A cookie is a small file that attaches to a browser when a visitor accesses a website. It is placed deliberately to capture data from the browser or the activity of the visitor.  Cookies are regulated under the Privacy and Electronic Communications Regulations 2003 (amended).

The Information Commissioner’s Office (“ICO”) website features a report into the level of cookie complaints. Over the 12 months from 1 April 1999 there were 2,544 complaints made to the Office about cookies. Interestingly 1,473, nearly 60%, were made in the last quarter January to March 2020. By comparison, the previous year’s figures were 1,276 complaints in total.

What has driven this increase in complaints and what will the impact be?

The Privacy and Electronic Communications 2003 (amended) introduced the requirement for cookies used on websites to be explained and their use was made subject to consent from the visitor. The GDPR is a general regulation around the use of personal data and PECR is a specific set of rules for electronic communications which means that the general provisions in GDPR apply in the context of PECR. In July 2019 the ICO pointed out that this meant that the definition of “consent“ in GDPR applies to cookie notices.

Before July 2019 cookie banners would typically read “This website uses cookies. By continuing to use this website you consent to the use of cookies. For more information click here” the link would take the user to the cookie notice.

Obviously this type of assumed consent would no longer be effective applying the GDPR standard of consent: a clear, positive, action indicating freely given, informed consent. Specifically consent cannot be inferred from silence, you cannot use pre-ticked boxes or rely on consent where a user has no real choice if he or she wants to access a service.

Another new aspect of consent consequent on the GDPR standard is the granularisation of consent. This is implicit on creating informed consent. The typical marketing consent clause:

“We would like to keep you informed of products and services that might be of interest to you”

does not meet the standard required. Instead product and service offerings must be broken down into their constituent parts and separate consent established for each provider (where there is more than one), each element offered and each communication channel available. So the new standard cookie consent clause was outlined by the ICO as distinguishing between cookies that are essential for the functioning of the website (“essential cookies”), those that facilitate the activity of the user on the website (“functional cookies”) and the rest including Google Analytics and other reporting cookies (“non-essential cookies”). Consent is required for the use of functional and non-essential cookies and the cookies used on a website must be detailed in the cookie notice.

Although the ICO guidance was effective immediately, and the application of GDPR to cookie consent clauses was effective from the date that GDPR was effective 25 May 2018, very few websites had compliant cookie notices in July 2019. Commentators picked up the new guidance from the ICO and relevant articles started to appear in professional magazines and articles.  Commentators assumed that there would be a period of grace before the ICO would start to enforce the new style cookie consent requirements but organisations were expected to start updating cookie notices and consent clauses immediately.

In fact take up of the new style cookie consent clause has been slow and possibly slower than the growth in awareness of website visitors.  This may have led to the increase in complaints.  The autumn 2019 quarter (October, November, December) recorded the second highest number of complaints about cookies in the two years’ covered on the ICO website, so maybe awareness was already starting to rise towards the end of 2019. The change in interpretation was being reported throughout the second half of 2019 and by early 2020 we were well equipped to start objecting to cookies we had not given consent to. It is possibly one of the few changes we cannot blame on lockdown, given the timing, although the first quarter of the next reporting period (April, May, June 2020 might make interesting reading).

What does this steep increase in complaints about cookies to the ICO mean?

It means the period of grace to get your cookie notice right is running out fast. The ICO regularly explains how it’s resources are allocated, that is on a risk basis and priority basis. Lots of complaints means that a growing number of the public want action and that is what they will get. This makes cookie compliance a top priority for the autumn of 2020!

For assistance with this topic or other aspects of data protection, contact us today.

Mandy Webster, Data Protection Consultant