New UK ICO guidance on cookies and similar technologies

Recent changes to the cookie consent tool on www.ico.org.uk were a good sign that updated guidance from the ICO, on the use of cookies and similar technologies, would soon arrive. The ICO duly published its updated guidance on 3 July.

In the run up to GDPR, and since, many companies have adopted enhanced cookie consent tools and a range of third party solutions have emerged to support these efforts. However, there is little consistency in the approaches taken. At one end of the scale, some service providers offer incredibly granular cookie choices, with the ability to turn on and off several dozen cookies, and detailed and quite technical information (often referring out to third party websites). At the other, some websites continue to rely on browser settings or similar approaches to obtain implied consent, and as a means of enabling withdrawal of consent, providing only high level information about the types of cookies used. All of this must be pretty bewildering for users. It is also an unsatisfactory state of affairs for any company considering investing in cookie consent management tools. So, the ICO’s guidance will be welcomed.

The guidance covers not just use of cookies, but also similar technologies, whether used on websites, mobile apps, TVs, wearable technology or other connected devices. Similar technologies include device IDs and other identifiers, scripts and tracking pixels, as well as fingerprinting techniques (which combine a set of information elements in order to identify a device). For readability, the ICO guidance uses the term “cookies” to refer to all of these technologies.

The key requirements for use cookies are that you must: (i) identify what cookies will be used; (ii) explain what they do; and (iii) obtain user consent. The guidance provides helpful detail on what the ICO’s expectations are on each of these points, largely reinforcing and building on prior guidance. I have set out my key takeaways below.

Transparency

• You need to provide information about cookies in such a way that the user will see it when first visiting the service.
• The provider of an online service must specifically identify any third parties whose cookies are set.
• The explanation needs to be “clear and comprehensive”, not one or the other. So, long-tables or detailed lists of all the cookies operating on a service (with reference to what they do) can be included, but users will also need a broader explanation of the way cookies operate and the categories of cookies used. You should provide the more detailed information in a linked cookie policy, with a link which is suitably prominent. You should avoid overly complex and lengthy terminology.
• It is good practice also to provide information about essential cookies, even though it is not strictly required. If personal data processing is involved in use of strictly necessary cookies, it will be required under GDPR.
• You should explain the duration for which cookies are used. The cookie duration must be proportionate in relation to your intended outcome and limited to what is necessary to achieve your purpose.

Consent

• The GDPR definition of consent applies, which means for cookies that: (i) continuing to browse a website does not constitute valid consent; (ii) clear information must be provided before consent is given; (iii) as noted above, all third parties whose cookies are set must be named; (iv) you cannot use pre-ticked boxes or equivalents (for non-essential cookies); (v) you must provide users with controls (over non-essential cookies) and allow users access if they do not consent to these, i.e. no “cookie walls”; (vi) you must not place non-essential cookies on your landing page, or otherwise have them dropped before the user has given consent.
• Consent must be given by the subscriber (the person who pays the bill for the use of the telecommunications line) or the user. It will depend on the context whether it is appropriate for one or the other, or both, to give consent.
• Consent is not required for essential cookies which are necessary for carrying out communications over a network, or which are “strictly necessary”.
• Strictly necessary cookies are only those which are essential to provide the service requested by the user and has a narrow application, i.e. it should be assessed from the point of view of the user not the service provider. Analytics cookies are never strictly necessary.
• If you rely on the “strictly necessary” exemption because a particular cookie fulfils a particular purpose, such as security, you must ensure that your use is only for that purpose. If you use any information for secondary purposes, the cookie would not be regarded as strictly necessary.
• If you allow third party cookies, you should make sure the consent mechanism used is valid. Ideally you should allow consent for all those cookies to be set directly (rather than directing them to a third party site). The ICO indicates that it is working with industry and other data protection authorities to find workable solutions to this challenge. This is a particular challenge for ad tech, which is recognised in the ICO’s recent report. We covered this in a recent blog.
• You should consider user experience carefully, avoiding long lists of check boxes and disruptive message boxes on mobile devices which are optimised for desktop browsing.
• You cannot rely solely on browser settings as a means of obtaining consent, although it may be valid in some cases. This may be more viable in future.
• You cannot gain consent via terms and conditions.
• Users must be able to withdraw consent and the consequences of doing so must be clearly explained.
• Fresh consent should be sought after a period of time. The right period will be context dependent.
• If you introduce a new cookie, or change the purposes of a cookie already in use after consent has been obtained, then your users will need to be made aware of these changes, in order to allow them to make an informed choice about this new activity.

Other helpful clarifications include the following:

• Any person that operates an online service using cookies, or which otherwise sets and uses cookies for their own purposes, will be responsible for complying with PECR.
• The rules under PECR do not apply the same way to corporate intranets. However, to the extent personal data is processed, GDPR will.
• The rules are no different where the users are children, but the information provided will need to be appropriate for children.
• In relation to privacy and electronic communications, PECR takes precedence over the GDPR and the DPA 2018. GDPR applies to processing outside the scope of PECR (i.e. not relating to storing or accessing information on the user device). This means, for example, that consent is required for use of cookies (under PECR) even where a different legal basis (e.g. legitimate interests) can be relied upon subsequently to process cookie data under GDPR.
• It is recommended that where consent is collected for use of cookies that consent is also relied upon as a legal basis under GDPR, to avoid confusing users. The extent to which it is possible to rely on another legal basis will depend on the context, but the ICO indicates that it thinks consent is highly likely to be required as a legal basis in certain cases, providing the examples (previously cited by the EDPB) of analysing or predicting behaviour, and tracking and profiling for direct marketing and advertising.
• The ICO will not provide specific guidance on the e-Privacy Regulation until it is finished.

The ICO concludes by noting that any enforcement action would be in accordance with its Regulatory Action Policy, that it is unlikely priority for any formal action would be given to uses of cookies with a low level of intrusiveness and low risk of harm to individuals.  The ICO will consider whether an organisation has done all it can to clearly inform uses and to provide them with clear details of how to make choices.