1. You must get clear user consent to store non-essential cookies on their devices
- Pre-ticked boxes are not used for non-essential cookies
- Non-essential cookies do not appear on landing pages
- If third-party cookies are used, the third parties should be specifically named and users should be told what the third parties will do with the information collected
- If users do not agree to any non-essential cookies, they should not be prevented from accessing the website.
2. The types of cookies requiring consent
Cookies may be essential or non-essential to the provision of an online service. The guidance provides indicative examples of activities that would be considered strictly necessary and so would not typically require user consent. These include first-party website access authentication cookies, first-party cookies used for security purposes, session cookies for network management such as load balancing, and session cookies designed to remember the contents of an online shopping basket. In contrast, consent will most likely be required for non-essential cookies and similar technologies used for the likes of online advertising, social media plugins, cross-device tracking and analytics.
3. You must be clear about information provided
Online service providers must comply with the standard of transparency as set out in the GDPR, meaning that cookie policies need to be accessible and not tucked away in lengthy terms and conditions. Policies must clearly identify the purposes for which each type of cookie is used in a way which is clear, concise and intelligible.
4. Use cookie walls with caution
In addition to informing users of any significant changes, online service providers must allow users to give their informed consent to the use of any new non-essential cookies being used. Online service providers should also seek fresh consent from users periodically, although the ICO notes that the appropriate time frame is likely to be specific to the particular circumstances around the service and its users.
6. And don’t forget if you fail to comply …
Online service providers should seek to ensure their cookie usage complies with the relevant legislation and latest guidance sooner rather than later.