UK ICO Publishes New Guidance on the Use of Cookies and Similar Technologies

On 3 July 2019, the UK’s Information Commissioner’s Office (“ICO”) published new guidance on cookies and similar technologies (“Guidance”) in conjunction with a new blog post: “Cookies – what does ‘good’ look like?” which aims to provide “myth-busting” advice on common cookies uncertainties. With its new Guidance, the ICO has formally recognised the stricter standards of consent and transparency now in force under the GDPR.

Whilst the rules on cookies derive from the e-Privacy Directive which is implemented in each EU Member State (for example, in the UK, by the Privacy and Electronic Communications Regulations (PECR)), a number of important related concepts (e.g., consent and transparency) and the collection of personal data by cookies are governed by the GDPR. The Guidance is intended to reflect these developments and interactions, as well as advances in technology, such as “the Internet of Things”, since the ICO’s last guidance was published.

The Guidance comes at a time of increased focus on cookies and related issues. The Dutch DPA has recently published new cookie guidance, and the French CNIL is expected to do the same shortly. In addition, the ICO has updated its own cookie control mechanism on its website to mirror its new guidance to include more information about what cookies are used and an updated consent mechanism for Google Analytics cookies. It appears this may have been partially in response to criticism of the ICO website’s own approach to cookies, after it was reported in June of this year that the ICO admitted its then-current cookies policy was non-compliant.

We highlight a few of the key takeaways from the Guidance here:

  1. Consent for non-essential cookies must comply with GDPR standards, which means it must involve: (i) a clear positive action (continuing to browse the website is not sufficient) and not implied consent; (ii) granularity (the ability to consent to cookies used for some purposes, but not others); and (iii) no pre-ticked boxes or sliders set to ‘on’ (i.e., the default option for non-essential cookies must be off).
  2. The legitimate interest legal ground cannot be used as an alternative for consent to place non-essential cookies on a website, as PECR always requires consent for non-essential cookies such as those used for marketing and advertising. This must be GDPR-standard consent. The Guidance also confirms that it is likely that, for any subsequent processing of personal data collected via cookies, consent will be the most appropriate lawful basis under the GDPR.
  3. The Guidance provides useful examples of the types of cookies requiring consent and those which may benefit from the “strictly necessary” or “communication” exemptions. The “strictly necessary” exemption means that storage of (or access to) information is essential, rather than reasonably necessary. For example, the Guidance is clear that analytics cookies (e.g., to count the number of users on your website) are not strictly necessary and will require consent.
  4. Blanket cookie walls to restrict access to websites until a user consents to the use of cookies are unlikely to represent valid consent. The Guidance confirms that statements such as “by continuing to use this website you are agreeing to cookies” is not considered valid consent under the higher GDPR standard. However, it should be noted that the ICO is still seeking further opinions on this point, recognising that there are practical considerations and differing opinions around the use of partial cookie walls. Therefore, pending further guidance, it may still be possible to condition access to specific services on consent to certain cookies.
  5. Information provided on cookies must align with the GDPR standards for transparency. Cookies policies and banners will need to provide information about the purposes for which cookies are used to the same standard as the GDPR (i.e., concise, transparent, intelligible, and easily accessible form, using clear and plain language). Consent for cookies cannot be buried in terms and conditions and organisations always should be upfront about the use of cookies.
  6. If an organisation’s use of cookies changes significantly, users will need to be made aware of these changes to allow them to make an informed choice about the new activity. Equally, organisations will need to consider “re-consenting” users after an appropriate period of time has passed. However, the ICO does not provide guidance on how to determine such period of time, acknowledging that this will be context specific.

Cookie Audit

To help address the above recommendations, the ICO recommends that organisations conduct a “cookie audit” which will, amongst other checks: (i) confirm the purpose(s) of each cookie; (ii) confirm the type of cookie (session or persistent); (iii) distinguish between those that are strictly necessary and non-essential; (iv) document the findings; and (v) consider follow-up actions whilst building in an appropriate review period. The ICO views this as an opportunity for organisations to ‘clean up’ existing web pages and stop using unnecessary cookies, particularly if the website has evolved since an initial assessment was undertaken.

Enforcement

The Guidance confirms that enforcement action will vary, as expected, depending on the level of privacy intrusion and risk of harm posed by cookies and related technologies (e.g., first party cookies for analytics purposes are typically considered to present a lower risk of harm compared with those used for advertising or behavioural profiling). It is also worth noting that the current enforcement regime for PECR remains as was in effect under the old UK Data Protection Act 1998 (except where personal data is processed, in which case the GDPR enforcement penalties will apply). However, it is expected that this will be brought into line with the GDPR with the introduction of the e-Privacy Regulation, which will replace the e-Privacy Directive when finalised.