- The UK privacy regulator has admitted that its own cookie consent process does not comply with the current GDPR and ePrivacy rules.
- According to the regulator, a new process will be implemented during the week beginning 24th June 2019, which could give organisations a valuable insight into how to navigate the complex interaction between the GDPR and ePrivacy rules in a compliant manner.
- The regulator has also promised detailed guidance on cookies “soon“.
The regulator recently admitted that its current cookies notice fails to “meet the required GDPR standard“. The admission followed complaints that its website automatically places cookies on users’ mobile devices when they access the ICO website which does not comply with the Privacy and Electronic Communications Regulations 2003 (“PECR“).
- Seek the consent of website users or subscribers; and
“… the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user has given his or her consent.”
Since 25 May 2018, the GDPR has also applied to the ePrivacy rules with respect to transparency, meaning the level of information given to individuals about cookies being used. In addition, the stricter GDPR standard of consent now applies to the placement of cookies. Therefore, when organisations now seek consent, the consent obtained must be freely given, specific and informed, and must involve some form of unambiguous positive action.
Can cookie consent be implied?
After the adoption of the cookie consent rules in PECR and prior to implementation of the GDPR in 2018, the market (and indeed the regulators) appeared to reach the conclusion that implied consent was sufficient to satisfy PECR and the then current Data Protection Act 1998.
However, since implementation of the GDPR, many organisations have been confused by the lack of clear guidance on the issue and the example set by the ICO, given that it (currently) provides a cookies banner which refers to an assumption of consent via continued browsing. The ICO also published guidance which provided that there are circumstances where implied cookie consent may still be valid consent, namely when users fully understand that their action of continuing to browse a website will result in specific cookies being set.
Nevertheless, evolving market practice around cookie consents suggests that companies more generally are moving away from these ‘implied consent’ cookie banners. Many are now using banners or notices which require users to actively accept cookies through an opt-in button and allowing users to manage the different types of cookies used through toggle options. The recent admission by the ICO now appears to confirm that implied consent is no longer sufficient.
It has been reported that the ICO plans to upgrade to the latest version of its Civic Cookie Tool, a tool that requires explicit consent by default. A spokesperson for the ICO’s Data Protection Officer has responded to the recent complaints by stating the following:
It will therefore be interesting to see if the ICO plans to lead by example with a GDPR compliant notice. This would be welcome news to those organisations which are wary of undergoing the exercise of changing cookie policies and notices without any clear example of compliance.
There is however a sting in the tail. Organisations should still keep in mind that the European ePrivacy regime is under review and, in January 2017, the European Commission published a new draft ePrivacy Regulation which is intended to replace the current ePrivacy Directive. However, progress has been very slow and it appears unlikely that the new regulation will be adopted before the start of 2020, with a likely two year implementation period before it is enforced.