On 3rd July 2019, the ICO has published new guidance on the use of cookies. This followed shortly after changes to their website cookie compliance mechanism, which the ICO admitted was being updated as it was not GDPR compliant.
The main rules on cookies are set out in the Privacy and Electronic Communications Regulations (PECR). These state that website owners, app developers and others who use cookies and similar technologies must:
- tell people that the cookies are there;
- explain what the cookies are doing and why; and
- get the person’s consent to store a cookie on their device, unless the cookie is strictly necessary (i.e. essential to provide the service requested by the user, or to comply with law).
The GDPR is, however, still very relevant to cookies, both because the personal data collected by cookies must be processed in accordance with the GDPR and because some of PECR's key concepts, like the standard of consent, come from the GDPR.
In a ‘myth busting’ blog post on the new guidance, also published today, the ICO tries to clarify some uncertainty that has developed around the use of cookies since the GDPR has been in force. For example, the blog confirms that neither implied consent nor the legitimate interest condition can be relied on when setting cookies, and that analytics cookies are not strictly necessary. It also reconfirms that using cookie walls to restrict access to a website until users consent, and relying solely on statements such as “by continuing to use this website you are agreeing to cookies” is not valid consent. The guidance itself clarifies this further, confirming that website owners “must provide users with controls over any non-essential cookies, and still allow users access to [their] website if they don’t consent to these cookies” and that non-essential cookies should not be placed on website landing pages.
The blog concludes by saying “cookie compliance will be an increasing regulatory priority for the ICO in the future. However, as is the case with all [ICO] powers, any future action would be proportionate and risk-based. Start working towards compliance now - undertake a cookie audit, document your decisions, and you will have nothing to fear.”
To date, some organisations have been adopting a ‘wait and see’ approach to cookie compliance – knowing that the PECR rules themselves are currently under review at EU level and that the ICO had not yet fully updated its cookie guidance. However, this clear message from the ICO, together with continuing delays to the PECR reforms, mean that (despite cookie compliance being complex and fact specific) now is the time to act.
