Digesting the ICO's new cookie guidance - 6 things to note

The ICO recently released new guidance on the use of cookies and similar technologies such as scripts, tracking pixels and plugins. This important guidance may have been missed by those away over the summer when it was issued. The guidance is primarily aimed at online service providers and seeks to provide clarity around how cookies and similar technologies should be used. This e-update sets out several key points highlighted in the guidance.


1. You must get clear user consent to store non-essential cookies on their devices

Online service providers must obtain users’ consent for all cookies which are not ‘strictly necessary’. Consent obtained from users must meet the very high standard set out in the GDPR, which means that consent must be (a) express and not implied – i.e. online service providers can no longer rely on statements such as ‘by continuing to use this site you consent to our use of cookies’ or having consent options set by default; and (b) granular - i.e. users must have the option to consent to some non-essential cookies and not others. Online service providers should ensure that:

  • Pre-ticked boxes are not used for non-essential cookies
  • Non-essential cookies do not appear on landing pages
  • If third party cookies are used, the third parties should be specifically named and users should be told what the third parties will do with the information collected
  • If users do not agree to any non-essential cookies, they should not be prevented from accessing the website.


2. The types of cookies requiring consent

Cookies may be essential or non-essential to the provision of an online service. The guidance provides indicative examples of activities that would be considered strictly necessary and so would not typically require user consent. These include first-party website access authentication cookies, first-party cookies used for security purposes, session cookies for network management such as load balancing and session cookies designed to remember the contents of an online shopping basket. In contrast, consent will most likely be required for non-essential cookies and similar technologies used for the likes of online advertising, social media plugins, cross-device tracking and analytics.


3. You must be clear about information provided

Online service providers must comply with the standard of transparency as set out in the GDPR, meaning that cookie policies need to be accessible and not tucked away in lengthy terms and conditions. Policies must clearly identify the purposes for which each type of cookie is used in a way which is clear, concise and intelligible.


4. Use cookie walls with caution

A cookie wall is a popup on a website designed to inform users about the use of cookies on the website but without giving users an option to reject the use of cookies. The ICO’s guidance makes clear that this ‘take it or leave it’ approach may be inappropriate in some circumstances as consent must be given freely under the GDPR. Consent in relation to cookie walls may not be valid, particularly where the user has no real choice but to accept the terms or where the cookie wall is designed to influence or require users to consent to their personal data being collected as a condition of using an online service. However, the ICO recognises that not all cookie tracking is intrusive or high risk and notes in its guidance that the right to protection of personal information under the GDPR is not absolute and must be balanced against other fundamental rights (including freedom to conduct a business).


5. You must inform users of any significant changes to the use of cookies

In addition to informing users of any significant changes, online service providers must allow users to give their informed consent to the use of any new non-essential cookies being used. Online service providers should also seek fresh consent from users periodically, although the ICO notes that the appropriate time frame is likely to be specific to the particular circumstances around the service and its users.


6. And don’t forget if you fail to comply …

The use of cookies is governed by the Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”) which sit alongside the Data Protection Act 2018 and the General Data Protection Regulation. Enforcement of the PECR remains as it was under the Data Protection Act 1998, except for personal data related breaches. The ICO is more likely to take formal action the greater the level of intrusiveness and risk of harm to individuals.

Online service providers should seek to ensure their cookie usage complies with the relevant legislation and latest guidance sooner rather than later.

This article was co-authored by Zoe Jarvis.
