The guidance clarifies the interplay between the PECR and GDPR and provides practical steps to achieving cookie compliance.

By Fiona M. Maclean, Laura Holden, and Grace E. Erskine

The UK’s data protection supervisory authority, the Information Commissioner’s Office (ICO), published guidance on 3 July 2019 to provide greater clarity to organisations grappling with how the General Data Protection Regulation (GDPR) applies to cookies and similar technologies. The new guidance makes it clear that under the GDPR, consents cannot be the default or blind setting, and consents cannot be bundled, as had been the common “wait and see” practice among many online businesses and sites. Organisations subject to the ICO jurisdiction will want to pay immediate attention to this guidance, including some helpful, pragmatic tips.

The European law on cookies can be found in the European Directive 2002/58/EC (ePrivacy Directive) (as amended by Directive 2009/136/EC), as implemented into UK law by the Privacy and Electronic Communications Regulation 2003 (as amended) (PECR). Regulation 6 PECR constitutes the foundation of the UK rules requiring organisations setting non-essential cookies on websites to provide “clear and comprehensive information” to users and to obtain their consent to the use of cookies. 

Neither the PECR nor the ePrivacy Directive define consent. Accordingly, organisations should adopt the definition provided in GDPR Article 4(11) when assessing “consent” to cookies in the UK (as confirmed in Regulation 8(2) of the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019).

The ICO Guidance

The updated ICO guidance helps to clarify exactly how companies should apply the robust consent requirements under the GDPR to the collection of cookies. Coupled with a blog post entitled ‘Cookies – what does ‘good’ look like?’ and the ICO’s own revised cookie banner, the ICO is quite clearly putting a stake in the ground as to its interpretation of best practice in this somewhat murky area of the law.

Prior to the release of the guidance, market practices had been emerging that did not apply the full standard of GDPR consent to cookie setting. Specifically, many cookie banners and notices did not provide for unbundled consents to be given for each category of cookie placed on a website and did not offer users a right to ‘reject all’ on the landing page (favouring, instead, options for the user to ‘accept all’ or ‘learn more/ go to settings’ thus pushing the user through another page if they wanted to reject cookies). The impending change to cookie rules in the form of the new European ePrivacy Directive has meant that many organisations have chosen to adopt a “wait and see” attitude toward regulators’ approach and recommendations before making market-leading changes to operations.

This clarity has now been provided by the UK regulator, with the ICO guidance making it clear that consent to cookies should fulfil all of the GDPR criteria. The guidance assesses whether a variety of mechanisms — such as cookie walls, browser settings, and message boxes — are sufficient for obtaining valid consent. As a general rule, it concludes that companies must ensure that no non-essential cookies are placed on a site’s landing page and the mechanism deployed for collecting  consent must seek clear, unbundled acceptance each category of cookies or similar technology. For example, the ICO advises that:

  • Website terms and conditions and privacy notices cannot be used for cookie consent, as users must be provided with transparent and concise information relating specifically to cookies which is not bundled with information relating to the wider service or processing of other personal data.
  • Cookie walls that require a user to consent to access the services will be inappropriate, as such consent will not be freely given.
  • Relying on default settings (both on the site and in the user’s browser) is not sufficient unless coupled with a clear explanation that such settings require the use of cookies.

Compliance with the ICO guidance

The ICO guidance also provides some practical steps for complying with the cookie rules:

  • When launching a new service, an organisation must detail what cookies it will use and indicate which cookies are strictly necessary to provide service to the user. The operator must also ensure that appropriate contractual arrangements are in place for any third-party use of cookies on the platform.
  • For pre-existing services, operators might consider a “cookie audit”, which among other things, should: (i) identify specific cookies and cookie types on the relevant platform; (ii) confirm the cookies’ purpose; and (iii) identify what data each cookie holds or processes.
  • Operators should record “cookie audit” results, “clean up” webpages based on the results, and repeat audits at regular intervals.
  • Organisations should make users aware of cookies when they first visit the relevant platform and consider obtaining fresh consents following updates to content and functionality and when setting non-essential cookies from a new third party.

The ICO also explores operational considerations, such as record-keeping, refreshing consents, and cookie duration — all of which will be very much welcomed by organisations looking to implement new measures.

What next for cookie consent?

The updated guidance indicates that cookie consent is an area of focus for the ICO. Online service providers should therefore adopt the recommendations. While PECR infringement penalties are considerably lower than penalties under the GDPR (the enforcement regime under PECR remains that which was in effect under the Data Protection Act 1998), compliance remains important. The ICO guidance specifically notes that it “cannot exclude formal action” in this area.

It is important to note that all EU member states have their own implementing legislation for the ePrivacy Directive and the ICO guidance only relates to the UK. Therefore, businesses may want to consider IP-gating websites when applying the ICO recommendations if they do not agree with rolling them out Europe-wide. In our opinion however, the ICO guidance serves as a best practice guide, and we recommend implementing the recommendations broadly, where possible. Other supervisory authorities will likely follow in the ICO’s footsteps with similar guidance.

As next steps, companies should consider cookie audits where necessary, review and update cookie policies, and benchmark consent collection practices against the recommendations in the guidance.