The ICO recently released new guidance on the use of cookies and similar technologies such as scripts, tracking pixels and plugins. This important guidance may have been missed by those away over the summer when it was issued. The guidance is primarily aimed at online service providers and seeks to provide clarity around how cookies and similar technologies should be used. This e-update sets out several key points highlighted in the guidance.
1. You must get clear user consent to store non-essential cookies on their devices
Online service providers must obtain users’ consent for all cookies which are not ‘strictly necessary’. Consent obtained from users must meet the very high standard set out in the GDPR, which means that consent must be (a) express and not implied – i.e. online service providers can no longer rely on statements such as ‘by continuing to use this site you consent to our use of cookies’ or having consent options set by default; and (b) granular – i.e. users must have the option to consent to some non-essential cookies and not others. Online service providers should ensure that:
- Pre-ticked boxes are not used for non-essential cookies
- Non-essential cookies do not appear on landing pages
- If third party cookies are used, the third parties should be specifically named and users should be told what the third parties will do with the information collected
- If users do not agree to any non-essential cookies, they should not be prevented from accessing the website.
2. The types of cookies requiring consent
Cookies may be essential or non-essential to the provision of an online service. The guidance provides indicative examples of activities that would be considered strictly necessary and so would not typically require user consent. These include first-party website access authentication cookies, first-party cookies used for security purposes, session cookies for network management such as load balancing and session cookies designed to remember the contents of an online shopping basket. In contrast, consent will most likely be required for non-essential cookies and similar technologies used for the likes of online advertising, social media plugins, cross-device tracking and analytics.
3. You must be clear about information provided
Online service providers must comply with the standard of transparency as set out in the GDPR, meaning that cookie policies need to be accessible and not tucked away in lengthy terms and conditions. Policies must clearly identify the purposes for which each type of cookie is used in a way which is clear, concise and intelligible.
4. Use cookie walls with caution
A cookie wall is a popup on a website designed to inform users about the use of cookies on the website but without giving users an option to reject the use of cookies. The ICO’s guidance makes clear that this ‘take it or leave it’ approach may be inappropriate in some circumstances as consent must be given freely under the GDPR. Consent in relation to cookie walls may not be valid, particularly where the user has no real choice but to accept the terms or where the cookie wall is designed to influence or require users to consent to their personal data being collected as a condition of using an online service. However, the ICO recognises that not all cookie tracking is intrusive or high risk and notes in its guidance that the right to protection of personal information under the GDPR is not absolute and must be balanced against other fundamental rights (including freedom to conduct a business).
5. You must inform users of any significant changes to the use of cookies
In addition to informing users of any significant changes, online service providers must allow users to give their informed consent to the use of any new non-essential cookies being used. Online service providers should also seek fresh consent from users periodically, although the ICO notes that the appropriate time frame is likely to be specific to the particular circumstances around the service and its users.
6. And don’t forget if you fail to comply …
The use of cookies is governed by the Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”), which sit alongside the Data Protection Act 2018 and the General Data Protection Regulation. Enforcement of the PECR remains as it was under the Data Protection Act 1998, except for personal data related breaches. The ICO is more likely to take formal action the greater the level of intrusiveness and risk of harm to individuals.
Online service providers should seek to ensure their cookie usage complies with the relevant legislation and latest guidance sooner rather than later.