The ICO has issued its long-awaited updated cookies guidance.
The blog post aims to bust five key myths:
Fact: Implied consent cannot be relied on, because the GDPR standard of consent is much higher than under previous legislation. This means that implied consent is no longer acceptable – whether it is for cookies, or for processing personal data. In practice, this means:
Consent is not required for cookies that are defined as ‘strictly necessary’ – those that are essential to providing the service requested by the user. Such cookies must be essential to fulfil their request. Those that are simply helpful or convenient, but not essential - or that are only essential for the organisation’s own purposes - will still require consent.
Any non-essential cookies, including third party cookies used for the purposes of online advertising or web analytics, require prior consent to the GDPR standard. The guidance explains in more detail how this applies to cookies.
Myth 2: Analytics cookies are strictly necessary so we do not need consent
Fact: While the ICO recognises that analytics can provide useful information, they are not part of the functionality that the user requests when they use an online service – for example, if an organisation did not have analytics running, the user would still be able to access the service. This is why analytics cookies are not strictly necessary and so require consent.
Myth 3: We can use a cookie wall to restrict access to our site until users consent
Fact: Using a blanket approach such as this is unlikely to represent valid consent. Statements such as ‘by continuing to use this website you are agreeing to cookies’ are not valid consent under the higher GDPR standard. However, the ICO recognises there are some differing opinions as well as practical considerations around the use of partial cookie walls and it will be seeking further submissions and opinions on this point from interested parties.
Myth 4: We can rely on legitimate interests to set cookies, so we do not need consent
Fact: PECR always requires consent for non-essential cookies, such as those used for the purposes of marketing and advertising. Legitimate interests cannot be relied upon for these cookies.
Myth 5: The ICO wants online services to stop using cookies and similar technologies
Fact: The ICO supports innovation but that cannot always be at the expense of people’s legal rights. Cookies and similar technologies are important in ensuring the smooth running and convenience of much of the digital world. It is simply a matter of using them in a legally compliant way.
Cookie compliance will be an increasing regulatory priority for the ICO in the future, but it points out that any future action would be proportionate and risk-based. It advises organisations to start working towards compliance now - undertake a cookie audit and document decisions.