Why new guidance now?
The guidance also arrives at a time of particular focus – at an EU as well as UK level – on the related issues of cookies, the use of online identifiers, and the adtech industry. The Dutch Data Protection Authority has published new cookie guidance this year, we are awaiting the same this month from the French authority, the ICO has also just published a report on adtech and real time bidding, and in March we had the opinion of Advocate-General Szpunar in the Planet49 case, which focused on cookies.
What has changed?
The most significant changes are to be found in the areas where the GDPR has indirectly imposed higher standards for cookie usage – in particular what constitutes valid consent and transparency. However, the new cookie guidance is also more detailed than previous guidance issued by the ICO, and there has been a deliberate attempt to update the guidance from a technological as well as from a legal perspective. For example, the use of cookie-like technologies in Internet of Things devices is covered.
What are the key takeaways?
The following is a selection of what we consider to be the most important takeaway messages from the new guidance:
- The ICO has confirmed what we already knew – that consent obtained for the purposes of setting cookies must be ‘consent’ as defined by the GDPR. What this means in practice is:
  - a clear positive action – continuing to browse the website is not valid;
  - granularity – the ability to consent to cookies used for some purposes, but not others; and
  - no pre-ticked boxes or sliders set to ‘on’ – the default option for non-essential cookies must be ‘off’.
- A strong indication that, if consent is required to set the cookie under PECR, then consent should also be the lawful basis under Art. 6 of the GDPR for the collection of any personal data by the cookie. Obtaining a cookie consent but citing ‘legitimate interests’ as the GDPR basis will in most cases not be possible.
- In many cases, consent should also be the GDPR basis for the subsequent processing of personal data after its initial collection by the cookie – particularly if that processing is for the purposes of profiling, behavioural analysis or targeted advertising.
- ‘Cookie walls’ (i.e. conditioning access to a site or service on consent to certain cookies) are prohibited if they prevent access to the website in general. However, it may be possible to condition access to specific services on consent to certain cookies.
- ‘Settings-led’ or ‘features-led’ consent may be possible – where the choice to use particular settings or features (e.g. choosing local language website version) is integrated with consent to the supporting cookies, provided this is explained clearly.
- Subscribers vs. users – in some circumstances, it may be appropriate to accept the cookie preferences of the telecommunications subscriber over those of the user. For example, an employer (the subscriber) mandating particular settings on a work device issued to an employee (the user).
- The obligation to provide information about the purposes for which cookies are used must align with GDPR transparency standards (i.e. “concise, transparent, intelligible and easily accessible form, using clear and plain language”). Many cookie policies and pop-up notices will fail this standard.
- Companies setting third party cookies (commonly used for advertising (re)targeting and tracking purposes) must be specifically named.
- The exemptions from the requirement for cookie consent under PECR become much more significant, given that they represent a ‘safe harbour’ from these stricter requirements. There is helpful, detailed guidance on the types of cookies which may benefit from the ‘communication’ and ‘strictly necessary’ exemptions.
- User preferences have a shelf life – after a period of time website operators should re-consent their users. It is unclear how to determine a reasonable period of time in practice.
How should my business respond?