The ICO recently updated its advice on cookie use, primarily moving from implied user acceptance basis to explicit opt-in for “non-essential” cookies, under which analytics and marketing cookies fall. This obviously has deep implications for the tracking efforts of online businesses. This post will look at what the updated advice says, and what steps businesses should take.
The new guidance is set by the Privacy and Electronic Communications Regulations (PECR) – a full guide is available at the ICO website and can be downloaded as a PDF for reference.
What are the key takeaways from the new advice?
- You must tell users about all cookies used and what they do
Whilst PECR doesn’t definitively outline the “clear and comprehensive” information you should give about the cookies you use, it should generally cover the cookies used, why they will be used, what is being placed on the user’s device, and ease of rejection.
- Consent must be explicitly given
In the recent past, it has been acceptable to have user consent of cookies implied by continued use of a website or app. Implied consent is no longer compliant – users must freely give explicit consent.
- Necessary cookies are exempt, but analytics cookies aren’t deemed necessary
“Strictly necessary” cookies are those which ensure a website or app can remain functional, such as cookies used to administer a shopping cart. The guidelines are quite clear that analytics and tracking cookies aren’t considered “strictly necessary”, and require explicit user consent.
- Revoking consent should be as simple as giving consent
Whatever mechanism is provided for the user to provide their consent should be easily accessible to revoke this consent at any time.
- “Cookie walls” are not considered freely given consent
A cookie wall refers to the act of blocking usage of a website or app if the user doesn’t consent to cookie policy. This is against the guidelines, as consent must be given “freely” – a cookie wall is considered enforced consent.
- New guidance sits alongside GDPR
PECR compliance needs to be considered before GDPR compliance – GDPR compliance is then applied to any cookies that deal with personally identifiable data.
Who’s doing well?
Predictably, the ICO are showcasing best practise with a large pop-up, clearly outlining the difference between necessary and analytics cookies, and providing an opt-in for analytics cookies. The “C” icon at the bottom left follows the user throughout the site and can be clicked to open the pop-up to change policy acceptance at any time.
The pop-out interface used by the ICO is a plugin provided by https://www.civicuk.com/cookie-control, which is customisable to cover marketing and social sharing cookies in addition to analytics, as shown on their own website.
Cookiebot is used by some of our clients thanks to its simple WordPress plugin. Their plugin can be seen in action at Cookiebot.com and shows the explanatory detail required alongside opt-in tick boxes. Clicking “Show details” gives the detail of exactly which cookies are used, and what for.
Are you at risk?
One of the debates now is whether these new guidelines will be enforced, or even if they are enforceable – the ICO advice for non-compliance is quite woolly in terms of who could be penalised and what the punishment could be. Whilst the above examples show us what good might look like, we are seeing relatively little uptake in the wider world – either because organisations are accepting the risk, or because the relatively low key announcement has been missed by many.
This article isn’t exhaustive and shouldn’t be used as the basis of a compliance policy. Our advice would be to absorb the full guidelines from the ICO and take legal advice on the next steps to take.
by Craig Broadbent
