You may have read our previous blawg on cookies – however, this was pre-GDPR and so is no longer up to date. As the ICO have recently published their updated cookie guidance (and also the cookie pop-ups on their own website), now seemed a good time to update ours!
The starting position, as was generally previously the case, is that you must:
• tell people if you set cookies
• clearly explain what cookies you use and the purposes you intend to use them for
• obtain their consent.
This applies to cookies and “similar technologies” such as scripts, tracking pixels and plugins. For the purposes of this blawg, we’ll use the term cookies but the requirements apply across the board.
Put simply – the meaning of “consent”.
The definition of consent for cookies (which are covered by the Privacy and Electronic Communications Regulations 2003 or PECR) comes from data protection law – so when the GDPRs came in and tightened up the requirements for consent, this applied to cookies as well.
So what is consent?
The law says that consent must be:
• freely given
• unambiguous indication.
This now requires explicit consent from an individual, i.e. a positive action such as ticking a box.
Previously, implied consent may have been suitable, but the ICO have made clear that using a pop-up which states that continued use of your website is “consent” is no longer enough.
So, unless and until you obtain consent you should not set any cookies.
Does this apply to all cookies?
No, but the two exemptions are narrow.
The one which people have previously tried to rely on is the “strictly necessary” exemption. However, this relates to what is strictly necessary from the viewpoint of the individual, rather than your own. So strictly necessary does not cover cookies which bring in revenue for your business, for example advertising cookies.
The ICO gives the following examples of when this may or may not be appropriate:
Activity – Likely to meet the ‘strictly necessary’ exemption? ✓ or x
– A cookie used to remember the goods a user wishes to buy in the checkout area or add goods to their shopping basket – ✓
– Cookies that are essential to comply with the GDPR’s security principle for an activity the user has requested, for example in connection with online banking services – ✓
– Cookies that help ensure that the content of a page loads quickly and effectively by distributing the workload across numerous computers (this is often referred to as ‘load balancing’ or ‘reverse proxying’) – ✓
– Cookies used for analytics purposes, eg to count the number of unique visits to a website – x
– First and third-party advertising cookies (including those used for operational purposes related to third-party advertising, such as click fraud detection, research, product improvement, etc.) – x
– Cookies used to recognise a user when they return to a website so that the greeting they receive can be tailored – x
What does this mean for us?
If your website is already meeting these requirements, then well done!
But unfortunately for many it probably means some work. We would recommend:
• carrying out a cookie audit
• updating your cookie consent mechanism
• carrying out a re-consenting exercise
• ongoing consent – each time you introduce a new cookie, you need to obtain consent for that cookie.
New cookie law is coming?
A new cookie law to replace PECR was expected to come into force around the same time as the GDPRs. However, a year on, the final text still hasn’t been agreed.
When it does finally come into force, the guidance currently available suggests the focus will link to the principle under the GDPRs of privacy by default and by design – so shifting some of the responsibility on to web browsers and software developers to allow users to easily manage their cookie settings, particularly third-party cookies.
We will keep an eye out for developments in this new law.
Where can I find more information?
The ICO have updated their cookie guidance which can be found at – https://ico.org.uk/for-organisations/guide-to-pecr/guidance-on-the-use-of-cookies-and-similar-technologies/
If you use adtech and real time bidding on your site, the ICO has also issued their initial report on this subject, including the issues this creates. Find that here – https://ico.org.uk/media/about-the-ico/documents/2615156/adtech-real-time-bidding-report-201906.pdf
Or get in touch if you’ve got an issue you want more help with.