Back in 2013, we published a blog post entitled, “European Regulators and the Eternal Cookie Debate” about what constitutes “consent” for purposes of complying with the EU’s cookie rules.  The debate continues…  Yesterday, the ICO published new guidance on the use of cookies and a related “myth-busting” blog post.  Some of the “new” guidance really just repeats existing guidance, but other aspects may require organizations to review their current practices.  We summarize key points below, including in relation to when sites need to obtain consent, how to obtain consent, and when the rules apply to non-EU sites.

This all comes hot on the heels of the ICO updating its own mechanism for obtaining consent to cookies on its website last week (we set out the mechanism below).  The updated ICO guidance also follows the CNIL’s recent statement that it will issue new guidelines on cookies in two phases in the next 6 months: an update over the summer to amend its current guidance and rule out the use of implied consent to place cookies on users’ devices; and a consultation at the end of the year followed by new guidelines on how to obtain consent for the use of cookies (see our summary here).  It seems likely that some or all of this national guidance may have to be revised yet again when the proposed ePrivacy Regulation finally is agreed, although discussions on the proposal continue with no end currently in sight.

Summary of key points

To recap, under current law, consent is almost always required unless cookies are “strictly necessary,” i.e., essential (as opposed to reasonably necessary) to provide the service requested by the user.

  • “Strictly necessary” is considered from the user’s perspective.  Mirroring prior guidance at EU level, the ICO repeats that cookies “that are simply helpful or convenient, but not essential ─ or that are only essential for your own purposes ─ will still require consent.”  The guidance provides examples of activities that are likely to meet the “strictly necessary” exemption as well as examples that are not likely to meet it and thus trigger the need to obtain consent:

The guidance goes on to provide more detailed information on what types of cookies are likely to be exempt from the consent requirement, including first-party session cookies for authentication (but not persistent login cookies), session cookies for load balancing, and first-party cookies for some security purposes.  This more detailed guidance will be of interest to clients in specific industries, including fraud prevention services that rely on device fingerprinting techniques.

  • Cookies used for online ads or web analytics require consent.  The ICO describes cookies used for the purposes of online advertising or web analytics as non-essential and thus as requiring prior consent to the GDPR standard.  Readers should note that this includes first-party cookies (the guidance clearly states, “Consent is necessary for first-party analytics cookies, even though they might not appear to be as intrusive as others that might track a user across multiple sites or devices.”).  Mirroring prior ICO guidance, it goes on to suggest that enforcement in relation to first-party analytics cookies is unlikely to be a priority.

Somewhat controversially in the context of the long-running debate over adtech and online business models, the ICO states the following as a “fact” in its myth-busting blog: “While we recognise that analytics can provide you with useful information, they are not part of the functionality that the user requests when they use your online service – for example, if you didn’t have analytics running, the user could still be able to access your service. This is why analytics cookies aren’t strictly necessary and so require consent.”

  • Online advertising cookies require consent.  To quote the guidance in full, this includes “all third-party cookies used in online advertising, including for purposes such as frequency capping, ad affiliation, click fraud detection, market research, product improvement, debugging and any other purpose.”
  • Social media plugins sometimes require consent ─ it depends on the user and what the plugins are used for.  This bit of the guidance is more nuanced.  In summary, consent is required:
    • to set cookies in connection with social media plugins for non-logged-in users of that social media platform, i.e., users who have logged out or users that are not members of that network;
    • for plugins or other technology that tracks users (members or non-members of the network) for other purposes such as advertising, behavioural monitoring, or analytics; and
    • for any use of web beacons, tracking pixels, JavaScript code or similar technologies from a social media platform or any other third party.

Consent is not required, however, if a user of that network is logged into that network when using your service and the plugins are used to interact with the network.

  • Implied consent is not valid.  Unsurprisingly, the guidance and ICO blog make clear that, because the GDPR standard of consent is much higher than under previous legislation, implied consent is no longer acceptable in relation to non-essential cookies.  This is consistent with the recent Advocate General opinion in the Planet49 case ─ see our blog here.  Accordingly, for non-essential cookies, users must take a clear and positive action to consent; pre-ticked boxes or sliders defaulted to “on” cannot be used.
  • So how to obtain consent?  The guidance explores different ways to obtain consent, including via message boxes such as banners and pop-ups.  It warns that consent would be invalid if (i) message boxes are hard to read or interact with when using a mobile device, or (ii) users do not click on any of the options available and go straight through to another part of your site without engaging with the consent box.  The guidance also states that wording such as “By continuing to use our website, you consent to our use of cookies” followed by an “OK” or “Accept” button does not result in a valid consent (because the website has decided non-essential cookies will be set and only seeks the user’s agreement afterwards with an option to continue rather than a genuine free choice).  Similarly, a consent mechanism that emphasizes “agree” or “allow” over “reject” or “block” represents a non-compliant approach as the site is influencing users towards the “accept” option.  A consent mechanism that doesn’t allow a user to make a choice would also be deemed to be non-compliant, even where the controls are located in a “more information” section.
  • Timing.  The timing of obtaining consent and collecting cookies has been an issue (at least in practice) for many years.  The ICO states that non-essential cookies must not be set on landing pages before a site obtains the user’s consent.  This is consistent with EU guidance from 2013.
  • Consent to cookie walls is unlikely to be valid ─ but let’s talk.  Cookie walls require website users to consent to the placing of tracking cookies or similar technologies before allowing them access to the website.  The ICO states that consent to cookie walls is unlikely to be valid.  This is broadly consistent with guidance and decisions of the Dutch and Austrian Supervisory Authorities in recent months (see our posts here and here).  The gist is that consent obtained in this way is not “freely given” (as required under GDPR) because withholding consent has negative consequences for the user (i.e., the user is barred from accessing the website).  Instead, websites should offer users a real choice to accept or reject cookies and provide an alternative method of access, e.g., payment.  Deploying perhaps characteristic British understatement, the ICO recognizes that there are “some differing opinions as well as practical considerations around the use of partial cookie walls” and intends to seek further submissions and opinions on this issue from interested parties.
  • Consent for cookies under ePrivacy means consent for processing under GDPR.  The overlap and relationship between the GDPR (that governs processing of personal data) and the ePrivacy rules (that set out requirements on cookies) has prompted several compliance challenges, not helped by the delay in updating the ePrivacy rules.  A common issue has been whether an organization may rely on one of the legal bases for processing data under the GDPR other than consent (such as legitimate interests) when that data is acquired as a result of dropping a cookie (for which consent is required).  The ICO guidance, consistent with recent statements and positions of other regulators (including the recent EDPB opinion on the interplay between the two sets of rules), suggests the answer is “no.”  For example, the guidance states: “if you have obtained consent in compliance with PECR [the UK implementation of the current ePrivacy rules], then in practice consent is also the most appropriate lawful basis under the GDPR. Trying to apply another lawful basis such as legitimate interests when you already have GDPR-compliant consent would be an entirely unnecessary exercise, and would cause confusion for your users.”
  • What about sites outside of the EU?  One feature of the current ePrivacy rules that has caused some head-scratching over the years is that, unlike the former Data Protection Directive 95/46/EC or the GDPR, they don’t contain an express applicable law test.  The guidance states (eventually ─ it’s on page 44) that the territorial rules under the GDPR apply when cookies involve processing personal data.  The upshot is that the rules do not automatically apply just because a site is available to users in the EEA.  Instead, a site would have to offer goods or services to EEA users (e.g., an ecommerce site that allows users to purchase products from anywhere in the world and offers prices in local currency) or monitor their behaviour.  The guidance states that an online news outlet based outside the EEA but accessible to individuals within the EEA “may not be in scope of the GDPR, depending on its circumstances” (e.g., is the content directed at individuals within the outlet’s own country rather than individuals in the EEA?  has it taken measures to prevent EEA users from accessing the site?  etc.)

In addition to the above points, the updated document provides guidance on how to comply with the rules, including recommendations on how to conduct a cookie audit and how to keep records of user preferences.
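The consent and timing points above translate into a few concrete behaviours for a site’s consent logic: non-essential cookies stay off until the user takes a clear, positive action; scrolling or navigating on is not a choice; pre-ticked boxes, “by continuing” wording and a “reject” option that is less prominent than “accept” do not produce valid consent; and each decision is recorded.  The following is an added illustration written for this post, not code from the ICO or any vendor; the category names, event names and banner fields are constructed assumptions.

```javascript
// Added example (not from the ICO guidance): a minimal, DOM-free consent gate
// that models the rules summarised above. Category and event names are assumed.

// Categories the guidance treats as exempt from consent (constructed list).
const STRICTLY_NECESSARY = new Set(["session-auth", "load-balancing", "csrf"]);

// Every non-essential category starts with no decision (null): off by default,
// never pre-ticked. The log is the record of user preferences.
function createConsentState(categories) {
  const state = { decisions: {}, log: [] };
  for (const c of categories) state.decisions[c] = null;
  return state;
}

// Only an explicit "accept" or "reject" on a named category counts as a choice.
// "navigate", "scroll" and "dismiss" are deliberately ignored: continuing to
// browse without engaging with the box is not consent.
function applyEvent(state, event) {
  const { type, category, at } = event;
  if (type === "accept" || type === "reject") {
    if (!(category in state.decisions)) throw new Error("unknown category: " + category);
    state.decisions[category] = type === "accept";
    state.log.push({ category, granted: type === "accept", at });
  }
  return state;
}

// Gate each cookie write: strictly necessary categories always pass; anything
// else passes only after a recorded positive decision.
function maySetCookie(state, category) {
  if (STRICTLY_NECESSARY.has(category)) return true;
  return state.decisions[category] === true;
}

// Check a banner configuration against the specific points the guidance makes.
function bannerProblems(cfg) {
  const problems = [];
  if (cfg.preTicked) problems.push("pre-ticked boxes are not consent");
  if (/by continuing/i.test(cfg.text)) problems.push("'by continuing' wording is not consent");
  if (!cfg.hasReject) problems.push("no reject option offered");
  if (cfg.acceptStyle !== cfg.rejectStyle) problems.push("accept emphasised over reject");
  return problems;
}
```

Wire `maySetCookie` in front of whatever actually loads the analytics or advertising tag so that the tag itself never runs before a logged positive decision.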

ICO mechanism

Finally, some readers may be interested to see the steps that the ICO took last week to update its own mechanism for providing information and collecting consent.  This now involves a cookie side-banner that includes “off”-by-default language for third-party (Google) analytics cookies in conjunction with the ICO’s cookie policy and a permanent bottom-corner “C” icon on the site that provides access to cookie controls.