Jul 112019

UK ICO Publishes New Guidance on the Use of Cookies and Similar Technologies

Eleanor Dodding, William RM Long and Geraldine Scali
, , , , ,

On 3 July 2019, the UK’s Information Commissioner’s Office (“ICO”) published new guidance on cookies and similar technologies (“Guidance”) in conjunction with a new blog post: “Cookies – what does ‘good’ look like?” which aims to provide “myth-busting” advice on common cookies uncertainties. With its new Guidance, the ICO has formally recognised the stricter standards of consent and transparency now in force under the GDPR.

Whilst the rules on cookies derive from the e-Privacy Directive which is implemented in each EU Member State (for example, in the UK, by the Privacy and Electronic Communications Regulations (PECR)), a number of important related concepts (e.g., consent and transparency) and the collection of personal data by cookies are governed by the GDPR. The Guidance is intended to reflect these developments and interactions, as well as advances in technology, such as “the Internet of Things”, since the ICO’s last guidance was published.

The Guidance comes at a time of increased focus on cookies and related issues. The Dutch DPA has recently published new cookie guidance, and the French CNIL is expected to do the same shortly. In addition, the ICO has updated its own cookie control mechanism on its website to mirror its new guidance to include more information about what cookies are used and an updated consent mechanism for Google Analytics cookies. It appears this may have been partially in response to criticism of the ICO website’s own approach to cookies, after it was reported in June of this year that the ICO admitted its then-current cookies policy was non-compliant.

We highlight a few of the key takeaways from the Guidance here:

  1. Consent for non-essential cookies must comply with GDPR standards, which means it must involve: (i) a clear positive action (continuing to browse the website is not sufficient) and not implied consent; (ii) granularity (the ability to consent to cookies used for some purposes, but not others); and (iii) no pre-ticked boxes or sliders set to ‘on’ (i.e., the default option for non-essential cookies must be off).
  2. The legitimate interest legal ground cannot be used as an alternative for consent to place non-essential cookies on a website, as PECR always requires consent for non-essential cookies such as those used for marketing and advertising. This must be GDPR-standard consent. The Guidance also confirms that it is likely that, for any subsequent processing of personal data collected via cookies, consent will be the most appropriate lawful basis under the GDPR.
  3. The Guidance provides useful examples of the types of cookies requiring consent and those which may benefit from the “strictly necessary” or “communication” exemptions. The “strictly necessary” exemption means that storage of (or access to) information is essential, rather than reasonably necessary. For example, the Guidance is clear that analytics cookies (e.g., to count the number of users on your website) are not strictly necessary and will require consent.
  4. Blanket cookie walls to restrict access to websites until a user consents to the use of cookies are unlikely to represent valid consent. The Guidance confirms that statements such as “by continuing to use this website you are agreeing to cookies” is not considered valid consent under the higher GDPR standard. However, it should be noted that the ICO is still seeking further opinions on this point, recognising that there are practical considerations and differing opinions around the use of partial cookie walls. Therefore, pending further guidance, it may still be possible to condition access to specific services on consent to certain cookies.
  5. Information provided on cookies must align with the GDPR standards for transparency. Cookies policies and banners will need to provide information about the purposes for which cookies are used to the same standard as the GDPR (i.e., concise, transparent, intelligible, and easily accessible form, using clear and plain language). Consent for cookies cannot be buried in terms and conditions and organisations always should be upfront about the use of cookies.
  6. If an organisation’s use of cookies changes significantly, users will need to be made aware of these changes to allow them to make an informed choice about the new activity. Equally, organisations will need to consider “re-consenting” users after an appropriate period of time has passed. However, the ICO does not provide guidance on how to determine such period of time, acknowledging that this will be context specific.

Cookie Audit

To help address the above recommendations, the ICO recommends that organisations conduct a “cookie audit” which will, amongst other checks: (i) confirm the purpose(s) of each cookie; (ii) confirm the type of cookie (session or persistent); (iii) distinguish between those that are strictly necessary and non-essential; (iv) document the findings; and (v) consider follow-up actions whilst building in an appropriate review period. The ICO views this as an opportunity for organisations to ‘clean up’ existing web pages and stop using unnecessary cookies, particularly if the website has evolved since an initial assessment was undertaken.

Enforcement

The Guidance confirms that enforcement action will vary, as expected, depending on the level of privacy intrusion and risk of harm posed by cookies and related technologies (e.g., first party cookies for analytics purposes are typically considered to present a lower risk of harm compared with those used for advertising or behavioural profiling). It is also worth noting that the current enforcement regime for PECR remains as was in effect under the old UK Data Protection Act 1998 (except where personal data is processed, in which case the GDPR enforcement penalties will apply). However, it is expected that this will be brought into line with the GDPR with the introduction of the e-Privacy Regulation, which will replace the e-Privacy Directive when finalised.

Eleanor Dodding

London

edodding@sidley.com

William RM Long

London

wlong@sidley.com

Geraldine Scali

gscali@sidley.com

You might also like
UK Sets Out It’s “Pro-Innovation” Approach To AI Regulation

On 29 March 2023, the UK’s Department for Science Innovation and Technology (“DSIT”) published its long awaited White Paper on its “pro-innovation approach to AI regulation” (the “White Paper”), along with a corresponding impact assessment. The White Paper builds on the “proportionate, light touch and forward-looking” approach to AI regulation set out in the policy paper published in July 2022. Importantly, the UK has decided to take a different approach to regulating AI compared to the EU, opting for a decentralised sector-specific approach, with no new legislation expected at this time. Instead, the UK will regulate AI primarily through sector-specific, principles based guidance and existing laws, with an emphasis on an agile and innovation-friendly approach. This is in significant contrast to the EU’s proposed AI Act which is a standalone piece of horizontal legislation regulating all AI systems, irrespective of industry.

How the China Personal Information Protection Law Applies to Foreign Asset Managers

Since China’s Personal Information Protection Law (PIPL) came into effect in November 2021, there has been widespread uncertainty amongst offshore fund managers and investors with entities outside Mainland China as to how and whether the regime applies to them. Given the potential for foreign asset managers to overlook or misinterpret PIPL, this brief update outlines some guidance as to how PIPL can apply, and to whom, in a practical context.

EU Moving Closer to an AI Act – Key Areas of Impact for Life Sciences/MedTech Companies

The European Union is moving closer to adopting the first major legislation to horizontally regulate artificial intelligence. Today, the European Parliament (Parliament) reached a provisional agreement on its internal position on the draft Artificial Intelligence Regulation (AI Act). The text will be adopted by Parliament committees in the coming weeks and by the Parliament plenary in June. The plenary adoption will trigger the next legislative step of trilogue negotiations with the European Council to agree on a final text. Once adopted, according to the text, the AI Act will become applicable 24 months after its entry into force (or 36 months according to the Council’s position), which is currently expected in the second half of 2025, at the earliest.