Everyone's talking about cookies!
In the last few days cookies have made the headlines several times – with the CNIL announcing that they intend to make online advertising a "top priority" in 2019 (see our blog here) and the ICO releasing first their adtech update report (here) and then, most recently, their updated cookie guidance.
So what are the key takeaways from the ICO's latest cookie guidance?
1. Consent is the most "appropriate" lawful basis under the GDPR
Reg. 6 of the UK's Privacy and Electronic Communications (EC Directive) Regulations 2003 ("PECR") requires consent for any cookies which are not "strictly necessary" to provide user-requested services or used for the "sole purpose" of a transmission. However, there has been ongoing confusion as to whether, if consent is required under PECR, it follows that the lawful basis for processing under Art 6 of the GDPR must also be consent, or whether an alternative legal basis, like legitimate interests, may be relied upon.
The ICO has sought to tackle this in its guidance, saying, in short, that if your cookies require consent under PECR then the ICO considers that the most "appropriate" lawful basis under the GDPR is also consent, and discouraging reliance on legitimate interests (the ICO says that reliance on legitimate interests in this context would be "an entirely unnecessary exercise, and would cause confusion for your users").
However, despite this, the ICO does continue to suggest that "where personal data is involved, it may be possible to rely on an alternative lawful basis for subsequent processing beyond the setting of any cookies. However, you will need to consider the specifics very carefully, particularly if the envisaged processing includes sharing that data with third parties".
In practical terms, this means that if you are the party that enables the setting of cookies on the user's device, you will need consent (both under PECR and the GDPR). However, downstream vendors that receive cookie data for processing, but did not set or access the cookie themselves, may seemingly still be able to rely on legitimate interests for their processing.
2. Analytics cookies are not "strictly necessary"
Analytics cookies provide you with key insights into how users engage and interact with your online content. To your business these analytics may seem "essential" and "necessary", but are they "strictly necessary" for your website to function? The ICO's guidance makes clear that the answer is no.
So, even though analytics cookies may seem "essential" and "necessary" to you for your reporting purposes, you still need consent for them. This isn't new law or guidance (prior European guidance has been saying this for years – e.g. see here), but the ICO Guidance is a helpful reminder about the need for consent for your analytics cookies – and that the concept of "strictly necessary" cookies is a very narrow test!
3. No implied consent
As we know, consent for cookies must be obtained to the standard of the GDPR, and under the GDPR, valid consent requires a "freely given, specific, informed and unambiguous" indication of wishes via a "clear affirmative action". But what does this mean in practice for cookies?
Again, the advice here isn't particularly new but serves as a warning that the implied consent solutions that many websites still rely on in practice won't be acceptable to the ICO in a post-GDPR world.
4. Any consent mechanism you use MUST allow users to control ALL cookies dropped on your website, including third party cookies
You need to ensure that any consent mechanism you put in place allows users to control ALL cookies. As this includes third party cookies you should consider this before incorporating a third party cookie onto your website – do you have the ability to offer control of those cookies to your users via your own consent mechanism?
The ICO Guidance acknowledges that in practice this can be challenging, with some cookies requiring users to manage their preferences directly with the third party, but goes on to state that although this is the case, "a consent mechanism that works only for some of the cookies would not be compliant".
5. BUT avoid providing a long list of checkboxes
Whilst your consent mechanism must provide for users to control ALL cookies, the ICO Guidance encourages businesses to consider how this is achieved in practice. Long lists of cookies may be necessary to meet the requirements of granularity and transparency (and this is currently the approach of a number of websites), but the ICO warns of the risks of such an approach, with users not interacting at all or being unable to understand what they are actually consenting to. In practice, this really is about finding a practical middle ground, perhaps grouping cookies within categories to make it easier for the user to navigate and understand.
6. Relying solely on browser settings is not sufficient
Whilst some users may have selected their preferences within their browser settings, the ICO Guidance reminds businesses that, for consent to be indicated in this way, you would have to evidence that a user has been prompted to consider their browser settings and has indicated a positive action that they are happy with their default preferences, or made changes to such preferences.
Although the ICO Guidance indicates that in the future it may be possible for browser settings to be used to indicate consent (depending, for example, on how discussions on the EU's new e-Privacy Regulation develop), it goes on to say that even with improvements to cookie options within browser settings "it is likely not all users will have the most up-to-date browser with the enhanced privacy settings needed to constitute an indication of consent". In other words, avoid relying only on browser settings to indicate consent to cookies – it's unlikely to be sufficiently robust to meet regulatory expectations.
7. Use of a cookie wall for general website access is unlikely to be accepted
A cookie wall requires users to agree or accept cookies before accessing a website. This is sometimes justified on the basis that the recitals to the e-Privacy Directive (specifically Recital 25) indicate that access to "specific website content" may be conditioned on the user's well-informed acceptance of a cookie.
8. Just adding an "I accept" button is not in itself enough to constitute valid consent
As noted at point 3 above, the ICO Guidance makes it clear that "continuing to browse" is not an affirmative action, but it goes even further, stating that even the use of an "I accept" button may not be enough to constitute valid consent. So what does the ICO want to see?
The ICO Guidance says that users must be allowed to make a genuine choice. A cookie banner or mechanism which only has the option to "Accept", or only has the option to "Accept" or select "Further information" (without the ability to "Reject" cookies), is non-compliant. Users are not being given a genuine choice in these scenarios – it is made too difficult for them to reject cookies.
In addition, users shouldn't be "pushed" into clicking "Accept" – banners and mechanisms which emphasise the "Accept" option over the ability to reject the cookies are also considered non-compliant in the ICO Guidance. So it may be worth taking a look at your current cookie banner and asking whether you are giving equal prominence to the accept and reject options.
Overall, while much of the above is not "new" guidance per se, it is a helpful and timely reminder of the ICO's views post-GDPR and can be used to revisit your own organisation's approach to cookie compliance. Looking further afield, with guidance due from the French data protection authority (the CNIL) shortly, ongoing adtech complaints in a number of European territories, and the ePrivacy Regulation slowly making its way through the European legislative process, it's definitely the year of the cookie!
Written by Hannah Wallett