An update on post-GDPR cookie compliance

Clarification from the Information Commissioner’s Office (“ICO”)

The ICO have provided guidance on the interplay between the Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”) and the General Data Protection Regulation (“GDPR”), in order to clarify the requirements for the use of cookies following growing uncertainty about the relationship between the two.

Background

The use of cookies is subject to PECR (which are derived from European law and implement European Directive 2002/58/EC (the “ePrivacy Directive”)) and to the GDPR. PECR has recently been updated by the Data Protection, Privacy and Electronic Communications (Amendment etc.) (EU Exit) Regulations 2019 (“the DPPEC Regulations”), which came into effect on 9 January 2019. The DPPEC Regulations confirm that, as of 29 March 2019, in order to use cookies in the UK organisations must (in most cases) demonstrate that consent has been obtained from the user in accordance with the requirements set out under the GDPR.

Recent ICO guidance seeks to give organisations clearer direction on the heightened degree of compliance expected when obtaining cookie consent from individuals.

Stricter requirements for consent

PECR (as updated) requires that an individual’s consent must be obtained to use “non-essential” cookies. Neither PECR nor the ePrivacy Directive defines consent; however, the DPPEC Regulations have confirmed that the GDPR standard of consent now applies. This means that consent must be “a freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”.

The GDPR also specifically bans pre-ticked boxes – silence or inactivity does not constitute consent. Further, implied consent, such as consent inferred by continued use of the website, is no longer acceptable.

Consent is not required for “strictly necessary” cookies. These are cookies which are genuinely essential to provide a service requested by the user. What is deemed “essential” is likely to be construed narrowly (for example, it will not include analytics cookies, first or third party advertising cookies, social media plugins, or tracking or cross-device tracking cookies).

Steps to take going forward

The ICO have been transparent as to their expectations when it comes to compliance from organisations going forward.

In light of their guidance, a pragmatic approach would be for organisations to undertake a thorough review of their current cookie policy, and to ensure that appropriate banners and consent mechanisms are in place on their website. Below are a few suggestions on the areas that could be re-evaluated in light of the above:

  • Pre-ticked boxes are banned, so default settings should be set so that cookies are rejected unless and until the user accepts them. ICO guidance specifies that the consent mechanism should not emphasise “agree” or “allow” buttons over those stating “reject”, as this could nudge users towards accepting cookies.
  • Specific, transparent and unambiguous information should be provided to individuals about what the cookies do before consent is obtained. Information should include (among other things) the controller’s name, the purposes of the processing, the types of processing activity and the lawful basis for such processing.
  • If any third party cookies are used, the relevant third parties should be identified and information should be provided on how those third parties will use the information collected from their cookies. Fresh consent will need to be obtained each time a new third party cookie is added or if a third party changes the purpose(s) for which cookie information is collected and used.
  • Specific consent will need to be obtained from users for each different type or group of cookies used (such as advertising, analytics etc.). ICO guidance advises against over-complicating matters and suggests striking a balance between providing the requisite level of detail and maintaining an unambiguous and transparent approach to obtaining consent.
  • Cookie consent should be easily identifiable and distinguishable from other requisite consents (such as general terms and conditions).
  • Individuals must be able to give consent freely and unconditionally, and must also be able to withdraw their consent easily at any time.
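As an added illustration (not part of the article, and not code from the ICO or Rollits), the script below shows how a website’s own consent logic can implement the points above: non-essential categories start rejected, only an explicit affirmative choice per category counts, cookie writes are gated on that choice, a newly added or re-purposed third party invalidates the stored consent, and withdrawal is a single step. The category names, vendor names, the in-memory cookie jar standing in for `document.cookie`, and the function names are all assumptions made for the example.

```javascript
// Added example: a minimal consent gate for non-essential cookies.
// Category and vendor names, the Map used as a stand-in for document.cookie,
// and all function names are constructed for this demo.

const NON_ESSENTIAL = ["analytics", "advertising", "social"];

// A first-time visitor: nothing is pre-ticked, so every non-essential
// category starts rejected and nothing is inferred from continued browsing.
function defaultConsent() {
  const categories = {};
  for (const c of NON_ESSENTIAL) categories[c] = false;
  return { categories, vendors: [], givenAt: null };
}

// Record an explicit choice per category. Only a literal `true` produced by
// the user's action counts as consent; a missing or other value is rejection.
// `disclosedVendors` lists the third parties (name + purpose) the user was
// shown at the time, so later changes can be detected.
function recordChoice(choices, disclosedVendors, now = Date.now()) {
  const categories = {};
  for (const c of NON_ESSENTIAL) categories[c] = choices[c] === true;
  const vendors = disclosedVendors.map((v) => `${v.name}:${v.purpose}`);
  return { categories, vendors, givenAt: now };
}

// Withdrawal is one step that returns the visitor to the rejected state.
function withdrawConsent() {
  return defaultConsent();
}

// Fresh consent is needed whenever a third party appears that the user was
// not told about, or a known third party's purpose has changed.
function needsFreshConsent(record, currentVendors) {
  return currentVendors.some(
    (v) => !record.vendors.includes(`${v.name}:${v.purpose}`)
  );
}

// Gate every cookie write: strictly necessary cookies always pass; anything
// else is written only if its category is currently consented to.
// Returns whether the cookie was actually set.
function setCookie(jar, record, name, value, category) {
  const allowed =
    category === "essential" || record.categories[category] === true;
  if (allowed) jar.set(name, value);
  return allowed;
}

// Walk-through over a constructed browsing session.
function demo() {
  const jar = new Map();
  let record = defaultConsent();
  const vendors = [{ name: "ExampleAnalytics", purpose: "analytics" }];

  // Session cookie needed for the requested service: no consent required.
  setCookie(jar, record, "session_id", "abc123", "essential");
  // Analytics cookie before any choice has been made: blocked.
  const blocked = setCookie(jar, record, "_ea", "uid-1", "analytics");

  // User ticks analytics only; advertising and social stay rejected.
  record = recordChoice({ analytics: true }, vendors, 1000);
  const allowed = setCookie(jar, record, "_ea", "uid-1", "analytics");
  const adBlocked = setCookie(jar, record, "_ad", "x", "advertising");

  // A second vendor is added later: the stored consent no longer covers it.
  const stale = needsFreshConsent(record, [
    ...vendors,
    { name: "ExampleAds", purpose: "advertising" },
  ]);

  // User withdraws: back to the all-rejected default.
  record = withdrawConsent();
  return { blocked, allowed, adBlocked, stale, jar, record };
}
```

The point of structuring it this way is that the cookie-writing call site never decides for itself; every non-essential write passes through `setCookie`, which consults the stored record, so there is no path by which a script can drop an analytics or advertising cookie before, or after, the user has said no.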

If your organisation requires any assistance with any of the matters arising from this article, please contact a member of our IP and Commercial Team.

Posted on: 29/08/2019

This article is for general guidance only. It provides useful information in a concise form. Action should not be taken without obtaining specific legal advice.
