Summary of key points
To recap, under current law, consent is almost always required unless cookies are “strictly necessary,” i.e., essential (as opposed to reasonably necessary) to provide the service requested by the user.
- “Strictly necessary” is considered from the user’s perspective. Mirroring prior guidance at EU level, the ICO repeats that cookies “that are simply helpful or convenient, but not essential - or that are only essential for your own purposes - will still require consent.” The guidance provides examples of activities that are likely to meet the “strictly necessary” exemption as well as examples that are not likely to meet it and thus trigger the need to obtain consent:
The guidance goes on to provide more detailed information on what types of cookies are likely to be exempt from the consent requirement, including first-party session cookies for authentication (but not persistent login cookies), session cookies for load balancing, and first-party cookies for some security purposes. This more detailed guidance will be of interest to clients in specific industries, including fraud prevention services that rely on device fingerprinting techniques.
- Cookies used for online ads or web analytics require consent. The ICO describes cookies used for the purposes of online advertising or web analytics as non-essential and thus requiring prior consent to the GDPR standard. Readers should note that this includes first-party cookies (the guidance clearly states, “Consent is necessary for first-party analytics cookies, even though they might not appear to be as intrusive as others that might track a user across multiple sites or devices.”). Mirroring prior ICO guidance, it goes on to suggest that enforcement in relation to first-party analytics cookies is unlikely to be a priority.
Somewhat controversially in the context of the long-running debate over adtech and online business models, the ICO states the following as a “fact” in its myth-busting blog: “While we recognise that analytics can provide you with useful information, they are not part of the functionality that the user requests when they use your online service – for example, if you didn’t have analytics running, the user could still be able to access your service. This is why analytics cookies aren’t strictly necessary and so require consent.”
- Online advertising cookies require consent. To quote the guidance in full, this includes “all third-party cookies used in online advertising, including for purposes such as frequency capping, ad affiliation, click fraud detection, market research, product improvement, debugging and any other purpose.”
- Social media plugins sometimes require consent; it depends on the user and what the plugins are used for. This bit of the guidance is more nuanced. In summary, consent is required:
- to set cookies in connection with social media plugins for non-logged-in users of that social media platform, i.e., users who have logged out or users who are not members of that network; and
- for plugins or other technology that tracks users (members or non-members of the network) for other purposes such as advertising, behavioural monitoring, or analytics.
Consent is not required, however, if a user of that network is logged into that network when using your service and the plugins are used only to interact with the network.
- Implied consent is not valid. Unsurprisingly, the guidance and ICO blog make clear that, because the GDPR standard of consent is much higher than under previous legislation, implied consent is no longer acceptable in relation to non-essential cookies. This is consistent with the recent Advocate General opinion in the Planet49 case (see our blog here). Accordingly, for non-essential cookies, users must take a clear and positive action to consent; pre-ticked boxes or sliders defaulted to “on” cannot be used.
- Timing. The timing of obtaining consent relative to setting cookies has been an issue (at least in practice) for many years. The ICO states that non-essential cookies must not be set on landing pages before the site obtains the user’s consent. This is consistent with EU guidance from 2013.
- Consent to cookie walls is unlikely to be valid, but let’s talk. Cookie walls require website users to consent to the placing of tracking cookies or similar technologies before allowing them access to the website. The ICO states that consent to cookie walls is unlikely to be valid. This is broadly consistent with guidance and decisions of the Dutch and Austrian Supervisory Authorities in recent months (see our posts here and here). The gist is that consent obtained in this way is not “freely given” (as required under GDPR) because withholding consent has negative consequences for the user (i.e., the user is barred from accessing the website). Instead, websites should offer users a real choice to accept or reject cookies and provide an alternative means of access, e.g., payment. Deploying perhaps characteristic British understatement, the ICO recognizes that there are “some differing opinions as well as practical considerations around the use of partial cookie walls” and intends to seek further submissions and opinions on this issue from interested parties.
- Consent for cookies under ePrivacy means consent for processing under GDPR. The overlap and relationship between the GDPR (that governs processing of personal data) and the ePrivacy rules (that set out requirements on cookies) has prompted several compliance challenges, not helped by the delay in updating the ePrivacy rules. A common issue has been whether an organization may rely on one of the legal bases for processing data under the GDPR other than consent (such as legitimate interests) when that data is acquired as a result of dropping a cookie (for which consent is required). The ICO guidance, consistent with recent statements and positions of other regulators (including the recent EDPB opinion on the interplay between the two sets of rules), suggests the answer is “no.” For example, the guidance states: “if you have obtained consent in compliance with PECR [the UK implementation of the current ePrivacy rules], then in practice consent is also the most appropriate lawful basis under the GDPR. Trying to apply another lawful basis such as legitimate interests when you already have GDPR-compliant consent would be an entirely unnecessary exercise, and would cause confusion for your users.”
- What about sites outside of the EU? One feature of the current ePrivacy rules that has caused some head-scratching over the years is that, unlike the former Data Protection Directive 95/46/EC or the GDPR, they don’t contain an express applicable law test. The guidance states (eventually; it’s on page 44) that the territorial rules under the GDPR apply when cookies involve processing personal data. The upshot is that the rules do not automatically apply just because a site is available to users in the EEA. Instead, a site would have to offer goods or services to EEA users (e.g., an ecommerce site that allows users to purchase products from anywhere in the world and offers prices in local currency) or monitor their behaviour. The guidance states that an online news outlet based outside the EEA but accessible to individuals within the EEA “may not be in scope of the GDPR, depending on its circumstances” (e.g., is the content directed at individuals within the outlet’s own country rather than individuals in the EEA? has it taken measures to prevent EEA users from accessing the site? etc.).
In addition to the above points, the updated document provides guidance on how to comply with the rules, including recommendations on how to conduct a cookie audit and how to keep records of user preferences.