Following its recent admission that its own cookie consent mechanism was non-compliant (see previous blog post here), the UK privacy regulator (the ICO) updated its cookie notice last week (see our previous blog post here) and has now published guidance on cookies and similar technologies. Key messages are:

  • No implied consent for non-essential cookies allowed, including consent obtained via sliders/toggles which are defaulted to ‘on’
  • Analytics cookies are not ‘strictly necessary’ and so require consent
  • The position regarding the use of ‘cookie walls’ to restrict website access remains unclear, although is likely to be inappropriate in many circumstances

Background

The use of cookies on websites is regulated by both the GDPR and the ePrivacy rules in Europe. The GDPR applies its normal rules to cookies where they collect and process personal data, whereas the ePrivacy rules provide that if you use cookies you must: (i) say what cookies will be set; (ii) explain what the cookies will do; and (iii) obtain consent to store cookies on devices. The ePrivacy rules do not contain a definition of consent, meaning that the GDPR standard of consent applies (i.e. consent must be freely given, specific, informed, and involving an unambiguous action by the individual).

The ICO Guidance

The ICO Guidance (available here) has set out how organisations should comply with the rules relating to cookies. In particular:

  • Cookie Information: To comply with the information requirements of the legislation, organisations need to make sure users will see clear information about cookies. This also needs to include information about the purposes and duration of the cookies used. The information needs to be provided in such a way that the user will see it when they first visit the website.
  • Consent: There is no preferred mechanism for obtaining individual consent but organisations need to ensure that any consent mechanism they put in place allows users to have control over all the cookies the website sets, including third party cookies. The guidance places the burden of responsibility on the website owner to consider, before incorporating a third-party cookie, whether its consent mechanism allows the user to control whether the cookie is set or not.
  • Bundled consent: Consent must be separate from other matters and cannot be bundled into terms and conditions or privacy notices.
  • Cookie walls: The Guidance is unclear as to whether cookie walls are acceptable. If use of a cookie wall is intended to require, or influence, users to agree to their personal data being used as a condition of accessing the service, then it is unlikely that the user consent will be considered valid.
  • Non-essential cookies: Enabling a non-essential cookie without the user taking positive action before it is set on their device does not represent valid consent. So-called ‘nudge behaviour’ to influence users in their decision-making is also not acceptable. For example, by emphasising the word “agree” or “accept” over any option to reject or decline. Likewise, a consent mechanism that doesn’t allow a user to make a choice would also be non-compliant, even where the controls are located in a ‘more information’ section (i.e. the user options are ‘agree’ or click for further information).
  • Analytics cookies: Analytics cookies are not ‘strictly necessary’ and so require user consent.
Miriam Everett

Miriam Everett
Partner, Head of Data Protection and Privacy, London
+44 20 7466 2378