The ICO have produced updated guidance on the use of cookies and how GDPR consent fits into the need for cookie consent.
Until now, most websites have relied on obtaining proper visitor consent only for tracking and privacy-intrusive cookies (which is what the ICO hinted at in its previous guidance and its own cookie approach), meaning that non-essential but useful and non-intrusive cookies, like Google Analytics, could be placed without proper consent. That has now changed: the ICO says that proper GDPR-compliant consent is needed for all but essential cookies, including analytics cookies, third-party cookies, etc.
So, what’s changed?
The Privacy and Electronic Communications Regulations (2003) set out the rules for cookies (along with digital marketing compliance rules). Essentially PECR has always said (with some exemptions) that consent is always required for the placing of non-essential cookies. PECR hasn’t changed with the advent of GDPR (it sits alongside the data protection regulation) and so the PECR rules continue to apply as they always have. But there are a couple of parts of PECR that have GDPR implications:
- That web visitors should be provided with “clear and comprehensive information” about the use of cookies
- That the web visitor has “given his or her consent” to the placement of cookies
In both cases what these terms actually mean (regarding information and consent) falls back on what data protection law requires. So, in a pre-GDPR world we needed to tell users that we use cookies and that they can turn them off in their browser if they don’t like it: a kind of soft consent relying on browser settings to indicate agreement. But of course, what constitutes valid consent changed with GDPR. When GDPR came in there was briefly an indication that proper GDPR consent was now needed, but this quickly changed, with even the ICO’s website going back to the old-style “we use cookies, press OK to say you accept” approach. The only exception was the ICO’s cookie guidance indicating that it was more likely to take action against those using privacy-intrusive cookies without proper consent.
However, today (3rd July) that has all changed, with the new ICO guidance indicating that GDPR consent is now required for all non-essential cookies, and that you have to be clear and transparent about your use of cookies, why you’re using them and how they will be used (mainly in your privacy notice, or perhaps in a separate cookie notice).
What does this mean in practice?
Generally speaking:
- If you’re using any cookies which are deemed essential, i.e. your website can’t run without them (which is likely to be restricted to cookies for maintaining logins to your website or remembering a user session or what’s in an e-commerce basket, etc.), then you can continue to do so without consent but you will need to explain these cookies and what they’re used for
- All other cookies are deemed non-essential and you will therefore need proper GDPR consent before you can use them – so you will need some mechanism (usually via your cookie banner) to allow users to turn on these cookies rather than turn them off; plus you will need to describe these cookies and why/how you use them, and you will need to be able to demonstrate that you were given that consent
Whilst you may face challenges in obtaining this consent via your banner (cookie consent banners are not always easy to configure), the real downside, particularly if you rely on analytics (like Google Analytics) to track hits to your website, understand popular content, count visitors, etc., is that there’s a good chance you will no longer get an accurate picture of traffic to your site: we suspect that most website users will just ignore the banner and never toggle the option to give consent to analytics cookies…
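To make the essential/non-essential split concrete, here is an added example (not code from this post, the ICO, or any consent-banner product) of an opt-in consent gate for a website’s own scripts. Non-essential categories default to off, every cookie write and every analytics loader passes through one check, and the consent record carries a timestamp so you can later demonstrate that consent was given and when. The category names, the record shape, the `store` interface and the version check are all assumptions made for this illustration.

```javascript
// Added example, not code from the post or the ICO: an opt-in consent gate
// reflecting the split between essential cookies (no consent needed) and
// non-essential cookies (GDPR consent needed before they are placed).
// Category names, the consent-record shape and the `store` interface are
// assumptions made for this illustration.

const CONSENT_VERSION = 1; // bump when the banner wording or the categories change

// Essential cookies run without consent; everything else is opt-in.
const CATEGORIES = {
  essential: { requiresConsent: false }, // login, session, e-commerce basket
  analytics: { requiresConsent: true },  // e.g. Google Analytics
  marketing: { requiresConsent: true },  // third-party advertising cookies
};

// Starting state: no consent given, every non-essential category off.
function defaultConsent() {
  return {
    version: CONSENT_VERSION,
    givenAt: null,
    categories: { analytics: false, marketing: false },
  };
}

// Record a positive action from the banner. Only categories the user toggled on
// become true; the timestamp is the evidence of what was consented to and when.
function recordConsent(selected, now = new Date()) {
  const categories = {};
  for (const [name, def] of Object.entries(CATEGORIES)) {
    if (def.requiresConsent) categories[name] = selected.includes(name);
  }
  return { version: CONSENT_VERSION, givenAt: now.toISOString(), categories };
}

// Rebuild a consent record from its stored form (e.g. the value of a first-party
// consent cookie). Anything unreadable, or recorded under an older banner
// version, counts as no consent, so the user is asked again.
function restoreConsent(serialised) {
  let parsed;
  try {
    parsed = JSON.parse(serialised);
  } catch (e) {
    return defaultConsent();
  }
  if (!parsed || parsed.version !== CONSENT_VERSION || typeof parsed.givenAt !== 'string') {
    return defaultConsent();
  }
  const restored = defaultConsent();
  restored.givenAt = parsed.givenAt;
  for (const name of Object.keys(restored.categories)) {
    restored.categories[name] = !!(parsed.categories && parsed.categories[name] === true);
  }
  return restored;
}

// May a cookie in this category be placed under the current consent record?
function mayPlace(category, consent) {
  const def = CATEGORIES[category];
  if (!def) return false;                // unknown category: treat as non-essential and refuse
  if (!def.requiresConsent) return true; // essential: allowed without consent
  return consent.givenAt !== null && consent.categories[category] === true;
}

// Every cookie write goes through the gate. `store` is anything with set(name, value):
// a thin wrapper over document.cookie in a browser, a Map when run outside one.
function setCookie(store, name, value, category, consent) {
  if (!mayPlace(category, consent)) return false;
  store.set(name, value);
  return true;
}

// Script loaders are gated the same way: the analytics initialiser runs only
// after an opt-in, never on page load by default.
function loadAnalytics(consent, init) {
  if (!mayPlace('analytics', consent)) return false;
  init();
  return true;
}
```

In a browser the `store` wrapper would write to `document.cookie`, and the serialised consent record itself would live in a first-party cookie or `localStorage`; that storage is needed purely to remember the user’s choice, so it falls on the essential side of the line. The point of routing every write and every tag loader through `mayPlace` is that there is a single place to audit, rather than a scattering of tags that each decide for themselves.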
How will this be enforced?
Now this is the confusing bit – the guidance is pretty black and white: you must have GDPR consent for using anything but essential cookies and you can’t place non-essential cookies until you have the consent you need.
However, at the end of the guidance in the “What else do we need to consider?” section it talks about ICO enforcement of these cookie rules and says:
The ICO cannot exclude the possibility of formal action in any area. However, it is unlikely that priority for any formal action would be given to uses of cookies where there is a low level of intrusiveness and low risk of harm to individuals. The ICO will consider whether you can demonstrate that you have done everything you can to clearly inform users about the cookies in question and to provide them with clear details of how to make choices. For example, the ICO is unlikely to prioritise first party cookies used for analytics purposes where these have a low privacy risk, or those that merely support the accessibility of sites and services, for regulatory action.
The guidance therefore seems to say on the one hand “comply” but on the other “but we probably won’t enforce”.
So, should you comply or not? Could you take the risk that your cookie usage will never get reported to the ICO, let alone enforced against? That’s a decision only you can take, but in questioning the ICO about this, they told us “Organisations would need to be able to demonstrate any actions they have taken towards meeting the requirement for consent. We accept that these may not always happen overnight, but the legislation has been in place for a while and organisations would need to be able to show what they have done to achieve as much as they can.”
Let us know in the comments below what you think about this change in guidance/rules…
And if you want to know more, sign up to our free webinar (July 19th).
Providing cost-effective, simple to understand and practical GDPR and ePrivacy advice and guidance, via my one-stop-shop helpline. I ❤️ GDPR