Until now, most websites have relied on obtaining proper visitor consent only for tracking and privacy-intrusive cookies (which is what the ICO hinted at in their previous guidance and in their own cookie approach), meaning that non-essential but useful and non-intrusive cookies, like Google Analytics, could be placed without proper consent. This has now changed: the ICO says that proper GDPR-compliant consent is needed for all but essential cookies, including analytics cookies, third-party cookies, etc.
So, what’s changed?
The Privacy and Electronic Communications Regulations (2003) set out the rules for cookies (along with digital marketing compliance rules). Essentially PECR has always said (with some exemptions) that consent is always required for the placing of non-essential cookies. PECR hasn’t changed with the advent of GDPR (it sits alongside the data protection regulation) and so the PECR rules continue to apply as they always have. But there are a couple of parts of PECR that have GDPR implications:
- That the web visitor has “given his or her consent” to the placement of cookies
What does this mean in practice?
- If you’re using any cookies which are deemed essential, i.e. your website can’t run without them (which is likely to be restricted to cookies for maintaining logins to your website or remembering a user session or what’s in an e-commerce basket, etc.), then you can continue to do so without consent but you will need to explain these cookies and what they’re used for
- All other cookies are deemed non-essential and you will therefore need proper GDPR consent before you can use them – so you will need some mechanism (usually via your cookie banner) that lets users turn these cookies on rather than off; you will need to describe these cookies and why/how you use them; and you will need to be able to demonstrate that you were given that consent
Whilst you may have some challenges in obtaining this consent as part of your banner (it’s not always easy to configure cookie consent banners), the real downside, particularly if you rely on analytics (like Google Analytics) to track hits to your website, understand popular content, count visits, etc., is that there’s a good chance you will no longer get an accurate picture of hits to your site, as we suspect that most website users will just ignore the banner and never toggle the option to give consent to analytics cookies…
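To make the opt-in mechanism concrete, here is an added example (not code from the original post or from the ICO) of a small consent gate: nothing non-essential is loaded until a visitor has actively ticked a category in the banner, the stored record carries a timestamp and policy version so you can later demonstrate what was consented to and when, and a record written against an older policy text is treated as no consent. The cookie name `cookie_consent`, the policy version string, the consent record shape, the category names and the `GA_MEASUREMENT_ID` placeholder are all assumptions made for this example; the loader URL is the standard gtag.js one.

```javascript
// Added example: opt-in consent gate for non-essential cookies.
// Hypothetical names below (cookie name, policy version, record shape) are
// chosen for illustration and are not from the original post.
const CONSENT_COOKIE = 'cookie_consent';   // hypothetical cookie name
const POLICY_VERSION = '2019-07';          // hypothetical version of your cookie notice text

// Parse a document.cookie-style header ("a=1; b=2") into a name -> value map.
function parseCookies(cookieHeader) {
  const out = {};
  for (const part of (cookieHeader || '').split(';')) {
    const idx = part.indexOf('=');
    if (idx === -1) continue;
    const name = part.slice(0, idx).trim();
    if (name) out[name] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return out;
}

// Read the stored consent record. Returns null when there is no record, it is
// unparseable, or it was given against an older policy text (re-ask in that case).
function readConsent(cookieHeader) {
  const raw = parseCookies(cookieHeader)[CONSENT_COOKIE];
  if (!raw) return null;
  try {
    const rec = JSON.parse(raw);
    return rec && rec.version === POLICY_VERSION ? rec : null;
  } catch (e) {
    return null;
  }
}

// Build the record written when the visitor ticks categories in the banner.
// The timestamp and policy version are what let you demonstrate later that
// consent was given, and for which wording. Absent choices default to false.
function makeConsentRecord(choices, nowMs) {
  return {
    version: POLICY_VERSION,
    at: new Date(nowMs).toISOString(),
    analytics: choices.analytics === true,
    marketing: choices.marketing === true,
  };
}

// Serialize the record as a Set-Cookie/document.cookie string (6-month lifetime).
function serializeConsent(record) {
  return CONSENT_COOKIE + '=' + encodeURIComponent(JSON.stringify(record)) +
    '; Max-Age=' + (180 * 24 * 3600) + '; Path=/; SameSite=Lax; Secure';
}

// Opt-in: every non-essential category is off unless explicitly recorded as on.
function allowedCategories(record) {
  return {
    analytics: !!(record && record.analytics === true),
    marketing: !!(record && record.marketing === true),
  };
}

// Decide which non-essential tags to load. `loadScript` is injected so the
// decision logic runs (and can be tested) outside a browser. Returns the
// list of categories actually loaded.
function initTags(cookieHeader, loadScript) {
  const allowed = allowedCategories(readConsent(cookieHeader));
  const loaded = [];
  if (allowed.analytics) {
    // Only now is the Google Analytics loader requested; GA_MEASUREMENT_ID is a placeholder.
    loadScript('https://www.googletagmanager.com/gtag/js?id=GA_MEASUREMENT_ID');
    loaded.push('analytics');
  }
  if (allowed.marketing) {
    loadScript('https://example.invalid/marketing-tag.js'); // placeholder URL
    loaded.push('marketing');
  }
  return loaded;
}

// Browser wiring: run the gate on page load, and write the record when the
// banner's "save" button is pressed. Skipped when there is no DOM.
if (typeof document !== 'undefined') {
  const inject = (src) => {
    const s = document.createElement('script');
    s.async = true;
    s.src = src;
    document.head.appendChild(s);
  };
  initTags(document.cookie, inject);
  const save = document.getElementById('cookie-banner-save'); // hypothetical element id
  if (save) {
    save.addEventListener('click', () => {
      const rec = makeConsentRecord({
        analytics: document.getElementById('consent-analytics').checked, // hypothetical ids
        marketing: document.getElementById('consent-marketing').checked,
      }, Date.now());
      document.cookie = serializeConsent(rec);
      initTags(document.cookie, inject);
    });
  }
}
```

The consent cookie itself is a strictly necessary cookie (it exists only to honour the visitor's choice), so it can be set without consent, but it should still be described in your cookie notice like every other cookie.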
How will this be enforced?
Now this is the confusing bit – the guidance is pretty black and white: you must have GDPR consent for using anything but essential cookies and you can’t place non-essential cookies until you have the consent you need.
However, at the end of the guidance in the “What else do we need to consider?” section it talks about ICO enforcement of these cookie rules and says:
The ICO cannot exclude the possibility of formal action in any area. However, it is unlikely that priority for any formal action would be given to uses of cookies where there is a low level of intrusiveness and low risk of harm to individuals. The ICO will consider whether you can demonstrate that you have done everything you can to clearly inform users about the cookies in question and to provide them with clear details of how to make choices. For example, the ICO is unlikely to prioritise first party cookies used for analytics purposes where these have a low privacy risk, or those that merely support the accessibility of sites and services, for regulatory action.
The guidance therefore seems to say on the one hand “comply” but on the other “but we probably won’t enforce”.
So, should you comply or not? Could you take the risk your cookie usage will never get reported to the ICO let alone enforced against? That’s only a decision you can take, but in questioning the ICO about this, they told us “Organisations would need to be able to demonstrate any actions they have taken towards meeting the requirement for consent. We accept that these may not always happen overnight, but the legislation has been in place for a while and organisations would need to be able to show what they have done to achieve as much as they can.”
Let us know in the comments below what you think about this change in guidance/rules…
And if you want to know more, sign up to our free webinar (July 19th).
Providing cost-effective, simple to understand and practical GDPR and ePrivacy advice and guidance, via my one-stop-shop helpline. I ❤️ GDPR