• The UK privacy regulator has admitted that its own cookie consent process does not comply with the current GDPR and ePrivacy rules.
  • According to the regulator, a new process will be implemented during the week beginning 24th June 2019, which could give organisations a valuable insight into how to navigate the complex interaction between the GDPR and ePrivacy rules in a compliant manner.
  • The regulator has also promised detailed guidance on cookies “soon“.

Background

Many organisations are currently grappling with the challenge of navigating the legislative regime surrounding the use of cookies on their websites. There still remains a lot of uncertainty around the interaction between the GDPR and ePrivacy rules, and, in particular, there is little guidance on what constitutes a compliant cookies notice from both a GDPR and an ePrivacy perspective. Such organisations may be relieved or disheartened to learn that even the approach used by the Information Commissioner’s Office (“ICO“) (the privacy regulator in the UK) is not compliant at present.

The regulator recently admitted that its current cookies notice fails to “meet the required GDPR standard“. The admission followed complaints that its website automatically places cookies on users’ mobile devices when they access the ICO website which does not comply with the Privacy and Electronic Communications Regulations 2003 (“PECR“).

Legal Requirements

Under PECR, organisations must do the following in order to lawfully use cookies on their websites:

  • Seek the consent of website users or subscribers; and
  • Provide a clear, comprehensive and visible notice on the use of cookies at the time and place where the consent is sought.

The provision which introduced the requirement for consent to the use of cookies in the ePrivacy Directive states that:

“… the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user has given his or her consent.”

Since 25 May 2018, the GDPR has also applied to the ePrivacy rules with respect to transparency, meaning the level of information given to individuals about cookies being used. In addition, the stricter GDPR standard of consent now applies to the placement of cookies. Therefore, when organisations now seek consent, the consent obtained must be freely given, specific and informed, and must involve some form of unambiguous positive action.

Can cookie consent be implied?

After the adoption of the cookie consent rules in PECR and prior to implementation of the GDPR in 2018, the market (and indeed the regulators) appeared to reach the conclusion that implied consent was sufficient to satisfy PECR and the then current Data Protection Act 1998.

However, since implementation of the GDPR, many organisations have been confused by the lack of clear guidance on the issue and the example set by the ICO, given that it (currently) provides a cookies banner which refers to an assumption of consent via continued browsing. The ICO also published guidance which provided that there are circumstances where implied cookie consent may still be valid consent, namely when users fully understand that their action of continuing to browse a website will result in specific cookies being set.

Nevertheless, evolving market practice around cookie consents suggests that companies more generally are moving away from these ‘implied consent’ cookie banners. Many are now using banners or notices which require users to actively accept cookies through an opt-in button and allowing users to manage the different types of cookies used through toggle options. The recent admission by the ICO now appears to confirm that implied consent is no longer sufficient.

Moving forward

It has been reported that the ICO plans to upgrade to the latest version of its Civic Cookie Tool, a tool that requires explicit consent by default. A spokesperson for the ICO’s Data Protection Officer has responded to the recent complaints by stating the following:

I acknowledge that the current cookies consent notice on our website doesn’t meet the required GDPR standard… We are currently in the process of updating this to align our use of cookies to the GDPR standard of consent and we will be making amendments to this information during the week commencing 24 June.”

It will therefore be interesting to see if the ICO plans to lead by example with a GDPR compliant notice. This would be welcome news to those organisations which are wary of undergoing the exercise of changing cookie policies and notices without any clear example of compliance.

There is however a sting in the tail. Organisations should still keep in mind that the European ePrivacy regime is under review and, in January 2017, the European Commission published a new draft ePrivacy Regulation which is intended to replace the current ePrivacy Directive. However, progress has been very slow and it appears unlikely that the new regulation will be adopted before the start of 2020, with a likely two year implementation period before it is enforced.

Miriam Everett

Miriam Everett
Partner, Head of Data Protection and Privacy, London
+44 20 7466 2378

Christina Quinn

Christina Quinn
Associate, Digital TMT & Data, London
+44 20 7466 6401