Understanding The ICO’s 2019 Cookie Guidance
The ICO has published its long-awaited cookie guidance.
The following is a summary of the main points from that guidance.
1. Implied consent is no longer acceptable
The main take-away is that the ICO guidance makes it clear that implied consent for cookies is no longer permitted.
The GDPR standard of consent applies in relation to cookies. The GDPR makes it clear that valid consent requires an affirmative action. Merely continuing to browse a website is not considered to be an affirmative action signifying consent.
Instead what you need to do is have an effective cookie consent mechanism that obtains opt-in consent to the use of all non-essential cookies, prior to such cookies being fired.
2. What to do in practice
(i) provide information
When users first land on your site, you must use a cookie consent mechanism that provides information about the cookies you are using.
If you use third party cookies (such as Facebook pixels), you must clearly and specifically name the third parties and explain how they will use the information obtained through the cookies.
(ii) obtain opt-in consent
Can you still use banners, pop ups, message bars and links on headers to obtain consent or do you have to pay for a consent mechanism tool?
The ICO guidance states that banners, pop-ups etc can still be used, but in order to achieve compliance, these tools must make the position absolutely clear to users.
In addition, non-essential cookies must not fire on the landing page. If a user can move to another part of the website where cookies are used without having clicked a consent option, no valid consent has been given, because consent must be obtained before any non-essential cookie is set.
You must not use pre-ticked boxes or other default options, such as ‘sliders’ set to ‘on’, for any non-essential cookies (note that analytics cookies are not classed as essential).
You should make sure that non-essential cookies are not fired until consent is obtained or, if you do not have a tool that blocks them, that non-essential cookies are not placed on website landing pages until the user has provided consent.
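As an added example (not from the ICO guidance or any consent-management vendor), the following script shows one way to implement the steps above in a site's own front-end code: every non-essential category starts off, only an explicit banner action changes the state, scrolling or navigating is ignored, each third party is named with its purpose, and non-essential scripts are only activated once the matching category has been granted. The script manifest, category names and event names are hypothetical; the consent logic is plain JavaScript so it can be run and tested under Node, and the DOM activation step is guarded so the same code can be used in a browser.

```javascript
// Added example of a consent gate for non-essential cookies.
// Not part of the ICO guidance; manifest entries, providers and event names are hypothetical.

// Hypothetical manifest of the scripts the site loads. Each non-essential script names
// the third party it sends data to and what that party does with it (the "provide
// information" step). Only 'essential' scripts may run without consent.
const SCRIPT_MANIFEST = [
  { id: 'cart', category: 'essential', provider: 'first party', purpose: 'keeps the shopping basket working' },
  { id: 'analytics', category: 'analytics', provider: 'Example Analytics Ltd', purpose: 'measures page views and visits' },
  { id: 'adpixel', category: 'advertising', provider: 'Example Ads Inc', purpose: 'tracks users for targeted advertising' },
];

const NON_ESSENTIAL = ['analytics', 'advertising'];

// Default state: every non-essential category is OFF and nothing has been decided.
// No pre-ticked boxes, no sliders set to 'on'.
function defaultConsent() {
  const categories = {};
  for (const c of NON_ESSENTIAL) categories[c] = false;
  return { categories, decided: false, decidedAt: null };
}

function decide(categories, at) {
  return { categories, decided: true, decidedAt: at };
}

// Only an explicit banner action counts as an affirmative act. Scrolling, clicking
// elsewhere on the page or navigating to another page leaves consent undecided.
function applyEvent(state, event) {
  switch (event.type) {
    case 'accept_all':
      return decide(Object.fromEntries(NON_ESSENTIAL.map((c) => [c, true])), event.at);
    case 'reject_all':
      return decide(Object.fromEntries(NON_ESSENTIAL.map((c) => [c, false])), event.at);
    case 'save_choices':
      // A category is granted only if the user actively switched it on; anything
      // missing from the submitted choices stays off.
      return decide(Object.fromEntries(NON_ESSENTIAL.map((c) => [c, event.choices[c] === true])), event.at);
    default:
      // 'scroll', 'navigate', 'click_outside', ... : not consent.
      return state;
  }
}

// Replay a list of user interaction events into a consent state.
function reduceEvents(events, initial = defaultConsent()) {
  return events.reduce(applyEvent, initial);
}

// Which scripts may run right now: essential ones always, non-essential ones only
// after a decision that granted their category.
function permittedScripts(state, manifest = SCRIPT_MANIFEST) {
  return manifest
    .filter((s) => s.category === 'essential' || (state.decided && state.categories[s.category] === true))
    .map((s) => s.id);
}

// Lines for the banner: each third party named, with its purpose and category.
function bannerDisclosure(manifest = SCRIPT_MANIFEST) {
  return manifest
    .filter((s) => s.category !== 'essential')
    .map((s) => `${s.provider}: ${s.purpose} (${s.category})`);
}

// Browser-only step. Non-essential scripts are shipped inert, e.g.
//   <script type="text/plain" data-consent="analytics" data-src="https://example.invalid/a.js"></script>
// and are only turned into real <script> tags once their category is granted.
// Returns the number of scripts activated; 0 when there is no DOM (e.g. under Node).
function activatePermitted(state, doc = typeof document !== 'undefined' ? document : null) {
  if (!doc) return 0;
  let activated = 0;
  for (const el of doc.querySelectorAll('script[type="text/plain"][data-consent]')) {
    if (!state.decided || state.categories[el.dataset.consent] !== true) continue;
    const real = doc.createElement('script');
    real.src = el.dataset.src;
    el.replaceWith(real);
    activated++;
  }
  return activated;
}

// Stand-alone demonstration: browsing alone grants nothing; an explicit choice does.
console.log(permittedScripts(reduceEvents([{ type: 'scroll', at: 1 }, { type: 'navigate', at: 2 }])));
console.log(permittedScripts(reduceEvents([{ type: 'save_choices', choices: { analytics: true }, at: 3 }])));
```

The point of keeping the decision logic separate from the DOM is that it can be tested in isolation: a test can assert that a sequence of scroll and navigate events never yields a decided state, which is exactly the implied-consent behaviour the guidance rules out. The timestamp in `decidedAt` is what you would persist alongside the choices as your record of consent.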
3. The inter-relationship of PECR and the GDPR
The guidance confirms that the GDPR standard of consent applies to consent obtained under PECR. This means that if consent is required under PECR (as it is for using non-essential cookies), consent is also what you will be relying on under the GDPR for the personal data obtained through those cookies.
However, the guidance states that it may be possible to rely on a different lawful basis for subsequent processing beyond the setting of cookies, but not for the following activities, for which consent will always be the appropriate basis:
(i) Analysing or predicting preferences or behaviour or attitudes of individuals where this information subsequently is used to make decisions or take measures related to such individuals.
(ii) Tracking and profiling for direct marketing and advertising
4. ‘Cookie walls’ and blocking content for users not accepting cookies
A full cookie wall, which is where you require consent to the setting of cookies before the user can access any website content, will not be valid consent because this goes against the GDPR requirement of consent being “freely given”.
5. Analytics cookies are not exempt
The guidance reminds us that analytics cookies are not exempt from the consent requirement, because they are not “strictly necessary”. Consent is not required for strictly necessary cookies, such as cookies that enable the shopping cart to work.
You can read the full guidance here.