Why has the ICO published new guidance now?
What does the Guidance cover?
What are the key changes from the previous guidance?
Consent for non-essential cookies (e.g. analytics cookies, advertising cookies)
- The Guidance confirms that the GDPR standard of consent applies in relation to cookies. This means that the use of non-essential cookies must be based on freely given, specific, informed and unambiguous consent by the user or subscriber, and must be confirmed by a statement or positive action. Users must therefore take a clear and positive action to consent to non-essential cookies; pre-ticked boxes or their equivalents (such as sliders defaulted to "on") will not be sufficient. However, it remains the position that consent is not required for "strictly necessary" cookies, i.e. cookies which are genuinely essential to provide a service requested by the user.
- Implied consent is no longer acceptable (e.g. consent implied from the continued use of the website).
- "Cookie walls" which block general access to a website if consent is not provided do not constitute valid consent, the reason being that if the user has no choice but to accept cookies, the consent will not be freely given. However, it may sometimes be possible to use a cookie wall in respect of specific website content where the cookies concerned are necessary to provide a particular online service.
- The ICO's position remains that cookie consent should be separate from other matters, and should not be bundled into terms and conditions or into privacy notices.
- "Nudge behaviour" is not acceptable, for example where more prominence is given to "agree"/"accept" over "reject"/"block" (even if a "more information" option is also made available).
- Users should be asked to reconfirm their preferences at regular intervals. Online service providers will need to decide both an appropriate interval between the occasions on which they require users to select their preference (whether that is consent or rejection) and when that preference expires (after which the user would need to be given the option again). For example, most websites record users' decisions to accept or reject non-essential cookies in a separate persistent cookie, which expires after a set period. If the persistent cookie recording the user's preference expires before their next visit, the user will need to be asked again on that visit.
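As an added illustration of the expiry point above (this is example code written for this page, not part of the ICO Guidance or any consent-management product), the following Node.js-compatible JavaScript records an explicit accept or reject decision in a persistent cookie with a fixed lifetime, treats a missing, malformed or lapsed record as "no decision" so that the banner must be shown again and no non-essential cookie may be set, and never lets a category default to "on". The cookie name `cookie_consent`, the 180-day interval and the category names `analytics` and `advertising` are assumptions chosen for the example.

```javascript
// Added example: consent-state logic for a cookie banner (not from the ICO Guidance).
// Cookie name, TTL and category names below are assumptions for illustration only.
const CONSENT_COOKIE = "cookie_consent";
const CONSENT_TTL_DAYS = 180;
const CONSENT_TTL_MS = CONSENT_TTL_DAYS * 86400 * 1000;
const NON_ESSENTIAL = ["analytics", "advertising"];

// Parse a Cookie request header ("a=1; b=2") into a name -> value object.
function parseCookies(header) {
  const out = {};
  for (const part of (header || "").split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    const value = part.slice(idx + 1).trim();
    if (name) out[name] = decodeURIComponent(value);
  }
  return out;
}

// Build the Set-Cookie header that records an explicit decision.
// `decision` is e.g. {analytics: true, advertising: false}. A rejection is
// recorded as well, so the user is not re-asked on every page view, and any
// category not positively accepted is stored as false (nothing defaults to on).
function buildConsentCookie(decision, now = Date.now()) {
  const record = { ts: now };
  for (const c of NON_ESSENTIAL) record[c] = decision[c] === true;
  const expires = new Date(now + CONSENT_TTL_MS).toUTCString();
  const value = encodeURIComponent(JSON.stringify(record));
  return `${CONSENT_COOKIE}=${value}; Expires=${expires}; Path=/; Secure; SameSite=Lax`;
}

// Read the stored decision from a Cookie header.
// Returns {state: "unset"|"decided", choices}. "unset" means the banner must be
// shown and no non-essential cookie may be set: there is no implied consent, and a
// missing, malformed or lapsed record is treated as no decision at all.
function readConsent(cookieHeader, now = Date.now()) {
  const none = { state: "unset", choices: {} };
  const raw = parseCookies(cookieHeader)[CONSENT_COOKIE];
  if (!raw) return none;
  let record;
  try {
    record = JSON.parse(raw);
  } catch (e) {
    return none;
  }
  // The timestamp is checked server-side rather than trusting the browser's Expires
  // handling, so a lapsed preference is re-requested even if the cookie lingers.
  if (!record || typeof record.ts !== "number" || now - record.ts > CONSENT_TTL_MS) {
    return none;
  }
  const choices = {};
  for (const c of NON_ESSENTIAL) choices[c] = record[c] === true;
  return { state: "decided", choices };
}

// Gate for loading a non-essential script: only when that category was
// positively accepted. An "unset" state never permits loading.
function mayLoad(category, consent) {
  return consent.state === "decided" && consent.choices[category] === true;
}

// Turn a Set-Cookie header back into the "name=value" a browser would send.
function toCookieHeader(setCookie) {
  return setCookie.split(";")[0];
}
```

Two design points worth noting: the decision is gated on a stored `true`, so an absent or unknown category is treated as rejected rather than accepted, and the expiry is enforced from the timestamp inside the record rather than only through the cookie's `Expires` attribute, so the "ask again after the interval" behaviour does not depend on the client honouring expiry.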
Legal bases for processing personal data
- The ICO clarifies that, to comply with PECR, consent will always be needed for non-essential cookies (such as those used for marketing and advertising). Other legal bases, such as legitimate interest, cannot be relied on to set these cookies.
- Where personal data is involved, it may be possible to rely on a legal basis other than consent (such as legitimate interest) for subsequent processing of that data after the cookies are initially set. However, the ICO considers that consent will often still be the most appropriate legal basis for personal data processing that follows or depends on the setting of cookies. This is particularly likely to be the case if the data is shared with third parties or used for the purposes of profiling and targeted advertising.
- PECR requires organizations to provide "clear and comprehensive information" about the cookies they use. The ICO has clarified that this is closely linked to the GDPR's transparency requirements and means a cookie notice must provide the same kind of information as a privacy notice. In particular, a cookie notice should include details of the cookies used and the purposes for which they will be used.
The new Guidance includes more detail than the previous guidance in relation to third-party cookies. The Guidance clarifies that where a website sets third party cookies, both the website publisher and the third party have a responsibility for ensuring users are clearly informed about cookies and for obtaining consent (although the ICO acknowledges that in practice this will be considerably more difficult for the third party, given that they have little direct control over the user interface).
The ICO therefore encourages website publishers and third parties that set cookies to work together. In particular:
- Websites which use third-party cookies must clearly and specifically name who the third parties are and explain what they will do with the information (vague references to "partners" or "third parties" should be avoided).
- Third parties wishing to set cookies should include a contractual obligation in their agreements with web publishers, requiring the web publisher to provide users with information about the third-party cookies and to obtain valid consent.
- In addition to requesting contractual assurances, third parties setting cookies are also advised to take further steps to ensure any consents they will need to rely on have been validly obtained by the web publisher.
Cookies on third-party websites (e.g. social media platforms)
If an organization has a presence on a social media platform, the organization will also have responsibility (as a joint controller together with the social media platform) with respect to users who visit that organization's pages on the platform. This includes situations where the platform sets cookies on the user's device when they visit the organization's page (for example, to provide the organization with statistical information about how users interact with its social media presence). This remains the case even where the social media platform only provides its customers with anonymized or aggregated information.
Organizations should therefore ensure that their own privacy notices include reference to any social media presence they have, and how users can control the setting of any non-essential cookies when they visit the organization's social media page. In addition, the organization should include information about its data processing on the social media page itself (for example, by linking back to its main privacy notice).
In addition to the points above, the Guidance also provides clarification on a number of other areas, including cookie audits, extra-territorial applicability of the cookie rules, use of analytics cookies, and the duration of cookies.
The Guidance confirms that the cookie rules will continue to be enforced by the ICO under the PECR regime (where the maximum fine is £500,000) except where personal data is processed - in which case it would also be open to the ICO to use its enhanced powers under the GDPR. The ICO has indicated that it intends to take a risk-based approach and states in the Guidance that it is unlikely to prioritize enforcement action in relation to cookies with a low level of intrusiveness and low risk of harm to individuals, which is of some comfort. However, the ICO also states in the Guidance that it may consider taking action where an organization refuses to take steps to comply, or uses privacy-intrusive cookies without taking adequate steps to provide the requisite information and secure valid consent.
What should you do now?
You may already have updated your cookie banners and consent mechanisms in light of the GDPR. However, the new Guidance provides long-awaited clarity and certainty around the interplay between the GDPR and the PECR cookie requirements, and for some organizations, it is likely more work will need to be done. The ICO has also made it clear that it expects organizations to begin taking steps to comply now.
You should therefore review your current approach to cookies in light of the ICO's Guidance, and consider whether you need to make any changes to bring your practices into line with the ICO's expectations.