Norton Rose Fulbright - Data Protection Report blog

On 3 July 2019, the ICO published its updated guidance on the use of cookies and similar technologies. This came shortly after it updated the cookie consent collection mechanism on its own website. Much of the guidance is unsurprising and reflects what companies already do in practice. However, other parts of the guidance are likely to require many organisations to make changes to their current cookies practices.

We have set out below the key points to note from the guidance:

1. The consent requirements do not just apply to cookies: It has long been accepted that the so-called “cookie consent rule” applies to tracking technologies other than cookies. Device fingerprinting is now expressly called out as an example of technology that the consent rule may apply to (which is consistent with the views of the Article 29 Working Party in their 2014 guidance on the topic). In addition, the guidance states that the Privacy and Electronic Communications Regulation (PECR)[1] also applies to tracking pixels within emails, although the guidance leaves open the question of when it is best to collect consent for the use of this type of technology (which is more closely linked to a person’s receipt of marketing communications rather than their use of a website or app).

The guidance also clarifies that the rules apply to devices such as mobiles, smart TVs, wearables and “Internet of Things” devices where cookies or similar technologies are used.

2. Long lists with little information are not sufficient to meet the requirement to give “clear and comprehensive information”: Organisations using cookies must make an effort to explain their activities in a way that all people will understand. In particular, the information provided must cover the cookies the organisation intends to use and the purpose for which they are used. The ICO suggests that, where sites use tens or hundreds of cookies, a description of the types of things that these cookies do alongside the list of cookies is much more likely to satisfy the requirements than simply listing all the cookies used with only a basic reference to their function. This is likely to require many organisations to make changes to their cookies notices.

3. Implied consent cannot be relied on for cookies: The guidance notes that the GDPR standard of consent is higher than under the previous legislation and confirms that implied consent is therefore no longer acceptable. In practice, this means:

  • the user must take a clear and positive action to give their consent to non-essential cookies. Continuing to use the site is not valid consent;
  • the user must be clearly informed about what the cookies are and what they do before they consent;
  • for third party cookies, the third parties must be clearly and specifically named and an explanation of what they will do with the information must be provided;
  • pre-ticked boxes (or “on” sliders) are not permitted;
  • users must be provided with controls over any non-essential cookies and must be given access to the website even if they do not consent (see more on “cookie walls” below); and
  • non-essential cookies must not be placed on the landing page until the user has given their consent.

4. Guidance is given on compliant consent mechanisms: The ICO provides some further guidance on how to ensure a compliant consent mechanism, including:

  • information about the purposes and duration of cookies used must be provided to users when they first visit the relevant services, and this is usually done in the consent mechanism itself. This is consistent with the Advocate General’s opinion in the Planet 49 case, although it remains unclear how in practice the duration of cookies can be stated in the consent mechanism at anything other than a general level, especially where multiple cookies are set;
  • the consent mechanism must give users control over all the cookies set on an organisation’s service and it is not sufficient for the consent mechanism to work for some third parties and not others (where instead a more onerous opt out process must be taken);
  • a consent mechanism should not “nudge” a user to accept cookies;
  • consent requests should not include ambiguous or vague references to “partners” or “third parties”, and third parties should be specifically named. Perhaps unsurprisingly, the guidance does not provide a clear answer on how to collect consent for third party cookies but instead notes that this is “complex” and that they are continuing “to work with industry and other European data protection authorities to assist in addressing the difficulties and finding workable solutions”. However, statements in the guidance suggest that a single “I accept” button for all cookies without details of the third parties this relates to is not acceptable; and
  • cookie walls (i.e. barring access to content or services unless cookies are accepted) are generally prohibited and any use of them must be very limited in scope.
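The consent requirements in points 3 and 4 above translate into a small set of behaviours a consent mechanism must enforce: every non-essential purpose starts off, each third party is named with its purpose and cookie duration, nothing non-essential is set before an explicit decision, and consent can be withdrawn. The following is an added illustration (not the ICO's or any vendor's code) of a gate that enforces those behaviours; the third-party names, purposes and durations are constructed sample values, and a plain object stands in for document.cookie so it runs outside a browser.

```javascript
// Added example (not the ICO's or any vendor's code): a consent gate that
// enforces the behaviours summarised in points 3 and 4. Vendor names,
// purposes and durations are constructed sample values.
const NON_ESSENTIAL = [
  { id: "analytics-example", name: "Example Analytics Ltd", purpose: "site usage statistics", duration: "13 months" },
  { id: "ads-example", name: "Example Ad Measurement Inc", purpose: "ad campaign measurement", duration: "90 days" },
];

class ConsentGate {
  // cookieJar stands in for document.cookie so the example runs outside a browser.
  constructor(parties, cookieJar) {
    this.parties = parties;
    this.jar = cookieJar;
    this.decided = false;
    // Every non-essential purpose starts off: no pre-ticked boxes or "on" sliders.
    this.choices = Object.fromEntries(parties.map((p) => [p.id, false]));
  }

  // What the banner must show before any choice: each third party named,
  // with what it does and how long its cookie lasts.
  disclosure() {
    return this.parties.map((p) => `${p.name}: ${p.purpose}, cookie kept for ${p.duration}`);
  }

  // Records a decision only from an explicit action on named purposes.
  // Continuing to browse never calls this, so it can never count as consent.
  decide(accepted) {
    for (const id of Object.keys(this.choices)) this.choices[id] = accepted[id] === true;
    this.decided = true;
    // The choice itself is kept in a strictly necessary cookie, which needs no consent.
    this.jar.consent_choices = JSON.stringify(this.choices);
  }

  // Page code routes every third-party loader through here; it runs only
  // after a decision and only for a party the user switched on.
  load(id, loader) {
    if (!this.decided || this.choices[id] !== true) return false;
    loader(this.jar);
    return true;
  }

  // Withdrawal: switch the party off and drop the cookies it set
  // (matched here by a constructed cookie-name prefix).
  withdraw(id, cookiePrefix) {
    this.choices[id] = false;
    for (const name of Object.keys(this.jar)) if (name.startsWith(cookiePrefix)) delete this.jar[name];
    this.jar.consent_choices = JSON.stringify(this.choices);
  }
}
```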

5. Website operators may have responsibility for tracking technology used on third party websites: Most cookies policies include some disclaimer language stating that the relevant website operator is not responsible for the cookies set on third party sites that the website links out to and that the user should review their cookies notices. The ICO, following the rationale in the CJEU judgement of Unabhängiges Landeszentrum für Datenschutz (ULD) Schleswig-Holstein against Wirtschaftsakademie Schleswig-Holstein GmbH, notes that this may not be the case where a company has a presence on a social media platform and gathers statistics from that platform based on user interaction. In this scenario, the organisation and the social media platform are joint controllers and are jointly responsible for obtaining valid consent. The ICO notes that, in practice, this means that organisations’ privacy notices should include references to any social media presence that they may have, and should detail how users are able to control any non-essential cookies once they visit any such social media site, even if this control cannot be covered by the organisation’s own consent mechanism.

6. Enforcement: The ICO wants to ensure that companies comply with the law and has indicated that formal enforcement action may be taken against companies that do not comply. However, in the blog accompanying the updated guidance, the ICO notes that whilst cookie compliance will be “an increasing regulatory priority for the ICO in the future”, any action taken will be “proportionate and risk-based”, suggesting that this is likely to focus on the more privacy-intrusive types of cookies.

Our take

This guidance confirms that many organisations need to revisit their current cookie practices and, in many cases, update their cookie consent collection mechanisms and cookies policies. Organisations should no longer take comfort from the fact that there has been very little enforcement action in this area, as this guidance (alongside recent CJEU and national decisions and guidance coming out of the Dutch, German and French data protection authorities) indicates that this is an area that regulators will increasingly focus on and where ignorance of the legislative requirements will not be tolerated.

[1] The law implementing the ePrivacy Directive in the United Kingdom