ICO issues long-awaited cookies guidance and busts some myths

July 3, 2019

The ICO has updated its cookies guidance as well as publishing a blog post seeking to bust a few myths about cookies.

Since the General Data Protection Regulation came into effect in May 2018, there has been a great deal of interest in how it applies to cookies and similar technologies. The main rules on the use of cookies are provided in the Privacy and Electronic Communications Regulations 2003 SI 2003/2426 (PECR). However, some of PECR’s key concepts now come from the GDPR, such as the standard of consent.

As a result, the ICO has published updated guidance on the use of cookies as well as changing the cookie control mechanism on its own website to mirror the changes in the new guidance. The guidance aims to provide more clarity and certainty about how to use cookies.

The blog post aims to bust five key myths:

Myth 1: We can rely on implied consent for the use of cookies

Fact: Implied consent cannot be relied on, because the GDPR standard of consent is much higher than under previous legislation. This means that implied consent is no longer acceptable – whether it is for cookies, or for processing personal data. In practice, this means:

  • users must take a clear and positive action to consent to non-essential cookies;
  • websites and apps must tell users clearly what cookies will be set and what they do – including any third party cookies;
  • pre-ticked boxes or any equivalents, such as sliders defaulted to ‘on’, cannot be used for non-essential cookies;
  • users must have control over any non-essential cookies; and
  • non-essential cookies must not be set on landing pages before a website/app gains the user’s consent.

Consent is not required for cookies that are defined as ‘strictly necessary’ – those that are essential to providing the service requested by the user. Such cookies must be essential to fulfil their request. Those that are simply helpful or convenient, but not essential – or that are only essential for the organisation’s own purposes – will still require consent.

Any non-essential cookies, including third party cookies used for the purposes of online advertising or web analytics, require prior consent to the GDPR standard. The guidance explains in more detail how this applies to cookies.

Myth 2: Analytics cookies are strictly necessary so we do not need consent

Fact: While the ICO recognises that analytics can provide useful information, they are not part of the functionality that the user requests when they use an online service – for example, if an organisation did not have analytics running, the user would still be able to access the service. This is why analytics cookies are not strictly necessary and so require consent.

Myth 3: We can use a cookie wall to restrict access to our site until users consent

Fact: Using a blanket approach such as this is unlikely to represent valid consent. Statements such as ‘by continuing to use this website you are agreeing to cookies’ are not valid consent under the higher GDPR standard. However, the ICO recognises there are some differing opinions as well as practical considerations around the use of partial cookie walls and it will be seeking further submissions and opinions on this point from interested parties.

Myth 4: We can rely on legitimate interests to set cookies, so we do not need consent

Fact: PECR always requires consent for non-essential cookies, such as those used for the purposes of marketing and advertising. Legitimate interests cannot be relied upon for these cookies.

Myth 5: The ICO wants online services to stop using cookies and similar technologies

Fact: The ICO supports innovation but that cannot always be at the expense of people’s legal rights. Cookies and similar technologies are important in ensuring the smooth running and convenience of much of the digital world. It is simply a matter of using them in a legally compliant way.

Cookie compliance will be an increasing regulatory priority for the ICO in the future, but it points out that any future action would be proportionate and risk-based. It advises organisations to start working towards compliance now – undertake a cookie audit and document decisions.
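One concrete check for the cookie audit the ICO recommends, as an added example that is not part of the ICO guidance or this post: it takes the Set-Cookie headers captured from the first, pre-consent load of a landing page and reports every cookie outside the site's documented strictly-necessary list, flagging third-party ones by their Domain attribute (Myth 1's "no non-essential cookies before consent" rule). The site host, cookie names and header values below are constructed.

```python
from http.cookies import SimpleCookie

# Constructed sample: Set-Cookie headers captured from the first response of a
# landing page, before the user has taken any consent action. Hypothetical names.
SITE_HOST = "www.example.org"
PRE_CONSENT_SET_COOKIE_HEADERS = [
    "session_id=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
    "csrf_token=9f8e7d; Path=/; Secure; SameSite=Strict",
    "_ga=GA1.2.111.222; Path=/; Domain=.example.org; Max-Age=63072000",
    "ad_id=xyz; Path=/; Domain=.ads.example.net; Secure; SameSite=None",
]

# Cookies the site has classed as strictly necessary in its audit documentation.
STRICTLY_NECESSARY = {"session_id", "csrf_token"}


def parse_set_cookie(header):
    """Return (name, {'domain', 'max_age'}) for one Set-Cookie header value."""
    jar = SimpleCookie()
    jar.load(header)
    name = next(iter(jar))
    morsel = jar[name]
    return name, {"domain": morsel["domain"], "max_age": morsel["max-age"]}


def is_third_party(domain, site_host):
    """A Domain attribute that does not cover the site host marks a third-party cookie."""
    if not domain:          # host-only cookie: set by the site itself
        return False
    d = domain.lstrip(".").lower()
    host = site_host.lower()
    return not (host == d or host.endswith("." + d))


def audit_pre_consent(headers, necessary, site_host):
    """List cookies set before consent that are not strictly necessary."""
    findings = []
    for header in headers:
        name, attrs = parse_set_cookie(header)
        if name in necessary:
            continue
        findings.append({
            "name": name,
            "third_party": is_third_party(attrs["domain"], site_host),
            "max_age": attrs["max_age"],
        })
    return findings
```

Run it against the headers of a real pre-consent page load and any finding is a cookie that, under the guidance above, needs either reclassification with a documented justification or gating behind a positive consent action.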