Cookies bite back

Friday 5th July 2019

There has been an important development on cookies for website operators. The key point is that what you currently do is probably wrong. It is no longer acceptable to use non-essential cookies (which include cookies used for advertising and analytics) without consent. Website users will have to opt in to accept them, rather than the cookies being set by default.

The ICO has published new guidance on the use of cookies and a blog to dispel some myths around them. If you head over to the ICO’s website, the more eagle-eyed may also notice it has changed the cookie control mechanism on its website. This comes after the ICO recently admitted that its previous mechanism wasn’t GDPR compliant.

The ICO has addressed the following uncertainties:

Myth 1: You can rely on implied consent for the use of cookies

Incorrect! The GDPR standard of consent is considerably higher than under previous law, so implied consent is no longer acceptable. This means:

  • users must take a clear and positive action to consent to non-essential cookies;
  • websites and apps must tell users clearly what cookies will be set and what they do, including any third-party cookies;
  • pre-ticked boxes, sliders defaulted to ‘on’ or any equivalents cannot be used for non-essential cookies;
  • users must have control over any non-essential cookies; and
  • non-essential cookies must not be set on landing pages before you gain the user’s consent.

Consent isn’t required for cookies that are strictly necessary to deliver a service requested by the user. However, any non-essential cookies (those that are simply helpful or convenient and not part of the functionality the user requests), including third-party cookies used for the purposes of online advertising or web analytics, require prior consent to the GDPR standard.

Myth 2: Analytics cookies are strictly necessary so you do not need consent

The ICO recognises that analytics can provide useful insight; however, they are not part of the functionality that the user requests when they use an online service – for example, if you didn’t have Google Analytics running, the user could still access your service.

Myth 3: You can use a cookie wall to restrict access to your site until users consent

Using a blanket approach is unlikely to represent valid consent. Statements such as ‘by continuing to use our website you are agreeing to cookies’ are not valid consent under the higher GDPR standard. However, the ICO recognises there are some differing opinions as well as practical considerations around the use of partial cookie walls and will be seeking further submissions and opinions on this point.

Myth 4: You can rely on legitimate interests to set cookies, so you do not need consent

The Privacy and Electronic Communications Regulations always require consent for non-essential cookies, such as those used for the purposes of marketing and advertising. Legitimate interests cannot be relied upon for these cookies.

Ryan Gracey, solicitor and technology law expert, said: “Cookie compliance will be an increasing regulatory priority for the ICO in the future. Its official line is that it supports innovation but that can’t always be at the expense of people’s legal rights. Time will tell how many people give consent for non-essential cookies, but it will undoubtedly restrict the reach of advertisers. The industry must now look at developing an alternative method of getting the information it needs to understand, identify and target consumers