that the rules on installing cookies are set out in the separate Privacy and Electronic Communications Regulations (sometimes referred to as PECR or the e-Privacy Regulations). This legislation is in the process of being updated and many had therefore been waiting for it to be finalised before taking action. The ongoing delays here have not been helpful. However, this guidance sends a warning to companies that the prospect of future changes does not mean they do not have to comply with the existing regime and, of course, GDPR.
This guidance comes in the face of other action across Europe. The French data protection regulator is due to publish updated guidance this month and the German and Dutch regulators have also been taking action in this area. It is clear the data protection regulators around Europe have lost patience on this issue and expect to see change.
When is consent needed?
Consent is needed for cookies that are not strictly necessary. This has been the case for many years and so much of the guidance simply confirms and restates this position. The table below summarises when consent is needed and when it isn’t.
As a quick note, we use “cookies” as a generic term, whereas the obligation also applies to similar technologies such as beacons and tracking pixels. Nor are the rules limited to websites: installation on a mobile or other smart device, including a smart TV, is also caught.
| CONSENT NEEDED | CONSENT NOT NEEDED |
| --- | --- |
| Third party analytic cookies such as Google Analytics. | First party unobtrusive analytic cookies. The ICO says that it will take a risk based approach and this is unlikely to be a cause for concern to them. This is welcome clarification. |
| Personalisation of sites and services. For example, a cookie that welcomes an individual back to a service by name. | Essential security cookies. |
| Advertising, including cookies used for targeted advertising and tracking pixels, whether first or third party cookies. | Essential ecommerce cookies, for example those that are needed to remember what a shopper has put in their basket. |
| Tracking email interactions (ie who opens a marketing email). This will be a nasty surprise to many companies. | Cookies required to make the transmission of a communication possible. One that simply assists transmission will still need consent however. |
| The ICO says that it may be possible for companies to rely on a lawful basis other than consent for further use of cookie data after installation. This is because the e-Privacy rules apply to installation of the cookie whereas GDPR relates to personal data more widely. | Load balancing cookies. |
|  | Cookies used on an intranet. |
What should consent look like?
This is the part of the guidance that was most hotly awaited and where most change will be needed. Few sites and services currently follow these requirements. Key points to note from the guidance:
- It confirms that cookie consent has to be ‘GDPR’ level consent for the installation of the cookies on the device. This means a freely given, specific, informed and unambiguous indication of wishes by way of a clear affirmative action.
- Silence or inaction, or wording (regularly seen in current cookie notices) along the lines that consent is given “by continuing to use this site”, is not valid.
- You can’t use default consent settings such as pre-ticked boxes or sliders set to on.
- Consent has to be obtained before the cookies are installed.
- The user has to be given clear information about the cookies before consenting to them.
- Users have to have a means to control the cookies – ie to turn them off. Just allowing them the ability to turn them off though (again, a practice regularly seen) is not sufficient.
- Cookie walls (ie which block users from accessing the site or content before they agree to the cookies) are problematic. Consent has to be freely given. The ICO does open the door to acceptable use in very limited circumstances but it is clear this won’t work for advertising or general restrictions to sites and services.
- Consents that ‘nudge’ individuals towards a particular option (for example by emphasising ‘I accept’ over the option to say no) are invalid. The ICO says that users should not be influenced to make a particular choice. Just putting options to say ‘no’ in a ‘more information’ or ‘settings’ section would also be non-compliant.
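One way the consent-before-installation, no-default-on and no-inaction points above can be enforced in a site's own tag loader, shown as an added JavaScript example that is not part of this alert or of the ICO guidance. The category names, the consent cookie format (`name=1;name=0`), and the banner action types are assumptions made for the illustration; the logic is DOM-independent so it runs under Node as well as in a browser.

```javascript
// Added example: a consent gate for non-essential cookies and scripts.
// Category names, cookie format and action types are assumptions, not ICO prescriptions.
const STRICTLY_NECESSARY = 'necessary';
const CATEGORIES = [STRICTLY_NECESSARY, 'analytics', 'advertising', 'personalisation'];

// Default state: nothing recorded, every non-essential category switched OFF.
// This is the "no pre-ticked boxes / no sliders set to on" starting point.
function defaultConsent(categories = CATEGORIES) {
  const choices = {};
  for (const c of categories) choices[c] = c === STRICTLY_NECESSARY;
  return { recorded: false, choices };
}

// Only an explicit, affirmative banner action changes the state. Scrolling,
// continued browsing or dismissing the banner leave it untouched, because
// silence or inaction is not valid consent.
// action = { type: 'accept_all' | 'reject_all' | 'save_choices' | other, choices?: {} }
function applyUserAction(state, action) {
  const next = { recorded: state.recorded, choices: { ...state.choices } };
  const picked = action.choices || {};
  switch (action.type) {
    case 'accept_all':
      for (const c of Object.keys(next.choices)) next.choices[c] = true;
      next.recorded = true;
      break;
    case 'reject_all':
      for (const c of Object.keys(next.choices)) next.choices[c] = c === STRICTLY_NECESSARY;
      next.recorded = true;
      break;
    case 'save_choices':
      // Granular save from a settings panel: unknown categories are ignored,
      // strictly necessary stays on, anything not explicitly ticked stays off.
      for (const c of Object.keys(next.choices)) {
        if (c === STRICTLY_NECESSARY) continue;
        next.choices[c] = picked[c] === true;
      }
      next.recorded = true;
      break;
    default:
      // 'dismiss', 'scroll', 'continue' and anything else: no consent given.
      break;
  }
  return next;
}

// A cookie or script may be installed only if it is strictly necessary or the
// user has actively consented to its category. Unknown categories are refused.
function mayInstall(state, category) {
  if (category === STRICTLY_NECESSARY) return true;
  return state.recorded === true && state.choices[category] === true;
}

// Filter a queue of deferred tags so only permitted ones are loaded. Tags for
// non-consented categories are simply never injected, i.e. consent comes first.
function gateQueue(state, queue) {
  return queue.filter(item => mayInstall(state, item.category));
}

// Persist the decision as e.g. "analytics=1;advertising=0;personalisation=0".
function serializeConsent(state) {
  return Object.entries(state.choices)
    .filter(([c]) => c !== STRICTLY_NECESSARY)
    .map(([c, v]) => `${c}=${v ? 1 : 0}`)
    .join(';');
}

// Read the stored value back. A missing, malformed or tampered value falls back
// to the all-off default, so a bad cookie can never switch a category on.
function parseConsent(raw, categories = CATEGORIES) {
  const state = defaultConsent(categories);
  if (typeof raw !== 'string' || raw.length === 0) return state;
  const seen = new Set();
  for (const pair of raw.split(';')) {
    const m = /^([a-z_]+)=([01])$/.exec(pair);
    if (!m) return defaultConsent(categories); // malformed: discard the whole value
    const [, c, v] = m;
    if (c === STRICTLY_NECESSARY || !(c in state.choices)) continue; // ignore unknown
    state.choices[c] = v === '1';
    seen.add(c);
  }
  state.recorded = seen.size > 0; // a value naming no known category records nothing
  return state;
}

// Usage with a constructed queue of deferred tags (sample data, not a real site).
const pendingTags = [
  { id: 'session-cookie', category: STRICTLY_NECESSARY },
  { id: 'analytics-tag', category: 'analytics' },
  { id: 'ad-pixel', category: 'advertising' },
];
const afterBrowsing = applyUserAction(defaultConsent(), { type: 'scroll' });
console.log(gateQueue(afterBrowsing, pendingTags).map(t => t.id)); // only 'session-cookie'
```

The gate covers the technical side of the bullet points only: whether the "accept" and "reject" controls are given equal prominence, and whether the information shown before the choice is clear enough, remain design questions that have to be checked in the banner itself.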
It is this last bullet point that will be the most problematic for companies. Many expected to need to get an active consent for non-essential cookies but had hoped that a cookie consent could be designed to make it more likely than not that individuals would simply agree. It is poor that such a key point as this is rather hidden away in a section of the guidance about pre-enabling non-essential cookies.
Another disappointing aspect of the guidance in this area is that it doesn’t say anything about the ICO’s expectation around ‘specific’ consent – namely confirmation about whether separate consent is needed for different types of cookie for example one for analytics and a separate one for advertising cookies.
Despite this the guidance contains some useful clarifications and looks set to shake things up. Companies would be wise to consider what action they need to take.
Client Alert 2019-172