Cookie consent: update one year post-GDPR
Published on 26th Jul 2019
The cookie compliance requirements in the UK have recently been overhauled to make it crystal clear that GDPR level consent is now needed to set most cookies. These stricter requirements will impact most organisations.
Background
Since the Privacy and Electronic Communications Regulations 2003 (PECR) came into force in the UK, you have needed an individual's consent to set non-essential cookies. Until recently it appeared that you could rely on "implied consent" under PECR (informing individuals about the use of cookies in a cookie banner, after which their continued use of the site was taken to constitute implied consent). However, the impact of GDPR and recent supervisory authority guidance means that there has been a steady move towards GDPR level consent for cookies throughout the EU.
What's changed?
In the UK, the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 expressly state that, from 29 March 2019, consent to drop cookies in the UK must comply with the GDPR requirements for consent.
The UK supervisory authority (the ICO) went further and this month published updated guidance reinforcing the requirement for GDPR level consent and giving practical direction on how to achieve it. The ICO clarifies that, where you need consent under PECR to set non-essential cookies, then your legal basis under GDPR will also be consent. The move to GDPR level consent represents a huge change to the way in which many companies in the UK currently approach cookie compliance.
It is important to realise that this GDPR level consent is also needed for "similar technologies" to cookies, i.e. anything which stores or accesses information on a user's device, such as HTML5 local storage, Local Shared Objects, tracking pixels, plug-ins, and device fingerprinting techniques.
Some other EU regulators are taking a similar approach. For example, the CNIL (the French supervisory authority) has published broadly equivalent guidance on cookie consent.
Consent is not needed for 'essential' cookies. However, the ICO has clarified that the concept of "essential" is very narrow and will not include any analytics cookies, first or third party advertising cookies, social media plugins, or tracking (including cross-device tracking). Notably, the ICO has taken a stricter approach in this area than the CNIL in France, which has suggested that audience measurement cookies can, in certain circumstances, be regarded as necessary. Essential cookies might include cookies that track user input where this is essential for the operation of the service (for example, which items have been put in a shopping basket over the course of a web session) or cookies required to comply with security obligations such as authentication, but this will need to be assessed on a case by case basis. Care should also be taken with the classification of essential cookies, as there are a number of exceptions. For example:
- authentication cookies are generally seen as essential but persistent authentication cookies such as login cookies are not, because the user may not remember that they are logged in during a subsequent visit.
- security cookies are exempt if they are first party cookies but if the information is used for another purpose (such as the security of third parties' online services) then consent is required.
- cookies that relate to video or audio may be seen as essential for streaming content but will not be exempt from the consent requirement if they relate to additional functionality, such as personalisation, or usage monitoring.
What does this mean for you?
Even if you made changes to the way in which you set cookies in the run up to GDPR, you should consider revisiting this to ensure that your methods do not fall foul of more recent guidance on cookie consent. In particular this means consent should be:
- Active. All permissions should be defaulted to settings which reject cookies. For example any tick box asking individuals to consent to cookies must be presented unticked, and you cannot rely on inaction (such as continuing to browse a website) as an indication of consent. ICO guidance goes as far as to state that the consent mechanism should not emphasise "agree" or "allow" buttons over those stating "reject" as this influences individuals towards accepting cookies.
- Informed. Individuals must be informed about what the cookies do before they can validly consent. The explanation must be comprehensive and clear (taking account of the type and age of individuals using the site). The French regulator in particular has criticised Google and others in the adtech industry for a lack of transparency. The ICO states that consent should include information about the controller’s name, the purposes of the processing and the types of processing activity.
- Identification of any third parties. If you use any third party cookies then your consent mechanism will need to cover third party cookies by identifying the relevant third party and explaining how these third parties will use the information collected from their cookie. You will need to ask for new consent each time you add a new third party which places cookies or when they change the purpose for which cookie information is collected and used.
- Granular. You need specific consent for each different processing activity so you should ask individuals to consent separately to each different type or group of cookies (such as advertising, analytics etc). As a result of regulator scrutiny, many cookie management platforms have revised their consent mechanisms to make them more specific and granular, although the ICO also criticises an over-granular and over-complicated approach in its guidance. The level of detail required will need to be assessed on a case by case basis and balanced against the need to be clear and transparent.
- Unbundled. Cookie consent must be separate from any other consents (for example, consent to cookies should not be included in the general terms and conditions).
- Freely given. You should not make cookie consent a condition for accessing your services or site where cookies are not necessary for the particular services (such as using a cookie wall).
- Capable of being withdrawn. Individuals must be informed that they can withdraw their consent at any time and you should offer them a simple mechanism for withdrawing consent (as it should be as easy to withdraw consent as it was to give it). They must also be provided with controls over any non-essential cookies and should be allowed to continue to use your site even if they withdraw their consent.
Importantly you should not set any non-essential cookies on your site or landing page before the relevant individual has given their consent.
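The requirements above (default reject, per-category consent, named third parties, easy withdrawal, nothing non-essential set before consent) can be expressed as a small consent gate. The JavaScript below is an added illustration, not code from the article or from any regulator; the cookie catalogue, category names, third-party names and the `sink` stand-in for `document.cookie` are constructed assumptions.

```javascript
const ESSENTIAL = "essential";

// Constructed sample catalogue (an assumption): each cookie names its category and,
// where a third party sets it, that party, so the notice can identify it.
const CATALOGUE = [
  { name: "session_id", category: ESSENTIAL },
  { name: "basket", category: ESSENTIAL },
  { name: "analytics_id", category: "analytics", thirdParty: "Example Analytics Vendor" },
  { name: "ad_id", category: "advertising", thirdParty: "Example Ad Network" },
  { name: "theme", category: "functional" },
];

function createConsentState() {
  // Default position: only essential cookies are permitted until the user acts.
  return { granted: new Set([ESSENTIAL]) };
}

function grantConsent(state, categories = []) {
  // Consent is a per-category affirmative act; an empty list (the user merely kept browsing) grants nothing.
  for (const c of categories) if (c !== ESSENTIAL) state.granted.add(c);
  return state;
}

function withdrawConsent(state, categories) {
  // Withdrawal is a single call; with no list, every non-essential category is withdrawn.
  const targets = categories || [...state.granted].filter(c => c !== ESSENTIAL);
  for (const c of targets) if (c !== ESSENTIAL) state.granted.delete(c);
  return state;
}

function canSet(state, cookie) {
  // A third-party cookie whose party is not named cannot be described in the notice, so refuse it.
  if ("thirdParty" in cookie && !cookie.thirdParty) return false;
  return state.granted.has(cookie.category);
}

function applyCookies(state, catalogue, sink) {
  // sink stands in for document.cookie / localStorage; nothing without consent reaches it.
  const set = [], blocked = [];
  for (const c of catalogue) (canSet(state, c) ? set : blocked).push(c.name);
  set.forEach(n => sink.push(n));
  return { set, blocked };
}

function noticeText(catalogue) {
  // The information the user needs before consenting: each category and its third parties.
  const byCat = {};
  for (const c of catalogue) {
    if (!byCat[c.category]) byCat[c.category] = new Set();
    if (c.thirdParty) byCat[c.category].add(c.thirdParty);
  }
  return Object.entries(byCat).map(([k, v]) => `${k}: ${[...v].join(", ") || "first party only"}`);
}
```

On a real page the catalogue would be rendered as the consent notice with every non-essential category unticked, and `applyCookies` would only be invoked with the categories the user actively selected.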
How can we help?
The need for cookie consent and the mechanics for obtaining valid consent are clearly hot topics both for the regulators and companies. It is a complex area as you need to factor in whether cookies are first party or third party, session or persistent, and deal with the interaction of GDPR and PECR when formulating your consent mechanism.
European regulators are also adopting different approaches, with Italian and Spanish supervisory authorities taking limited steps to introduce new guidance and approaches compared to the UK and France. This makes it difficult for entities who operate across Europe to have one single approach to cookie compliance.
Please contact one of the experts listed below if you would like to discuss any of the issues raised.