UK: ICO publishes significant new guidance on cookies and similar technologies

The Information Commissioner’s Office (“ICO”) has published its eagerly awaited guidance on the use of cookies and similar technologies. In it, the UK’s data protection authority has formally recognised the stricter standards of consent and transparency required for cookie usage in the world of the GDPR. Organisations are advised to take prompt action to review their use of web-based technologies and make the necessary remedial changes.

Why new guidance now?

The reason for the new guidance is to align the ICO’s position on cookies with the impact of the General Data Protection Regulation (“GDPR”). Whilst cookies are primarily regulated in the UK by what is commonly referred to as ‘e-privacy law’ (i.e. the Privacy and Electronic Communications Regulations (“PECR”), implementing Directive 2002/58/EC), and not by the GDPR, e-privacy and data protection law are closely related. Firstly, important concepts in e-privacy law – such as consent and transparency – must be interpreted in accordance with data protection law. Secondly, the use of cookies will in many cases involve the processing of personal data, which then engages the GDPR.

The guidance also arrives at a time of particular focus – at an EU as well as UK level – on the related issues of cookies, the use of online identifiers, and the adtech industry. The Dutch Data Protection Authority has published new cookie guidance this year, we are awaiting the same this month from the French authority, the ICO has also just published a report on adtech and real time bidding, and in March we had the opinion of Advocate-General Szpunar in the Planet49 case, which focused on cookies.

What has changed?

The most significant changes are to be found in the areas where the GDPR has indirectly imposed higher standards for cookie usage – in particular what constitutes valid consent and transparency. However, the new cookie guidance is also more detailed than previous guidance issued by the ICO, and there has been a deliberate attempt to update the guidance from a technological as well as from a legal perspective. For example, the use of cookie-like technologies in Internet of Things devices is covered.

What are the key takeaways?

The following is a selection of what we consider to be the most important takeaway messages from the new guidance:

  1. The ICO has confirmed what we already knew – that consent obtained for the purposes of setting cookies must be ‘consent’ as defined by the GDPR. What this means in practice is:
    1. a clear positive action – continuing to browse the website is not valid;
    2. granularity – the ability to consent to cookies used for some purposes, but not others; and
    3. no pre-ticked boxes or sliders set to ‘on’ – the default option for non-essential cookies must be ‘off’.
  2. A strong indication that, if consent is required to set the cookie under PECR, then consent should also be the lawful basis under Art. 6 of the GDPR for the collection of any personal data by the cookie. Obtaining a cookie consent but citing ‘legitimate interests’ as the GDPR basis will in most cases not be possible.
  3. In many cases, consent should also be the GDPR basis for the subsequent processing of personal data after its initial collection by the cookie – particularly if that processing is for the purposes of profiling, behavioural analysis or targeted advertising.
  4. ‘Cookie walls’ (i.e. conditioning access to a site or service on consent to certain cookies) are prohibited if they prevent access to the website in general. However, it may be possible to condition access to specific services on consent to certain cookies.
  5. ‘Settings-led’ or ‘features-led’ consent may be possible – where the choice to use particular settings or features (e.g. choosing local language website version) is integrated with consent to the supporting cookies, provided this is explained clearly.
  6. Subscribers vs. users – in some circumstances, it may be appropriate to accept the cookie preferences of the telecommunications subscriber over those of the user. For example, an employer (the subscriber) mandating particular settings on a work device issued to an employee (the user).
  7. The obligation to provide information about the purposes for which cookies are used must align with GDPR transparency standards (i.e. “concise, transparent, intelligible and easily accessible form, using clear and plain language”). Many cookie policies and pop-up notices will fail this standard.
  8. Companies setting third party cookies (commonly used for advertising (re)targeting and tracking purposes) must be specifically named.
  9. The exemptions from the requirement for cookie consent under PECR become much more significant, given that they represent a ‘safe harbour’ from these stricter requirements. There is helpful, detailed guidance on the types of cookies which may benefit from the ‘communication’ and ‘strictly necessary’ exemptions.
  10. User preferences have a shelf life – after a period of time website operators should re-consent their users. It is unclear how to determine a reasonable period of time in practice.
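As an added illustration (not part of the ICO guidance or this post), the following JavaScript sketches a consent state model that follows points 1 and 10 above: every non-essential purpose defaults to off, consent is granular per purpose, only an explicit recorded choice counts (browsing on never changes the state), and a recorded choice expires after a fixed period so the user must be asked again. The purpose names, the 180-day period and the `jar` stand-in for `document.cookie` are assumptions made for the example.

```javascript
// Added example: a minimal consent model reflecting the guidance described
// in the post. Purpose names and the 180-day period are assumptions.
const NON_ESSENTIAL_PURPOSES = ["analytics", "advertising", "personalisation"];
const CONSENT_MAX_AGE_MS = 180 * 24 * 60 * 60 * 1000; // assumed re-consent period

function defaultConsentState() {
  // Nothing is pre-ticked: every non-essential purpose starts as false,
  // and no positive action has been recorded yet (decidedAt is null).
  const purposes = {};
  for (const p of NON_ESSENTIAL_PURPOSES) purposes[p] = false;
  return { purposes, decidedAt: null };
}

function recordConsent(state, choices, now = Date.now()) {
  // Called only from an explicit user action in the consent UI. A purpose
  // counts as consented only when its value is literally `true`.
  const purposes = { ...state.purposes };
  for (const p of NON_ESSENTIAL_PURPOSES) {
    if (p in choices) purposes[p] = choices[p] === true;
  }
  return { purposes, decidedAt: now };
}

function consentIsCurrent(state, now = Date.now()) {
  // A choice has a shelf life; once it is older than the period, treat the
  // user as undecided and ask again.
  return state.decidedAt !== null && now - state.decidedAt < CONSENT_MAX_AGE_MS;
}

function mayStoreCookie(state, purpose, now = Date.now()) {
  // Strictly necessary cookies fall under the PECR exemption and need no consent.
  if (purpose === "strictly-necessary") return true;
  // An unknown purpose has never been presented to the user, so deny it.
  if (!NON_ESSENTIAL_PURPOSES.includes(purpose)) return false;
  return consentIsCurrent(state, now) && state.purposes[purpose] === true;
}

function setCookieIfPermitted(state, purpose, name, value, jar, now = Date.now()) {
  // `jar` (a Map) stands in for document.cookie so the example runs outside a browser.
  if (!mayStoreCookie(state, purpose, now)) return false;
  jar.set(name, value);
  return true;
}
```

The gating function is the part worth keeping: every code path that writes a non-essential cookie should go through it rather than checking a single global "accepted" flag.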

How should my business respond?

One of the ICO’s recommendations is to conduct a cookie audit, in order to understand the full range of first and third party cookies which a business is using, and the purposes for which those technologies are being deployed. This will be a sensible starting point for many organisations. As part of this audit, a business should carefully delineate between those cookies which will trigger the PECR consent requirement, and those which could defensibly benefit from one of the two categories of exemption. Thereafter, in the majority of cases it is likely that remedial work will be required to both the consent mechanism itself, as well as to the underlying cookie policy or notice.

The ICO has, unsurprisingly, confirmed that its approach to enforcement will prioritise the use of cookies which are perceived to cause a high level of intrusiveness – for which we can read those that support user tracking, advertising and behavioural profiling, rather than those used for general analytics or to improve the look or feel of a website.

For further information and advice on next steps, please get in touch with your usual DLA Piper contact.

James Clark, DLA Piper UK LLP