The guidance clarifies the interplay between the PECR and GDPR and provides practical steps to achieving cookie compliance.
The UK’s data protection supervisory authority, the Information Commissioner’s Office (ICO), published guidance on 3 July 2019 to provide greater clarity to organisations grappling with how the General Data Protection Regulation (GDPR) applies to cookies and similar technologies. The new guidance makes it clear that under the GDPR, consents cannot be the default or blind setting, and consents cannot be bundled, as had been the common “wait and see” practice among many online businesses and sites. Organisations subject to the ICO jurisdiction will want to pay immediate attention to this guidance, including some helpful, pragmatic tips.
Neither the PECR nor the ePrivacy Directive define consent. Accordingly, organisations should adopt the definition provided in GDPR Article 4(11) when assessing “consent” to cookies in the UK (as confirmed in Regulation 8(2) of the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019).
The ICO Guidance
The updated ICO guidance helps to clarify exactly how companies should apply the robust consent requirements under the GDPR to the collection of cookies.
Prior to the release of the guidance, market practices had been emerging that did not apply the full standard of GDPR consent to cookie setting. Specifically, many cookie banners and notices did not provide for unbundled consents to be given for each cookie placed on a website. The impending change to cookie rules in the form of the new European ePrivacy Directive has meant that many organisations have chosen to adopt a “wait and see” attitude toward regulators’ approach and recommendations before making market-leading changes to operations.
This clarity has now been provided by the UK regulator, with the ICO guidance making it clear that consent to cookies should fulfil all of the GDPR criteria. The guidance assesses whether a variety of mechanisms — such as cookie walls, browser settings, and message boxes — are sufficient for obtaining valid consent. As a general rule, the mechanism must seek clear, unbundled acceptance of the cookie or similar technology. For example, the ICO advises that:
- Website terms and conditions and privacy notices cannot be used for cookie consent, as consent must be separate rather than bundled with other matters.
- Cookie walls that require a user to consent to access the services will be inappropriate, as such consent will not be freely given.
Compliance with the ICO guidance
The ICO guidance also provides some practical steps for complying with the cookie rules:
- For pre-existing services, operators might consider a “cookie audit”, which among other things, should: (i) identify specific cookies and cookie types on the relevant platform; (ii) confirm the cookies’ purpose; and (iii) identify what data each cookie holds or processes.
- Operators should record “cookie audit” results, “clean up” webpages based on the results, and repeat audits at regular intervals.
- Organisations should make users aware of cookies when they first visit the relevant platform and consider obtaining fresh consents following updates to content and functionality and when setting non-essential cookies from a new third party.
The ICO also explores operational considerations, such as record-keeping, refreshing consents, and cookie duration — all of which will be very much welcomed by organisations looking to implement new measures.
What next for cookie consent?
The updated guidance indicates that cookie consent is an area of focus for the ICO. Online service providers should therefore adopt the recommendations. While PECR infringement penalties are considerably lower than penalties under the GDPR (the enforcement regime under PECR remains that which was in effect under the Data Protection Act 1998), compliance remains important. The ICO guidance specifically notes that it “cannot exclude formal action” in this area.
It is important to note that all EU member states have their own implementing legislation for the ePrivacy Directive and the ICO guidance only relates to the UK. Therefore, businesses may want to consider IP-gating websites when applying the ICO recommendations if they do not agree with rolling them out Europe-wide. In our opinion however, the ICO guidance serves as a best practice guide, and we recommend implementing the recommendations broadly, where possible. Other supervisory authorities will likely follow in the ICO’s footsteps with similar guidance.
As next steps, companies should consider cookie audits where necessary, review and update cookie policies, and benchmark consent collection practices against the recommendations in the guidance.