Cookie consent – what “good” compliance looks like according to the ICO

Since the EU legislators shocked the internet world a decade ago by changing the legal requirement for the use of cookies and similar technologies from “notice and opt-out” to “notice and consent”, many businesses have struggled to find a way to balance the expectations of the regulators with the effective functioning of their services without disrupting the experience of those that use them.  The ICO’s new cookie consent guidance may help with taking a view on how to address the obligations in practice, but it also contains some robust views which will likely cause those who have taken steps to address the cookies rules already to re-think them.

Some of the key points to note from the guidance are as follows:

• The use of cookie walls as a blanket approach to restrict access to a service until users consent will not comply with the cookie consent requirements.  The ICO views this approach as inappropriate if the use of a cookie wall is intended to require, or influence, users to agree to their personal data being used by a business or any third parties as a condition of accessing its service, as a user has no genuine choice but to accept cookies.
• Implied consent is also no-go.  Statements such as ‘by continuing to use this website you are agreeing to cookies’  should not be used as they do not meet the requirements for valid consent required by the GDPR.  Pre-ticked boxes or any equivalents, such as sliders defaulted to ‘on’, cannot be used for non-essential cookies. Users must have control over any non-essential cookies and they must not be set on landing pages before consent is obtained.
• Using a banner, pop-up or splash page may be a useful way of highlight the use of cookies and to obtain consent, but this kind of approach will not be valid if non-essential cookies are set when if a user clicks elsewhere on a page or does not engage with the consent box or the options available.  This is because a user is not giving a clear and positive action to consent to cookies as is required by the GDPR.
• Website operators should not pre-enable any non-essential cookies.  The ICO’s view is that just because users may be unlikely to select a particular non-essential cookie when given the choice, or because the cookie is not privacy intrusive, this is not a valid reason to pre-enable it. Enabling a non-essential cookie without the user taking a positive action before it is set on their device does not represent valid consent. By doing this, the website operator is taking the choice away from the user.
• The ICO also views consent mechanisms that emphasise that users should ‘agree’ or ‘allow’ cookies over ‘reject’ or ‘block’ as non-compliant.  It calls this ‘nudge behaviour’ which influences users towards the ‘accept’ option.
• Consent mechanisms which incorporate consent controls in a ‘more information’ section rather than as part of the initial banner / pop out or other solution are also deemed non-compliant on the basis that they do not allow users to make a choice before non-essential cookies are set.
• Advertising and analytics cookies are not ‘strictly necessary’ and so do not fall outside the cookie consent rules.  While advertising cookies may be crucial in the eyes of a website or mobile app operator as they bring in revenue to fund the service, they are not ‘strictly necessary’ from the point of view of the website user and hence, the law.
• If a website uses third party cookies, then the parties must work together to ensure notice is provided and valid consent is obtained.  The ICO recommends that third parties that want to set cookies or that provide a product that requires the setting of cookies should include a contractual obligation in its agreement with website publishers to ensure that the cookie consent requirements are effectively dealt with.
• For organisations operating outside the European Economic Area, the ICO confirms the law which establishes the cookie consent rules in the UK does not specifically apply.  However this does not mean that they are completely off the hook, as to the extent the use of cookies and similar technologies involves the processing of personal data, the GDPR will apply.  So, if a business is based in the USA and offers online services designed for or targeted to the European market, then that business will need to comply with the GDPR’s requirements in respect of the information provided to users.

The ICO’s guidance, along with its recent report into adtech and real time bidding are a clear signal that it expects anyone involved in internet tracking to evaluate their approach and change their practices.

 Authored by Katie McMullan