Some of the key points to note from the guidance are as follows:
- The use of cookie walls as a blanket approach to restrict access to a service until users consent will not comply with the cookie consent requirements. The ICO views this approach as inappropriate if the use of a cookie wall is intended to require, or influence, users to agree to their personal data being used by a business or any third parties as a condition of accessing its service, as a user has no genuine choice but to accept cookies.
- Implied consent is also no-go. Statements such as ‘by continuing to use this website you are agreeing to cookies’ should not be used as they do not meet the requirements for valid consent required by the GDPR. Pre-ticked boxes or any equivalents, such as sliders defaulted to ‘on’, cannot be used for non-essential cookies. Users must have control over any non-essential cookies and they must not be set on landing pages before consent is obtained.
- Website operators should not pre-enable any non-essential cookies. The ICO’s view is that just because users may be unlikely to select a particular non-essential cookie when given the choice, or because the cookie is not privacy intrusive, this is not a valid reason to pre-enable it. Enabling a non-essential cookie without the user taking a positive action before it is set on their device does not represent valid consent. By doing this, the website operator is taking the choice away from the user.
- The ICO also views consent mechanisms that emphasise that users should ‘agree’ or ‘allow’ cookies over ‘reject’ or ‘block’ as non-compliant. It calls this ‘nudge behaviour’ which influences users towards the ‘accept’ option.
- Consent mechanisms which incorporate consent controls in a ‘more information’ section rather than as part of the initial banner / pop out or other solution are also deemed non-compliant on the basis that they do not allow users to make a choice before non-essential cookies are set.
- Advertising and analytics cookies are not ‘strictly necessary’ and so do not fall outside the cookie consent rules. While advertising cookies may be crucial in the eyes of a website or mobile app operator as they bring in revenue to fund the service, they are not ‘strictly necessary’ from the point of view of the website user and hence, the law.
- If a website uses third party cookies, then the parties must work together to ensure notice is provided and valid consent is obtained. The ICO recommends that third parties that want to set cookies or that provide a product that requires the setting of cookies should include a contractual obligation in its agreement with website publishers to ensure that the cookie consent requirements are effectively dealt with.
The ICO’s guidance, along with its recent report into adtech and real time bidding are a clear signal that it expects anyone involved in internet tracking to evaluate their approach and change their practices.
Authored by Katie McMullan