New UK ICO guidance on cookies and similar technologies
04 July 2019
In the run-up to GDPR, and since, many companies have adopted enhanced cookie consent tools, and a range of third party solutions have emerged to support these efforts. However, there is little consistency in the approaches taken. At one end of the scale, some service providers offer incredibly granular cookie choices, with the ability to turn several dozen cookies on and off individually, accompanied by detailed and quite technical information (often referring out to third party websites). At the other, some websites continue to rely on browser settings or similar approaches to obtain implied consent, and as a means of enabling withdrawal of consent, providing only high level information about the types of cookies used. All of this must be pretty bewildering for users. It is also an unsatisfactory state of affairs for any company considering investing in cookie consent management tools. So, the ICO’s guidance will be welcomed.
• You need to provide information about cookies in such a way that the user will see it when first visiting the service.
• The provider of an online service must specifically identify any third parties whose cookies are set.
• It is good practice also to provide information about essential cookies, even though it is not strictly required. If personal data processing is involved in use of strictly necessary cookies, it will be required under GDPR.
• You should explain the duration for which cookies are used. The cookie duration must be proportionate in relation to your intended outcome and limited to what is necessary to achieve your purpose.
• The GDPR definition of consent applies, which means for cookies that: (i) continuing to browse a website does not constitute valid consent; (ii) clear information must be provided before consent is given; (iii) as noted above, all third parties whose cookies are set must be named; (iv) you cannot use pre-ticked boxes or equivalents (for non-essential cookies); (v) you must provide users with controls (over non-essential cookies) and allow users access if they do not consent to these, i.e. no “cookie walls”; (vi) you must not place non-essential cookies on your landing page, or otherwise have them dropped before the user has given consent.
• Consent must be given by the subscriber (the person who pays the bill for the use of the telecommunications line) or the user. It will depend on the context whether it is appropriate for one or the other, or both, to give consent.
• Consent is not required for essential cookies which are necessary for carrying out communications over a network, or which are “strictly necessary”.
• Strictly necessary cookies are only those which are essential to provide the service requested by the user, and the exemption has a narrow application, i.e. it should be assessed from the point of view of the user, not the service provider. Analytics cookies are never strictly necessary.
• If you rely on the “strictly necessary” exemption because a particular cookie fulfils a particular purpose, such as security, you must ensure that your use is only for that purpose. If you use any information for secondary purposes, the cookie would not be regarded as strictly necessary.
• If you allow third party cookies, you should make sure the consent mechanism used is valid. Ideally you should allow users to consent to all those cookies directly on your own service (rather than directing them to a third party site). The ICO indicates that it is working with industry and other data protection authorities to find workable solutions to this challenge. This is a particular challenge for ad tech, which is recognised in the ICO’s recent report. We covered this in a recent blog.
• You should consider user experience carefully, avoiding long lists of check boxes, and avoiding message boxes optimised for desktop browsing that are disruptive when displayed on mobile devices.
• You cannot rely solely on browser settings as a means of obtaining consent, although it may be valid in some cases. This may be more viable in future.
• You cannot gain consent via terms and conditions.
• Users must be able to withdraw consent and the consequences of doing so must be clearly explained.
• Fresh consent should be sought after a period of time. The right period will be context dependent.
• If you introduce a new cookie, or change the purposes of a cookie already in use after consent has been obtained, then your users will need to be made aware of these changes, in order to allow them to make an informed choice about this new activity.
Other helpful clarifications include the following:
• The rules under PECR do not apply the same way to corporate intranets. However, to the extent personal data is processed, GDPR will.
• The rules are no different where the users are children, but the information provided will need to be appropriate for children.
• The ICO will not provide specific guidance on the e-Privacy Regulation until it is finished.
The ICO concludes by noting that any enforcement action would be in accordance with its Regulatory Action Policy, and that it is unlikely to give priority to formal action against uses of cookies with a low level of intrusiveness and low risk of harm to individuals. The ICO will consider whether an organisation has done all it can to clearly inform users and to provide them with clear details of how to make choices.