Understanding The ICO’s 2019 Cookie Guidance

The ICO has published its long-awaited cookie guidance.
The following is a summary of the main points from that guidance.

1. Implied consent is no longer acceptable

The main take-away is that the ICO guidance makes it clear that implied consent for cookies is no longer permitted.

This means that you can no longer rely on a statement in your Cookie Policy or terms and conditions that ‘by continuing to browse your website, the user consents to the use of cookies’ or similar.

The GDPR standard of consent applies in relation to cookies. The GDPR makes it clear that valid consent requires an affirmative action. Merely continuing to browse a website is not considered to be an affirmative action signifying consent.

Instead what you need to do is have an effective cookie consent mechanism that obtains opt-in consent to the use of all non-essential cookies, prior to such cookies being fired.

2. What to do in practice

In a nutshell, what we must do is be transparent and clear about our use of cookies and obtain informed consent to the use of them, prior to them being fired.

(i) Provide information

When users first land on your site, you must use a cookie consent mechanism that provides information about the cookies you are using.

You should also provide more detailed information about the cookies that you use. You do this via your Cookie Policy (or Privacy Notice) and link to this from within the cookie consent mechanism. You also need to add a link to either the header or footer of your website, so that the link to the Cookie Policy can be accessed from each page of your website.

Rather than just have a link that states “Cookie Policy”, you should make it clearer what this is about by using words such as “Find out more about how our site works and how we put you in control.”

If you use third party cookies (such as Facebook pixels), you must clearly and specifically name the third parties and explain how they will use the information obtained through the cookies.

(ii) Obtain opt-in consent

Can you still use banners, pop ups, message bars and links on headers to obtain consent or do you have to pay for a consent mechanism tool?

The ICO guidance states that banners, pop-ups etc can still be used, but in order to achieve compliance, these tools must make the position absolutely clear to users.

In addition, non-essential cookies must not be firing on the landing page. If users can move to another part of the website where cookies are used without having clicked a consent option, consent has not been validly obtained, because it needs to be obtained before the non-essential cookies are fired.

Your chosen cookie consent mechanism must enable users to refuse cookies from third parties (such as Facebook pixels and Google ads pixels). If you do not have a cookie consent mechanism that will enable this, then you shouldn’t use third party cookies.

The ICO’s guidance states that you must not have boxes that emphasise ‘agree’ or ‘allow’ (or presumably ‘accept’) cookies, as opposed to ‘block’ or ‘reject’ cookies, as this influences website users to consent to the use of cookies.

The initial consent mechanism you use when people land on your landing page of your website must allow the user to make a choice about whether to accept the use of cookies or not; merely having a ‘more information’ section where controls are located would not suffice.

You must not use pre-ticked boxes or other default options, such as ‘sliders’ set to ‘on’, for any non-essential cookies (note that analytics cookies are not classed as essential).

You should make sure that non-essential cookies are not fired until consent is obtained. If you do not have a tool that can hold back non-essential cookies across the whole site, you must at least ensure that they are not placed on website landing pages until the user has provided consent.
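As an added illustration of the mechanics behind point (ii) (this is example code written for this summary, not code from the ICO guidance or from any consent tool), the following JavaScript holds third-party tags back until the user makes an explicit choice, treats a missing choice as refusal, leaves strictly necessary cookies untouched, and includes a small audit helper that lists non-essential cookies found on a page without matching consent. The category names, cookie names and loader callbacks are assumptions for illustration; in a real page the loaders would insert the vendor script tags.

```javascript
// Added example: consent gate for non-essential cookies.
// Not from the ICO guidance or any vendor's consent tool; names are illustrative.

// Categories that need consent under PECR. 'strictly_necessary' is exempt.
const NON_ESSENTIAL = ['analytics', 'marketing'];

function createConsentGate() {
  // Default state: nothing on. No pre-ticked boxes, no sliders set to 'on'.
  const consent = { analytics: false, marketing: false };
  // Tag loaders held back until the matching category has been consented to.
  const pending = { analytics: [], marketing: [] };
  const fired = []; // names of loaders that have actually run, in order
  let decided = false;

  // Register a tag. The loader runs now only if its category needs no
  // consent or already has it; otherwise it waits in the queue.
  function register(category, name, loader) {
    if (category === 'strictly_necessary') {
      fired.push(name);
      loader();
      return;
    }
    if (!NON_ESSENTIAL.includes(category)) {
      throw new Error(`unknown cookie category: ${category}`);
    }
    if (consent[category]) {
      fired.push(name);
      loader();
    } else {
      pending[category].push({ name, loader });
    }
  }

  // Record the user's explicit choice. A category turns on only when set to
  // true; false, missing or anything else is a refusal, so merely continuing
  // to browse (decide() never being called) changes nothing.
  function decide(choices) {
    decided = true;
    for (const cat of NON_ESSENTIAL) {
      consent[cat] = choices[cat] === true;
      const queue = pending[cat].splice(0); // take everything queued for this category
      if (consent[cat]) {
        for (const tag of queue) { fired.push(tag.name); tag.loader(); }
      }
      // Refused loaders are dropped rather than kept for a later retry.
    }
  }

  return {
    register,
    decide,
    state: () => ({ ...consent }),
    fired: () => fired.slice(),
    hasDecided: () => decided,
  };
}

// Cookie names as they appear in a Cookie header or document.cookie.
function parseCookieNames(cookieString) {
  return cookieString
    .split(';')
    .map((s) => s.trim())
    .filter(Boolean)
    .map((s) => s.split('=')[0].trim());
}

// Audit check: given the cookies actually present, a registry mapping cookie
// name to category, and the consent state, list every cookie that should not
// be there. Unregistered cookies are reported too, since they cannot be
// described in the Cookie Policy.
function auditCookies(cookieString, registry, consent) {
  const offending = [];
  for (const name of parseCookieNames(cookieString)) {
    const category = registry[name] || 'unknown';
    if (category === 'strictly_necessary') continue;
    if (consent[category] === true) continue;
    offending.push({ name, category });
  }
  return offending;
}

// Simulated landing page with constructed data; no real tags are loaded.
function demo() {
  const gate = createConsentGate();
  gate.register('strictly_necessary', 'session', () => {}); // e.g. the shopping cart session
  gate.register('analytics', 'analytics_tag', () => {});    // e.g. a web analytics script
  gate.register('marketing', 'ad_pixel', () => {});         // e.g. a social or ads pixel
  const beforeChoice = gate.fired();      // only 'session' has run
  gate.decide({ analytics: true });       // marketing not mentioned, so refused
  const afterChoice = gate.fired();       // 'session' and 'analytics_tag'
  // Constructed cookie string: '_fbp' has no consent, 'tracker' is unregistered.
  const registry = { sid: 'strictly_necessary', _ga: 'analytics', _fbp: 'marketing' };
  const found = auditCookies('sid=abc123; _ga=GA1.2.1; _fbp=fb.1.x; tracker=1', registry, gate.state());
  return { beforeChoice, afterChoice, state: gate.state(), found };
}
```

The point of the gate is that the default branch is always "off": nothing in the non-essential queues runs unless `decide()` is called with an explicit `true` for that category, which mirrors the ICO position that continuing to browse is not an affirmative action. The audit helper is the check to run against the landing page before any choice has been made; anything it returns is a cookie that is firing ahead of consent.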

3. The inter-relationship of PECR and the GDPR

We must look to PECR before looking at the GDPR in relation to the use of cookies.
This means that if consent is required under PECR (as it is for using non-essential cookies), it will also be required under the GDPR.

However, the guidance states that it may be possible to rely on a different lawful basis for subsequent processing beyond the setting of the cookies, but not for the following activities, where consent will always be the appropriate lawful basis:

(i) Analysing or predicting preferences or behaviour or attitudes of individuals where this information subsequently is used to make decisions or take measures related to such individuals.

(ii) Tracking and profiling for direct marketing and advertising

4. ‘Cookie walls’ and blocking content for users not accepting cookies

A full cookie wall, which is where you require consent to the setting of cookies before the user can access any website content, will not be valid consent because this goes against the GDPR requirement of consent being “freely given”.

However, partial cookie walls that restrict access to certain website content if users don’t agree to the use of cookies could be valid. The ICO says that it will be seeking further submissions and opinions on this point from interested parties, so watch this space…

5. Analytics cookies are not exempt

The guidance reminds us that analytics cookies are not exempt from the consent requirement as they are not “strictly necessary” – consent is not required for cookies that are strictly necessary, such as cookies that enable the shopping cart to work smoothly.

You can read the full guidance here.
https://ico.org.uk/for-organisations/guide-to-pecr/guidance-on-the-use-of-cookies-and-similar-technologies/