ICO: Updated guidance on the use of cookies and similar technologies
17 September 2019
On 3 July 2019 the UK Information Commissioner’s Office (ICO) issued updated guidance on the use of cookies (and similar technologies), in which it has set out its interpretation of the impact of the General Data Protection Regulation (GDPR) on the cookie rules contained in the Privacy and Electronic Communications Regulations (PECR).
In many ways the updated guidance doesn’t tell us much more than we already knew, but it does provide useful confirmation. The guidance is also an indication of where the ICO’s regulatory scrutiny might (and might not) lie and, on this note, it is interesting that the updated guidance coincided with the ICO updating its own cookie control mechanism, which didn’t previously meet the standards set out in the updated guidance (after all, those in glass houses shouldn’t throw stones).
It therefore remains to be seen whether the ICO is gearing up to enforce an area of law which to date has not been a priority. Meanwhile, here are the headline points.
Key points
1. Implied ‘by continuing to use this website’ consent isn’t valid: as expected, the ICO has confirmed that, where PECR requires consent for the use of cookies, the standard that needs to be met is that set by the GDPR – clear and positive action is required. This also means that pre-ticked boxes or sliders set to ‘on’ by default will not be effective.
2. Analytics and advertising cookies are not exempt: no consent is required for ‘strictly necessary’ cookies, but this exemption is interpreted narrowly - analytics cookies are not essential to the functionality of the website. However, the ICO has indicated (but not promised) that it will not take action for non-compliance if the particular analytics cookie is not ‘privacy intrusive’ (hint – proceed with caution when using analytics cookies provided by third party tech giants). Likewise, and while it may be obvious to those of us who eat cookies for breakfast, advertising cookies are not ‘necessary’, even if the website operator relies on advertising income to provide its website.
3. Transparency and consent go hand-in-hand: consent will only be valid if it is informed, so make sure to provide users with clear and comprehensive information in an easy-to-digest (last pun, that’s a promise) format, including naming the third parties that set cookies. No matter how sophisticated the opt-in mechanism, consent will not be achieved if this step is missed.
4. Cookie walls are not permitted: can you stop a user from accessing your website if they do not consent to the use of cookies? The GDPR requires that users have ‘genuine choice’, so the answer is no.
5. Email tracking pixels are caught: pixels (and other tech) embedded within emails can tell marketers whether emails have been read and can collect other useful information. The guidance confirms that the usual consent rule is engaged but unfortunately doesn’t offer any practical tips for overcoming this rather tricky hurdle.
6. Consent through browser settings can’t be relied on: the ICO accepts that this might be possible in the future but for now it won’t work because it cannot be assumed that each website visitor can configure their settings, and not everyone will be using the same version or type of browser.
7. Consent doesn’t last forever: how long should cookies last? There’s no one-size-fits-all approach but, as always, context is everything. As a general principle, however, the duration needs to be proportionate to, and no longer than necessary for, the purpose for which the cookie is set.
8. Respect user choice: it’s a point that is sometimes overlooked by tech teams – don’t use non-essential cookies on the website landing page or allow any non-essential technologies to run until after the user has given consent. No matter how compliant the website appears to be, all the good work will be undone if non-essential technologies are used regardless of the user’s choice.
9. Don’t forget the GDPR: where the use of cookies also involves the processing of personal data, compliance with PECR is only one half of the story – you also need to consider obligations under the GDPR. This includes ensuring that there’s a lawful basis for processing the personal data. For ad tech cookies in particular, there has been some uncertainty as to whether organisations can rely on consent for the initial use of the cookie, but later rely on legitimate interests for the subsequent processing of personal data collected via the cookie. While this approach isn’t prohibited, the updated guidance (and the ICO’s recent report into the ad tech industry) makes clear that legitimate interests will not be the most appropriate ground in most cases.
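Points 1, 7 and 8 translate into a fairly small piece of front-end logic: nothing is pre-ticked, nothing non-essential runs until a positive choice has been recorded, stored consent expires, and the site still works when consent is refused. The following is an added illustration written for this note, not code from the ICO or from any consent vendor; the cookie categories, tag names and the 180-day re-consent period are constructed assumptions (the ICO sets no fixed duration).

```javascript
// Constructed example: consent-gated loading of non-essential tags.
// The three categories and the 180-day TTL are assumptions for illustration.
const NON_ESSENTIAL = ['analytics', 'advertising'];
const CONSENT_TTL_MS = 180 * 24 * 60 * 60 * 1000;

// Default state before any positive action: nothing non-essential is enabled
// and nothing is pre-ticked. Continuing to browse never changes this object.
function defaultConsent() {
  return { necessary: true, analytics: false, advertising: false, given: false, at: null };
}

// Record the user's explicit choices (only the categories they actively ticked).
function recordConsent(choices, now) {
  const c = defaultConsent();
  for (const cat of choices) if (NON_ESSENTIAL.includes(cat)) c[cat] = true;
  c.given = true;
  c.at = now;
  return c;
}

// Load a stored record (e.g. from a first-party cookie); anything missing,
// malformed or older than the TTL falls back to the default, so expired or
// tampered consent is never silently reused.
function loadConsent(stored, now) {
  if (!stored) return defaultConsent();
  let rec;
  try { rec = JSON.parse(stored); } catch (e) { return defaultConsent(); }
  if (!rec || typeof rec.at !== 'number' || now - rec.at > CONSENT_TTL_MS) return defaultConsent();
  const c = defaultConsent();
  for (const cat of NON_ESSENTIAL) c[cat] = rec[cat] === true;
  c.given = true;
  c.at = rec.at;
  return c;
}

// Gate for a single tag: strictly necessary always runs; anything else needs
// an explicit opt-in for its own category.
function mayRun(category, consent) {
  if (category === 'necessary') return true;
  return consent.given && consent[category] === true;
}

// Decide which tags to inject on this page view. With no consent the list still
// contains the necessary tags, so the site keeps working (no cookie wall).
function tagsToLoad(tags, consent) {
  return tags.filter(t => mayRun(t.category, consent)).map(t => t.name);
}
```

In a real deployment `tagsToLoad` would run before any third-party script tag is injected, including on the landing page, and the banner's "accept" handler would be the only path that calls `recordConsent`.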
Next steps
Check what cookies your websites and other digital properties are using. If they are not ‘essential’, make sure you have a cookie consent mechanism and cookie policy which, taken together, meet the consent and transparency requirements set by the GDPR. If you need any help, please get in touch.