- tell people that the cookies are there;
- explain what the cookies are doing and why; and
- get the person’s consent to store a cookie on their device, unless the cookie is strictly necessary (i.e. essential to provide the service requested by the user, or to comply with law).
The GDPR is, however, still very relevant to cookies, both because the personal data collected by cookies must be processed in accordance with the GDPR and because some of PECR's key concepts, like the standard of consent, come from the GDPR.
The blog concludes by saying “cookie compliance will be an increasing regulatory priority for the ICO in the future. However, as is the case with all [ICO] powers, any future action would be proportionate and risk-based. Start working towards compliance now - undertake a cookie audit, document your decisions, and you will have nothing to fear.”
To date, some organisations have been adopting a ‘wait and see’ approach to cookie compliance – knowing that the PECR rules themselves are currently under review at EU level and that the ICO had not yet fully updated its cookie guidance. However, this clear message from the ICO, together with continuing delays to the PECR reforms, means that (despite cookie compliance being complex and fact-specific) now is the time to act.