Following its recent admission that its own cookie consent mechanism was non-compliant (see previous blog post here), the UK privacy regulator (the ICO) updated its cookie notice last week (see our previous blog post here) and has now published guidance on cookies and similar technologies. Key messages are:
- Implied consent is not allowed for non-essential cookies, including consent obtained via sliders/toggles which are defaulted to ‘on’
- Analytics cookies are not ‘strictly necessary’ and so require consent
- The position regarding the use of ‘cookie walls’ to restrict website access remains unclear, although their use is likely to be inappropriate in many circumstances
The ICO Guidance
The ICO Guidance (available here) has set out how organisations should comply with the rules relating to cookies. In particular:
- Cookie Information: To comply with the information requirements of the legislation, organisations need to make sure users will see clear information about cookies. This also needs to include information about the purposes and duration of the cookies used. The information needs to be provided in such a way that the user will see it when they first visit the website.
- Consent: There is no preferred mechanism for obtaining individual consent, but organisations need to ensure that any consent mechanism they put in place allows users to have control over all the cookies the website sets, including third-party cookies. The guidance places the burden of responsibility on the website owner to consider, before incorporating a third-party cookie, whether its consent mechanism allows the user to control whether the cookie is set or not.
- Bundled consent: Consent must be separate from other matters and cannot be bundled into terms and conditions or privacy notices.
- Cookie walls: The Guidance is unclear as to whether cookie walls are acceptable. If use of a cookie wall is intended to require, or influence, users to agree to their personal data being used as a condition of accessing the service, then it is unlikely that the user consent will be considered valid.
- Non-essential cookies: Enabling a non-essential cookie without the user taking positive action before it is set on their device does not represent valid consent. So-called ‘nudge behaviour’ to influence users in their decision-making is also not acceptable, for example by emphasising the word “agree” or “accept” over any option to reject or decline. Likewise, a consent mechanism that doesn’t allow a user to make a choice would also be non-compliant, even where the controls are located in a ‘more information’ section (i.e. the user options are ‘agree’ or click for further information).
- Analytics cookies: Analytics cookies are not ‘strictly necessary’ and so require user consent.