Cookies are files of information which a provider of an online service, such as a website operator, can store on a user’s device. On subsequent visits, the website can access information stored in the cookies to tailor the site to that user’s previous preferences – for example, shopping baskets from prior visits may remain filled, or similar goods to those searched last time may be displayed.
The ICO's updated guidance on cookies reflects the stricter data protection standards introduced by the General Data Protection Regulation (“GDPR”). Although cookies are regulated by the Privacy and Electronic Communications Directive (2002/58/EC) (which, in the UK, was implemented by the Privacy and Electronic Communications Regulations (“PECR”)), they are affected by the GDPR as PECR cross-refers to the GDPR – for example, for the definition of consent. Additionally, wherever personal data is processed, the GDPR will also apply.
The new guidance is much more detailed than the previous ICO guidance on cookies and has been updated not only from a legal standpoint, but also a technological standpoint. For organisations looking to overhaul or review their cookie practices, it is well worth a read in full. We have set out below some of what we consider to be the key points from the guidance.
1. Express consent
The ICO has confirmed the position most organisations have been taking: consent must be to the GDPR standard; that is, it must be a freely given, specific, informed and unambiguous indication of the data subject’s wishes by a statement or clear affirmative action.
Note that consent is not required for "strictly necessary" cookies (those that are essential to provide the service requested by the user, for example, cookies that remember items a user has placed in their shopping basket).
2. Granularity and withdrawal
Consent must also be granular in that it must allow the user to choose which cookies they wish to consent to; it must not be a blanket consent. Many websites have made use of a user preferences area where users can select which cookies they are happy to consent to and which they are not. Provided this is easily accessible, this also gives users an easy way to withdraw their consent to any cookies for which they have previously provided consent, as required under the GDPR.
3. Clear and comprehensive information
PECR requires organisations to give "clear and comprehensive information" about the cookies they propose to set. This is not defined; instead the legislation says that it should be provided in accordance with data protection law. Accordingly, the GDPR transparency principle comes into play. Organisations must clearly inform users about the cookies intended to be used, the purposes for which they intend to use them, and the duration of the cookies, in a similar way to how privacy notice information is given.
4. Third party cookies
Organisations must also provide information on, and allow the user to choose whether or not to consent to, any cookies set by third parties, for example, Google Analytics, online advertising networks and social media platforms. This includes clearly and specifically naming the third parties and explaining what they will do with the information. The ICO states that ambiguous or unclear references to "partners" or "third parties" would mean consent is invalid as it is not specific and the user is not fully informed.
The ICO acknowledges that, in practice, it can be challenging to give a user controls over third party cookies as not all consent mechanisms enable users to disable cookies from third parties directly. However, the ICO’s view is that the organisation ultimately determines what cookies are set on its website and should therefore consider whether or not its consent mechanism allows a user to control third party cookies before incorporating such third party cookies.
5. Cookie walls
The ICO makes clear that cookie walls (which require a user to agree to the setting of cookies before they can access the website content) will not be appropriate in many circumstances, for example, when the user has no genuine choice but to agree. In such a situation, the "consent" would not be freely given and would therefore not meet the GDPR standard.
6. Duration of consent
Fresh consent may not be needed every time a user visits a website, but organisations should consider how often they may need to refresh consent, bearing in mind frequency of visits and updates of content or functionality. For example, if it is intended to set a new cookie, a new consent would be needed as the user has not previously consented to that cookie.
7. Relationship with GDPR lawful bases
The ICO makes clear that where consent is required for such cookies, in practice consent is also the most appropriate lawful basis for processing of personal data under the GDPR. This is because trying to apply another lawful basis such as legitimate interests when you already have GDPR-compliant consent would “be an entirely unnecessary exercise, and would cause confusion for your users.”
For cookies that involve processing of personal data, organisations need to make sure that the consents they collect address both the setting of the cookie and the processing of the personal data involved. The ICO’s view is that consent is likely to be the most appropriate lawful basis for any subsequent processing of the personal data collected by cookies, particularly if for the purposes of profiling or targeted advertising.
Enforcement and Sanctions
The enforcement regime under PECR has not changed (except where personal data is processed). The maximum fine that can be levied under PECR is £500,000. However, if the ICO determines that there has also been a breach of the GDPR, it could combine a fine under PECR with a fine under the GDPR (which can be up to the higher of €20 million or 4% of an organisation’s worldwide annual turnover).
The ICO had previously stated that cookie compliance was not a priority area for enforcement. That statement is caveated in the new guidance to clarify that it is not a priority area where there is a low level of intrusiveness and low risk of harm to individuals. In deciding on enforcement action, the ICO will take into account whether an organisation has done everything it can to clearly inform users.
Cookies carrying the highest risk of enforcement action are those that are persistent in nature and continue to store data after the user exits the website, and those used for more intrusive purposes, such as targeted advertising campaigns.
One of the ICO’s recommendations is that organisations setting cookies or similar devices should consider undertaking a cookie audit, identifying what cookies are being used and for what purpose, and deleting those that are no longer useful to the business. The remaining useful cookies should then be separated into those that do and do not require consent. Mechanisms to gather consent should be put in place, ensuring that:
- the request for consent is easy to read, in clear language and clearly distinguished from other terms or conditions. It should list the cookies used and explain what data is being collected, by whom and for what purpose;
- the giving of consent is a pro-active step, such as ticking a box or clicking an "accept" button; and
- users must be aware prior to giving consent that revoking consent is just as easy, and will not inhibit the user’s access to the website or the service it provides.
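As an added illustration of how the audit and consent mechanism above translate into site code (this is not code from the ICO guidance or from this article), the following JavaScript routes every cookie write through one consent check. The cookie registry, its category names, the providers listed in it and the in-memory cookie jar are constructed for the example; a real site would replace MemoryCookieJar with a wrapper around document.cookie. It also covers the "fresh consent" point from section 6: consent is recorded against the cookie names the user actually saw, so a cookie added to a category later is not treated as consented.

```javascript
// Added example, not code from the ICO guidance or this article. The cookie
// registry, category names, providers and the in-memory jar are constructed
// for illustration; a real site would swap MemoryCookieJar for document.cookie.

// Output of the cookie audit: every cookie the site sets, who sets it, why,
// and how long it lives. The consent notice is built from the same data.
const COOKIE_REGISTRY = {
  basket:     { category: 'strictly_necessary', provider: 'first party',
                purpose: 'remembers items in the shopping basket', maxAgeDays: 1 },
  session_id: { category: 'strictly_necessary', provider: 'first party',
                purpose: 'keeps the user logged in', maxAgeDays: 0 },
  _ga:        { category: 'analytics', provider: 'Google Analytics',
                purpose: 'site usage statistics', maxAgeDays: 730 },
  ad_id:      { category: 'advertising', provider: 'Example Ad Network (constructed name)',
                purpose: 'targeted advertising', maxAgeDays: 365 },
};

// Stand-in for the browser cookie store so the example runs outside a browser.
class MemoryCookieJar {
  constructor() { this.store = new Map(); }
  set(name, value, maxAgeDays) { this.store.set(name, { value, maxAgeDays }); }
  remove(name) { this.store.delete(name); }
  has(name) { return this.store.has(name); }
}

class ConsentManager {
  constructor(registry, jar) {
    this.registry = registry;
    this.jar = jar;
    // category -> Set of cookie names the user saw when they consented.
    // Recording the names, not just the category, means a cookie added
    // later is not covered by the earlier consent.
    this.consent = new Map();
  }

  // Called only from a positive action (an "accept" click or a ticked box),
  // never on page load or merely because the user kept browsing.
  grant(categories) {
    for (const cat of categories) {
      if (cat === 'strictly_necessary') continue; // no consent needed or recorded
      const names = Object.keys(this.registry)
        .filter(n => this.registry[n].category === cat);
      this.consent.set(cat, new Set(names));
    }
  }

  // Withdrawal is as easy as granting: drop the record and delete the cookies
  // in that category, leaving strictly necessary cookies (and access) intact.
  withdraw(categories) {
    for (const cat of categories) {
      this.consent.delete(cat);
      for (const [name, entry] of Object.entries(this.registry)) {
        if (entry.category === cat) this.jar.remove(name);
      }
    }
  }

  // Does the consent currently on record cover this specific cookie?
  covers(name) {
    const entry = this.registry[name];
    if (!entry) return false;
    if (entry.category === 'strictly_necessary') return true;
    const seen = this.consent.get(entry.category);
    return seen !== undefined && seen.has(name);
  }

  // The single choke point through which all cookie writes go.
  // Returns true if the cookie was set, false if consent is missing.
  setCookie(name, value) {
    const entry = this.registry[name];
    if (!entry) throw new Error(`unregistered cookie "${name}": add it to the audit first`);
    if (!this.covers(name)) return false;
    this.jar.set(name, value, entry.maxAgeDays);
    return true;
  }

  // Rows for the consent notice: name, who sets it, purpose, duration and
  // whether it needs consent. Third parties are named individually rather
  // than summarised as "partners".
  notice() {
    return Object.entries(this.registry).map(([name, e]) => ({
      name, provider: e.provider, purpose: e.purpose, maxAgeDays: e.maxAgeDays,
      requiresConsent: e.category !== 'strictly_necessary',
    }));
  }
}
```

The design choice worth noting is that setCookie is the only path to the cookie store, so a tag added to the page without an entry in the registry fails loudly instead of silently setting an unaudited cookie; the same choke point is where a third-party script loader would be gated.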
PECR is part of UK law and will continue to be so even after the UK leaves the EU. The GDPR has also been incorporated into UK law and supplemented by the Data Protection Act 2018.
However, a new e-Privacy Regulation is on the horizon (it was intended to come into force at the same time as the GDPR, but the text has still not been finalised). It is currently estimated that the text might be agreed and adopted in 2019, becoming directly applicable in EU member states in 2021. It therefore may not become directly applicable until after the UK leaves the EU; however, the UK is likely to revise its national legislation to mirror the e-Privacy Regulation.