An update on post-GDPR cookie compliance
Clarification from the Information Commissioner's Office ("ICO")
Recent ICO guidance seeks to give organisations clearer direction on the heightened standard of compliance now expected when obtaining cookie consent from individuals.
Stricter requirements for consent
PECR (as updated) requires that an individual's consent be obtained before "non-essential" cookies are set. Neither PECR nor the ePrivacy Directive defines consent, but the DPPEC Regulations (the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019) confirm that the GDPR standard of consent now applies. Consent must therefore be "a freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her".
The GDPR also specifically rules out pre-ticked boxes: silence or inactivity does not constitute consent. Implied consent, such as consent inferred from continued use of the website or from scrolling past a banner, is no longer acceptable.
Consent is not required for "strictly necessary" cookies. These are cookies which are genuinely essential to provide a service the user has requested, such as a session cookie that keeps a user logged in or holds the contents of a shopping basket. What counts as "essential" is likely to be construed narrowly: it will not include analytics cookies, first or third party advertising cookies, social media plugins, or tracking and cross-device tracking cookies.
Steps to take going forward
The ICO have been transparent as to their expectations when it comes to compliance from organisations going forward.
- Pre-ticked boxes are banned, so the default state must be that non-essential cookies are rejected, and they should not be set until the user has actively accepted them. A banner that drops non-essential cookies on page load and merely tells the user after the fact is non-compliant regardless of how it is worded. ICO guidance also specifies that the consent mechanism should not emphasise "agree" or "allow" buttons over those stating "reject", as this could nudge users towards accepting cookies.
- Specific, transparent and unambiguous information about what the cookies do should be provided to individuals before consent is obtained. This should include (among other things) the controller's name, the purposes of the processing, the types of processing activity, and the lawful basis relied on for any subsequent processing of the personal data collected.
- If any third party cookies are used, the relevant third parties should be named and information should be provided on how each of them will use the information collected through their cookies. Fresh consent will need to be obtained whenever a new third party cookie is added, or when a third party changes the purpose(s) for which cookie information is collected and used.
- Specific consent will need to be obtained from users for each different type or group of cookies used (such as advertising, analytics, etc.). ICO guidance advises against over-complicating matters: the aim is a balance between giving the requisite level of detail and keeping the consent request unambiguous and transparent.
- Cookie consent should be easily identifiable and clearly distinguishable from other consents or agreements requested at the same time (such as acceptance of general terms and conditions).
- Individuals must be able to give consent freely and unconditionally, and must also be able to withdraw their consent easily at any time.
If your organisation requires any assistance with any of the matters arising from this article, please contact a member of our IP and Commercial Team.
This article is for general guidance only. It provides useful information in a concise form. Action should not be taken without obtaining specific legal advice.