On 3 July 2019, the UK Information Commissioner’s Office (ICO) published its updated guidance on the rules that apply to the use of cookies and other similar technologies (see Legal update, ICO publishes new cookies guidance). The ICO has also changed the cookie control mechanism on its own website to mirror the changes in the new guidance.
What is the significance of the new cookies guidance?
Since the EU legislators shocked the internet world almost a decade ago by changing the legal requirement for the use of cookies and similar technologies from “notice and opt-out” to “notice and consent”, many businesses have struggled to find a way to balance the expectations of the regulators with the effective functioning of their services without disrupting the experience of those that use them (see Legal update, Government publishes revised E-Privacy Regulations).
On 29 March 2019, the UK rules were updated to confirm that the standard of consent required to set and access cookies is that of the higher standard required by the EU’s General Data Protection Regulation ((EU) 2016/679) (GDPR) (see Legal update, The Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 (SI 2019/419) made: Brexit SI).
The ICO’s new cookie consent guidance may help with taking a view on how to address the obligations in practice, but it also contains some robust views that will likely cause those who have taken steps to address the cookies rules already to re-think them.
What are the rules about using cookies and similar technologies?
In the UK, the rules are set out in the Privacy and Electronic Communications (EC Directive) Regulations (SI 2003:2426) (as amended) (PECR), which implemented the ePrivacy Directive (2002/58/EC). Any organisation that uses non-essential cookies must:
- Provide notice that says what cookie or similar technologies will be set.
- Explain what the cookies will do.
- Obtain consent to store cookies on devices.
The rules apply to cookies and any other similar technologies that store or access information on a user’s device. This includes pixels, tags, web beacons, device fingerprinting and JavaScript – including those from other services, such as online advertising networks or social media platforms.
The rules apply to cookies set on computers and mobile devices, as well as other equipment such as wearable technology, smart TVs and connected devices including the internet of things.
What are the key takeaways from the ICO’s new cookies guidance?
Some of the key points to note from the guidance are as follows:
The use of cookie walls as a blanket approach to restrict access to a service until users consent will not comply with the cookie consent requirements. The ICO views this approach as inappropriate if the use of a cookie wall is intended to require, or influence, users to agree to their personal data being used by a business or any third parties as a condition of accessing its service, as a user has no genuine choice but to accept cookies.
Implied consent is also not an option for complying with the cookies rules. Statements such as “by continuing to use this website you are agreeing to cookies”, should not be used as they do not meet the requirements for valid consent required by the EU data privacy rules contained in the GDPR.
As consent must be an informed, unambiguous, clear and positive action, pre-ticked boxes or any equivalents, such as sliders defaulted to “on”, cannot be used for non-essential cookies. Users must have control over any non-essential cookies and they must not be set on landing pages before consent is obtained.
“Bundling” is non-compliant. Obtaining consent to cookies must be separate from terms and conditions or privacy notices (see Legal update, Opinion that cookie consent must be active and separate (Advocate General)).
Using a banner, pop-up or splash page may be a useful way to highlight the use of cookies and to obtain consent, but this kind of approach will not be valid if non-essential cookies are set when a user clicks elsewhere on a page or does not engage with the consent box or the options available. This is because a user is not giving a clear and positive action to consent to cookies as is required by the GDPR (see Standard document, Information about cookies: short-form notice (PECR, GDPR and DPA 2018) (UK)).
Website operators should not pre-enable any non-essential cookies. The ICO’s view is that just because users may be unlikely to select a particular non-essential cookie when given the choice, or because the cookie is not privacy intrusive, this is not a valid reason to pre-enable it. Enabling a non-essential cookie without the user taking a positive action before it is set on their device does not represent valid consent. By doing this, the website operator is taking the choice away from the user.
The ICO also views consent mechanisms that emphasise that users should “agree” or “allow” cookies over “reject” or “block” as non-compliant. It calls this “nudge behaviour”, which influences users towards the “accept” option.
Consent mechanisms which incorporate consent controls in a ‘more information’ section rather than as part of the initial banner, pop-up or other solution are also deemed non-compliant on the basis that they do not allow users to make a choice before non-essential cookies are set.
Advertising and analytics cookies do not fall into the category of “strictly necessary” cookies and so they fall within the cookie consent rules. While advertising cookies may be crucial in the eyes of a website or mobile app operator, as they bring in revenue to fund the service, they are not “strictly necessary” from the point of view of the website user and hence, the law.
If a website uses third party cookies, then the parties must work together to ensure notice is provided to users and valid consent is obtained. The ICO recommends that third parties that want to set cookies or that provide a product that requires the setting of cookies should include a contractual obligation in its agreement with website publishers to ensure that the cookie consent requirements are effectively dealt with.
For organisations operating outside the European Economic Area, the ICO confirms that PECR does not specifically apply. However, this does not mean that they are completely off the hook, as to the extent the use of cookies and similar technologies involves the processing of personal data, the GDPR will still apply. So, if a business is based in the USA and offers online services designed for or targeted to the European market, then that business will need to comply with the GDPR’s requirements in respect of the information provided to users, including information about the use of cookies, as well as when, and how, to obtain consent (see Practice note, Overview of GDPR: UK perspective: First data protection principle, Lawfulness, fairness and transparency).
In respect of any personal data processing activities that follow (or depend on) the setting of cookies, the ICO’s view is that such processing is likely to also require consent as the lawful basis for the processing (rather than legitimate interests, for example).
The relationship between PECR and the GDPR is one of the more complex aspects of cookie compliance and the ICO Cookies Guidance includes a helpful flowchart explaining when PECR and the GDPR are relevant. Earlier this year, the European Data Protection Board (EDPB) also published useful information on how the cookie rules relate to the GDPR (see Legal update, EDPB adopts Opinion on the interplay between the ePrivacy Directive and the GDPR).
What does all this mean?
The ICO’s guidance, along with its recent report into adtech and real time bidding are a clear signal that it expects anyone involved in internet tracking to evaluate their approach and change their practices (see Legal updates, ICO blogs on the adtech debate from a data protection perspective and ICO publishes update report into adtech and real time bidding).
The draft ePrivacy Regulation (draft ePR) is a piece of European legislation that is currently under development (see Legislation tracker: draft E-Privacy Regulation). Once it has been finalised, it will replace the ePrivacy Directive, which provides the framework on which the cookie consent rules are based. This means that the cookies rules may well be modernised and updated in the future (see Article, E-Privacy Regulation: developing slowly). However, these reforms are not yet finished and it is unclear what shape the new rules may take. For example, the approach to browser settings to obtain user consent and cookie walls remain contentious issues. Until such time as the draft ePR is adopted, the ICO expects that its guidance will be followed, hopefully making cookie compliance a little more digestible for website operators and users!
For further information see Practice note, Cookies: UK issues and the impact of GDPR and DPA 2018.