The Information Commissioner’s Office (“ICO”) has recently issued guidance on the use of cookies and similar technologies. That guidance seeks to clarify some of the issues now faced with cookies under the General Data Protection Regulation (“GDPR”) and, in particular, how it interacts with the Privacy and Electronic Communications Regulations (“PECR”). PECR governs the use of cookies for storing information and accessing information stored on a user’s equipment (e.g. a computer or mobile device).

Cookie Law

In short, and irrespective of whether or not the website is processing any personal data, a website is only allowed to set a cookie on a user’s device if:

  • the cookie is strictly necessary; or
  • the user of the website has given their consent.

If personal data is being processed on the website then the normal rules of the GDPR will also apply.

Strictly necessary

A “strictly necessary cookie” has a high threshold: it is a cookie that is either (i) necessary for technical purposes to allow a communication to take place, or (ii) necessary to provide a service the user has requested. Common examples of “strictly necessary” cookies are session cookies used to create a shopping basket, or a security cookie for a requested service.

Consent

For all other types of cookies, consent from the user of the website will be required. Critically, the standard of consent must be GDPR consent. This means that the consent must be freely given, specific, unambiguous and given by a clear affirmative action. The consent must also be informed, i.e. the user must be given clear information about how each cookie is used and why (e.g. a cookie policy). The ICO guidance requires that websites obtain consent before placing any cookies on a user’s computer (unless it is “strictly necessary”).

What does this mean in practice?

  • Cookie Walls – the lawful use of cookie walls by websites will be difficult and require careful thought. Blanket approaches, e.g. “by continuing to use this website you are agreeing to cookies” will not be valid as consent must be “freely given.”
  • Analytics Cookies – the use of analytics cookies is not strictly necessary and requires users’ consent.
  • Third Party Cookies – the use of third party cookies will almost always require consent (especially adtech and social media cookies). This raises difficult questions over who is responsible for obtaining the consent (i.e. the website owner or the third party operator) and how it can lawfully be obtained. It will also require third parties to be explicitly named, and an explanation of how the third party uses those cookies will need to be provided to the user. This is a complex area, and further light may be shed on how websites should approach this issue of compliance at the conclusion of the ICO’s investigation into the adtech sector.

Future uncertainty?

Despite the ICO’s recent guidance, organisations should bear in mind that the EU is introducing a new EU Regulation on Privacy and Electronic Communications. This Regulation will almost certainly include new rules on the use of cookies that might well require further amendments to websites (to the extent that the Regulation is applicable to the UK after Brexit). No fixed deadline has been provided for when the Regulation will be introduced, but the recent steps taken by the ICO with regard to cookies make it clear that those organisations that seek to delay compliance will not receive much sympathy from the regulator.

Next steps:

All organisations that rely on cookies should conduct a cookie audit to identify the cookies they currently use and why. Some cookies may be strictly necessary, whereas it may be possible to remove others altogether (thereby reducing the degree of legal risk). The use of cookies by organisations should be kept under constant review, and we would recommend that all organisations keep a keen eye on the progress of the EU Regulation and the ICO’s investigation into the adtech sector, given the potentially far-reaching impact they will have on the use of cookies.