First things first, what’s a cookie?
A cookie is not just a delicious treat; in this instance, it’s a small text file that a website stores on your computer, tablet, phone or other device when you visit it. Every time you then revisit that site, your browser sends the cookie back and the site recognises you. Session cookies last as long as your browsing session and are then deleted, while persistent cookies remain on your device until their expiry date, which could be years in the future. Websites may store a cookie on a user’s device for one of two reasons. Either the cookie is strictly necessary, meaning it is used for technical purposes to allow communications to take place or to provide a service the user has requested, or the user has consented to it after being given clear information about its purpose.
Cookies are an important technological feature and allow for secure website access and online shopping functionality; however, they can also be used to encroach on users’ privacy.
What laws govern cookie use?
Cookies are primarily regulated by the Privacy and Electronic Communication Regulations (PECR) which lay out the following rules. Website owners, developers and others using cookies and similar technology must:
- tell people that cookies are there;
- give clear information about what the cookies do and why; and
- get the person’s consent to store a cookie on their device – unless the cookie is strictly essential and being used for technical purposes to allow communications to take place, or to provide a service requested by a user.
However, since its introduction, GDPR is also relevant to cookies. The close connection between e-privacy and data protection law means that cookies must be used in accordance with GDPR, and some of PECR’s key concepts, such as the standard of consent, now come from GDPR. Put simply, if the use of a cookie results in the processing of personal data, the broad principles of GDPR also apply.
What are the key takeaways from the new guidance?
Here are some of the main things to consider:
The new guidance imposes much stricter requirements for obtaining consent, because it must meet the definition under GDPR, which is much higher than under previous legislation. This means:
- no pre-ticked boxes or sliders already set to ‘on’ – the default must be ‘off’ for all non-essential cookies;
- the user must take a ‘clear and positive action to give their consent to non-essential cookies’ – in other words, consent must be informed and the user must understand what they are consenting to;
- there must be granularity – the ability to consent to cookies for some purposes but not others;
- websites must obtain consent before placing any cookies on the user’s device (unless the cookies are strictly necessary).
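The four rules above describe the behaviour a consent mechanism has to have. As an added example (not code from the ICO guidance or from this post), here is a small JavaScript consent gate that enforces them before any cookie is written: every non-essential purpose starts off, a cookie for a purpose is only set once the user has explicitly opted in to that purpose, withdrawal switches the purpose off and deletes the cookies set under it, and strictly necessary cookies always pass. The category names, the in-memory CookieJar standing in for `document.cookie`, and the cookie names and attributes are assumptions for the demonstration.

```javascript
// Added example: a consent gate for cookie writes. Not the ICO's or the original
// post's code; categories, jar and cookie values are constructed for the demo.

const NECESSARY = 'necessary';                     // no consent required (PECR)
const NON_ESSENTIAL = ['analytics', 'marketing'];  // assumed purpose categories

// Builds a Set-Cookie style string. A Max-Age makes the cookie persistent;
// without one it is a session cookie and lasts until the browser closes.
function buildCookie(name, value, { maxAge, path = '/', secure = true, sameSite = 'Lax' } = {}) {
  const parts = [
    `${encodeURIComponent(name)}=${encodeURIComponent(value)}`,
    `Path=${path}`,
    `SameSite=${sameSite}`,
  ];
  if (Number.isInteger(maxAge)) parts.push(`Max-Age=${maxAge}`);
  if (secure) parts.push('Secure');
  return parts.join('; ');
}

// In-memory stand-in for document.cookie so the example runs outside a browser.
class CookieJar {
  constructor() { this.cookies = new Map(); }        // name -> { header, category }
  write(name, header, category) { this.cookies.set(name, { header, category }); }
  remove(name) { this.cookies.delete(name); }
  names() { return [...this.cookies.keys()]; }
}

class ConsentGate {
  constructor(jar) {
    this.jar = jar;
    // Default is 'off' for every non-essential purpose: no pre-ticked boxes.
    this.consent = Object.fromEntries(NON_ESSENTIAL.map((c) => [c, false]));
  }

  // Record a clear, positive action. Only the categories the user actually
  // ticked are switched on; anything not named stays off (granular consent).
  grant(categories) {
    for (const c of categories) {
      if (!(c in this.consent)) throw new Error(`unknown category: ${c}`);
      this.consent[c] = true;
    }
  }

  // Withdrawal: switch the purpose off and delete cookies already set under it.
  withdraw(category) {
    if (!(category in this.consent)) throw new Error(`unknown category: ${category}`);
    this.consent[category] = false;
    const doomed = this.jar.names().filter((n) => this.jar.cookies.get(n).category === category);
    doomed.forEach((n) => this.jar.remove(n));
  }

  // The gate itself: strictly necessary cookies always pass; everything else
  // needs consent for its specific purpose. Returns true if the cookie was set.
  set(name, value, category, attrs) {
    const allowed = category === NECESSARY || this.consent[category] === true;
    if (!allowed) return false;          // 'continuing to browse' is not consent
    this.jar.write(name, buildCookie(name, value, attrs), category);
    return true;
  }
}

// Walk-through with constructed cookie names and values.
function demo() {
  const jar = new CookieJar();
  const gate = new ConsentGate(jar);
  const before = {
    session: gate.set('sid', 'abc123', NECESSARY),                                  // set: essential
    analytics: gate.set('visitor_stats', 'v1', 'analytics', { maxAge: 63072000 }), // refused: no consent yet
  };
  gate.grant(['analytics']);                                                        // user ticks analytics only
  const after = {
    analytics: gate.set('visitor_stats', 'v1', 'analytics', { maxAge: 63072000 }), // set: consented
    marketing: gate.set('ad_id', 'x9', 'marketing', { maxAge: 7776000 }),          // refused: not ticked
  };
  gate.withdraw('analytics');                                                       // removes visitor_stats
  return { before, after, remaining: jar.names(), consent: { ...gate.consent } };
}
```

In a real page the `CookieJar.write` call would become a `document.cookie` assignment and `remove` would set the same name with `Max-Age=0`; the gate logic is unchanged. The point worth noticing is that the gate never consults anything other than an explicit `grant` call, so there is no code path by which scrolling, dismissing a banner or a pre-set default can switch a purpose on.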
Full cookie walls
Cookie walls, which block access to a site or service entirely unless the user consents to the installation of certain cookies, are not allowed, and statements such as ‘by continuing to use this website you are agreeing to cookies’ are definitely not valid consent. However, the ICO acknowledges that partial cookie walls, which restrict access only to certain content, may be permissible, and it is seeking further submissions on this from interested parties.
Consent for analytics cookies
Whether a cookie is ‘strictly necessary’ is judged from the user’s point of view, not the service provider’s. Analytics cookies provide useful information to the provider, but they are not essential to the user: without them, the user could still use the service. For the same reason, cookies used for profiling, behavioural analysis or predicting preferences or behaviour are not strictly necessary and require consent to the GDPR standard.
If you’re using any third-party cookies, make sure you clearly and specifically name the third parties and explain what they do with the information they collect.
Apply PECR rules before applying GDPR
As the PECR provides specific rules around privacy and electronic communication, where these rules apply, they take precedence over GDPR. Therefore, when installing cookies, the ICO suggests you consider PECR compliance first and ensure cookies comply with these requirements before moving on to consider the more general rules of the GDPR.
How should my business respond?
Prior to the publication of the ICO’s new guidance, many organisations had adopted a “wait and see” approach to cookie compliance, given that the PECR rules were under review at EU level and, at that point, the ICO had not yet fully updated its cookie guidance. However, this update has sent a clear message that, despite the complexity of the issue, businesses need to start taking steps to comply with the new guidance now. In fact, this is quite literally what the ICO’s Head of Technology Policy wrote in a blog accompanying the new guidance, saying that businesses “should start taking steps to comply now.”
If you need to understand what’s involved in a cookie audit, please contact a member of our Commercial and IT Team for some help.
Disclaimer: Anything posted on this blog is for general information only and is not intended to provide legal advice on any general or specific matter. Please refer to our terms and conditions for further information. Please contact the author of the blog if you would like to discuss the issues raised.