ICO publishes new cookie guidance

What's the issue?

Consent is needed for cookies and similar technologies used by organisations based in the EEA (subject to limited exceptions) under the ePrivacy Directive which is implemented in the UK by the Privacy and Electronic Communications Regulations (PECR). PECR also lays down information requirements around cookies.

In addition, where the cookies relate to personal data processing, the GDPR will apply, not only to organisations based in the EEA, but where non-EEA organisations are processing the data of EEA citizens, targeting goods or services to them, or monitoring their behaviour.

The EU is in the process of updating the ePrivacy Directive but the replacement Regulation is stuck in the legislative process. Perhaps the biggest change to the rules on cookies has already taken place; the definition of 'consent' in PECR has changed to match the definition in the GDPR. This means consent, whether under PECR or the GDPR, must be freely given, informed, specific, and an unambiguous indication of the data subject's wishes.

The new definition of consent has raised compliance issues for many businesses, in particular, those which use cookies for interest-based advertising, tracking and marketing.

What's the development?

The ICO has updated its guidance on cookies and similar technologies, and published a 'myth busting' blog. The guidance does not look ahead to the ePrivacy Regulation.

What does this mean for you?

The guidance stresses the importance of consent, both under PECR and the GDPR in terms of the appropriate lawful basis to use for cookies which involve processing personal data. Many websites will find that they do not comply in light of this guidance and should note the ICO's focus on privacy-intrusive cookies for enforcement purposes.

While the guidance highlights a number of issues with current market practice, it does not always come up with practical compliance suggestions and to some extent leaves questions unanswered. It is, however, essential to carry out an audit in light of this guidance and to make any necessary changes. The ICO's message is: "start working towards compliance now – undertake a cookie audit, document your decisions and you will have nothing to fear".

Please contact us for specific advice, and listen to our recent webinar on adtech and cookies, which is available here.

Consent to cookies cannot be implied.
Analytics cookies are not strictly necessary and do require consent under PECR where PECR applies.
You cannot use cookie walls pending consent where consent is required.
If you need consent under PECR you can't rely on legitimate interests for non-essential cookies which involve processing of personal data as a lawful basis under the GDPR; you need to rely on consent.
Cookie compliance will be a priority for the ICO but any action will be proportionate.
Organisations are urged to "start working towards compliance now – undertake a cookie audit, document your decisions and you will have nothing to fear".

Guidance – the theory

What do you need to do if you use cookies? Tell users and subscribers what cookies will be set, what they will do, and obtain consent to store cookies on devices (unless they fall within the strictly necessary or communication exemptions).

Clear and comprehensive information – should be provided in accordance with data protection law ie GDPR transparency requirements and right to be informed. Essentially you need to provide the same kind of information to users about cookies as you would when processing their personal data. This has to cover the cookies you intend to use and what you want to use them for. These requirements also apply to third party cookies.

Users must also be made aware of the cookies being placed on their devices and this information as well as the ability for users to refuse cookies must be given in a user friendly manner (as user friendly as possible).

The guidance is not particularly helpful about how to present information, saying long tables or detailed lists of all the cookies on the site "may be the type of information your users will want to consider". It "may also be helpful" to provide a broader explanation, for example, a description of the types of things you use analytics cookies for. "This may be more likely to satisfy the requirements" than simply listing all the cookies used with basic references to their function.

This inconclusive advice highlights the tension between explaining everything to the user (which could involve lists of hundreds of cookies) in order to satisfy the transparency and consent requirements, and presenting information in a manner which will engage the user.

Consent – required for all non-essential cookies (unless the communication exemption applies) whether or not they will process personal data. This is GDPR level consent so it must be freely given, specific, informed, and an unambiguous expression of the data subject's wises. For cookies it means that:

The user must take a clear and positive action to indicate consent to non-essential cookies.
Continuing to use a website does not indicate consent.
Users must be clearly informed about the cookies and what they do before they consent to them being set.
Third parties setting cookies must be specifically named and there must be an explanation of what the third parties will do with the data.
No pre-ticked boxes or equivalents.
Users must be given controls over any non-essential cookies and users must be able to access the website even if they don't consent to those cookies.
Non-essential cookies must not be placed on landing pages or run until the user has given consent.
If an employee uses a device provided by the employer, the employer's wishes will take precedence.

Strictly necessary – this also includes what is required to comply with any other legislation that applies eg security requirements of data protection law. It is good practice to continue to provide clear information about strictly necessary cookies and if personal data is involved, you will also need to comply with the GDPR.

Strictly necessary cookies include shopping basket cookies, cookies required to comply with the GDPR security principle, and cookies to help a page load quickly. It does not include analytics cookies, first and third party advertising cookies, or cookies used to recognise a user when they return to a website.

If a cookie is strictly necessary, you can only use it for the purpose for which it is strictly necessary.

Relationship between cookie rules and the GDPR

PECR takes precedence over the GDPR so you need to look first at PECR, then at the GDPR (and Member State data protection rules). Where the setting of a cookie involves the processing of personal data, you will need to comply with the additional requirements of the GDPR.

PECR applies whether or not storage of or access to information on user devices involves processing personal data.

Online identifiers can also include things like MAC addresses, advertising IDs, pixel tags, account handles, and device fingerprints. When assessing whether an individual is identifiable, remember that the question includes whether or not information can be combined to identify the individual.

Even where cookie rules do not apply, you may need to comply with the GDPR.

Cookie consent and lawful basis – if you need consent under cookie rules, then consent must be your lawful basis to set them where they involve personal data. Where PECR and the GDPR apply, you can only rely on another lawful basis to set the cookie if the cookie meets one of the PECR exemptions (strictly necessary or communications exemption).

It may be possible to rely on another lawful basis where personal data is involved for subsequent processing beyond the setting of the cookie "however, you will need to consider the specifics very carefully, particularly if the envisaged processing includes sharing data with third parties". Regulators including the ICO have previously stated that "in certain cases, the processing of personal data that follows or depends on the setting of cookies is highly likely to require consent as its lawful basis." This is not only because the personal data originates by the use of the cookies but because of the nature, scope, context and purposes of the processing operations themselves.

Analysing or predicting preferences or behaviour – In accordance with WP29 guidance on purpose limitation (published in 2013) opt-in consent will almost always be required for analysing or predicting the personal preferences, behaviour and attitudes of individual users with this informing measures or decisions taken about them.

The same guidance says that consent should be required for certain purposes including: tracking and profiling for direct marketing, behavioural advertising, data-brokering, location-based advertising or tracking-based digital market research. "This means that in most circumstances, legitimate interests is not considered to be an appropriate lawful basis for the processing of personal data in connection with profiling and targeted advertising", says the cookie guidance.

Guidance – practical advice

Carry out a cookie audit.
Tell people the purposes and duration of the cookies you use. This information must be provided in such a way that the user will see it on first visit, usually within the consent mechanism. Provide a link to more detailed information about cookies in a privacy or cookie policy accessed through a link within the consent mechanism at the top or bottom of the website. Make sure it is sufficiently prominent through formatting, positioning and wording.
If children access your online service, consideration needs to be given to making the information and the consent mechanism appropriate for children – see the ICO's code of practice on age appropriate design. Nudge behaviour cannot be used where an online service is likely to be accessed by a child.
How you request consent will depend on what cookies you are using and the relationship with your users. There are a number of different methods but users must have control over the cookies set, including third party cookies. A consent mechanism which does not allow control over third party cookies or requires the user to visit different websites and take different actions to disable cookies will not be compliant. ‍
Message boxes and pop-ups may be a way to achieve compliance but they must also work on mobile devices or there will not be valid consent. Long lists of checkboxes may help to make the consent mechanism more granular but if users fail to interact, again consent will not be valid. While electronic consent requests are not supposed to be unnecessarily disruptive (Recital 32 GDPR), this does not override the need to get valid consent so some level of disruption may be necessary.
Settings-led consent using preference or user interface cookies should be explained to the user. Agreement can be integrated with the choice the user is making but it is important to ensure that purpose limitation is observed.
Currently, you cannot rely solely on browser settings to obtain consent. This is because not everyone accessing websites will do so with the same type of browser or add-ins. Browser settings may be an appropriate method of gaining consent but only if the user or subscriber is able to indicate their agreement, and it is clear that they have been prompted to consider their current browser settings. Evidence of a positive action would be required.
Cookie consent must be unbundled from terms and conditions.
Cookie walls are inappropriate for general access to a site where cookie consent is needed as consent has to be freely given – not the case where you need to consent in order to access a site. Access to specific website content may be made conditional on acceptance of a cookie if it is used for a legitimate purpose – this covers essential cookies, not third party analytics or online advertising cookies. The key is that individuals are provided with a genuine choice; consent should not be bundled as a condition of the service unless it is necessary for that service.
You cannot pre-enable non-essential cookies.
You must provide clear and comprehensive information and have an appropriate GDPR-compliant consent mechanism.
Where third party cookies are used, both the first party and the third party will be responsible for ensuring cookie rules are complied with, but in practice, it is going to be easier for the first party to control this.
Third parties setting cookies should include relevant contractual obligations in agreements with publishers. They may need to take steps to ensure consents have been validly obtained.
Designers and developers of websites or similar need to ensure the designs allow clients to comply with the law.
You need to ensure proper information is given about third party cookies and relevant consents obtained.
Analytics cookies are not exempt from the consent requirement. If analytics information is passed to a third party, this should be made clear to users along with what the third party will do with the information and users may be offered the ability to limit third party sharing of analytics information. You are unlikely to face enforcement action in relation to first party analytics cookies but this may not be the case if they are provided by a third party.
The following types of cookies are likely to meet a PECR exemption (subject to compliance with purpose limitation): user input, authentication, security, content streaming, network management, user preference. Generally, the exemptions are more likely to apply to session cookies.
The following types of cookies will require consent: social media plugins, social media tracking, online advertising, cross-device tracking, analytics.
You must give users information about their right to withdraw consent and a mechanism by which they can withdraw it which is as easy as the mechanism used to collect consent.
Consent should be obtained from first time visitors and re-consents may be required although not necessarily for each visit.
Careful consideration should be given to the duration of cookies and records should be kept about this.
Use of cookies should be proportionate in relation to intended outcome and limited to what is necessary to achieve your purpose.
If you link to a website or social media platform, you are a joint controller in terms of determining the purpose and means of the processing of any personal data of the user which visits your presence on the platform or website being linked to. This is true even if the network only provides you with anonymised or aggregated statistical information, as in order to generate it, the platform will process personal data.
Cookie rules apply to public authorities.
Cookie rules apply across all devices. If space is limited or non-existent, you may need to consider providing instructions in packaging or during product registration or using a companion mobile app to provide an interface to deliver information and obtain consent.
If you are based in the UK, your website will be subject to PECR even if it is hosted outside the UK. The GDPR has extra-territorial effect, but PECR does not have specific provisions regarding organisations operating outside the EEA. In practical terms, however, many of the information provisions and the requirement to obtain GDPR consent (and use consent as a lawful basis) will apply where the GDPR applies, depending on what the cookie is used for.

Guidance – enforcement

The ICO cannot exclude formal action in any area but it is unlikely that priority will be given to use of cookies where there is a low level of intrusiveness and low risk of harm to individuals. The ICO will consider whether controllers can demonstrate they have done everything possible to clearly inform users about the cookies in question and provided them with clear details of how to make choices. The ICO is unlikely to prioritise first party cookies used for analytics purposes where there is a low privacy risk, or cookies which support accessibility of sites and services.