On 3 July 2019, the UK’s Information Commissioner’s Office (“ICO”) published new guidance on cookies and similar technologies (“Guidance”) in conjunction with a new blog post: “Cookies – what does ‘good’ look like?” which aims to provide “myth-busting” advice on common cookies uncertainties. You can find a full copy of the new guidance here. With its new Guidance, the ICO has formally recognised the stricter standards of consent and transparency now in force under the GDPR.
Whilst the rules on cookies derive from the e-Privacy Directive which is implemented in each EU Member State (for example, in the UK, by the Privacy and Electronic Communications Regulations (PECR)), a number of important related concepts (e.g., consent and transparency) and the collection of personal data by cookies are governed by the GDPR. The Guidance is intended to reflect these developments and interactions, as well as advances in technology, such as “the Internet of Things”, since the ICO’s last guidance was published.
The Guidance comes at a time of increased focus on cookies and related issues. The Dutch DPA has recently published new cookie guidance, and the French CNIL is expected to do the same shortly. In addition, the ICO has updated its own cookie control mechanism on its website to mirror its new guidance to include more information about what cookies are used and an updated consent mechanism for Google Analytics cookies. It appears this may have been partially in response to criticism of the ICO website’s own approach to cookies, after it was reported in June of this year that the ICO admitted its then-current cookies policy was non-compliant.
We highlight a few of the key takeaways from the Guidance here:
- Consent for non-essential cookies must comply with GDPR standards, which means it must involve: (i) a clear positive action (continuing to browse the website is not sufficient) and not implied consent; (ii) granularity (the ability to consent to cookies used for some purposes, but not others); and (iii) no pre-ticked boxes or sliders set to ‘on’ (i.e., the default option for non-essential cookies must be off).
- The legitimate interest legal ground cannot be used as an alternative for consent to place non-essential cookies on a website, as PECR always requires consent for non-essential cookies such as those used for marketing and advertising. This must be GDPR-standard consent. The Guidance also confirms that it is likely that, for any subsequent processing of personal data collected via cookies, consent will be the most appropriate lawful basis under the GDPR.
- The Guidance provides useful examples of the types of cookies requiring consent and those which may benefit from the “strictly necessary” or “communication” exemptions. The “strictly necessary” exemption means that storage of (or access to) information is essential, rather than reasonably necessary. For example, the Guidance is clear that analytics cookies (e.g., to count the number of users on your website) are not strictly necessary and will require consent.
To help address the above recommendations, the ICO recommends that organisations conduct a “cookie audit” which will, amongst other checks: (i) confirm the purpose(s) of each cookie; (ii) confirm the type of cookie (session or persistent); (iii) distinguish between those that are strictly necessary and non-essential; (iv) document the findings; and (v) consider follow-up actions whilst building in an appropriate review period. The ICO views this as an opportunity for organisations to ‘clean up’ existing web pages and stop using unnecessary cookies, particularly if the website has evolved since an initial assessment was undertaken.
The Guidance confirms that enforcement action will vary, as expected, depending on the level of privacy intrusion and risk of harm posed by cookies and related technologies (e.g., first party cookies for analytics purposes are typically considered to present a lower risk of harm compared with those used for advertising or behavioural profiling). It is also worth noting that the current enforcement regime for PECR remains as was in effect under the old UK Data Protection Act 1998 (except where personal data is processed, in which case the GDPR enforcement penalties will apply). However, it is expected that this will be brought into line with the GDPR with the introduction of the e-Privacy Regulation, which will replace the e-Privacy Directive when finalised.