The ICO has issued new guidance on the use of cookies.  The cookie consent banner on the ICO website has also been updated to reflect the new guidance and is granular and specific.  This means that compliance professionals need to work with colleagues to understand what different types of cookies are being used on websites, what they do in practice and which ones need to offer an opt-in.

The ICO distinguishes between essential and non-essential cookies.  An essential cookie is one that is strictly necessary to provide the service the user has requested, or to enable communication.  GDPR-compliant consent is required for any non-essential cookies.  GDPR-compliant consent means:

  • Positive action
  • Based on clear and specific information about what cookies do
  • Including information about any third party cookies

Cookies which track to provide analytics are not essential in the ICO's view, however useful they may be.  They do not contribute to the accessibility of the website or service to the user.  The ICO restates the point that the use of cookies and data collection for marketing purposes might meet the condition of legitimate interests of the controller, but the ecommerce rules requiring positive consent to marketing (PECR) apply equally to cookies as to other forms of data capture.  The need for consent to non-essential cookies is underlined by the fact that the ICO guidance specifically states:

“non-essential cookies must not be set on landing pages before you gain the user’s consent.”

This means that the Home page must not include any non-essential cookies.  However, we know that users may “land” on any page of a website if drawn there by content.  This is going to be a tricky issue to resolve.  A strategy must be set and procedures introduced to ensure that any links to your business website take users to a page free of non-essential cookies.

The ICO blog accompanying the guidance concludes that:

“Cookie compliance will be an increasing regulatory priority for the ICO in the future.”  It also recommends that businesses start working towards compliance, undertake a cookie audit and document their decisions.  This is the accountability aspect of modern data protection: being able to demonstrate compliance is not sufficient; you must also be able to demonstrate how it is managed behind the scenes.

The adtech industry is facing a two-pronged attack.  Not only does this new guidance give users an opportunity to opt out of tracking, but there is also an ongoing investigation by the ICO into how the adtech market works with real-time bidding for personal data harvested from our browsing activity.  A recent speech by the ICO’s Executive Director for Technology Policy and Innovation covered the topic and suggested a six-month period to allow the industry to come up with some solutions.  I think it would be wise to move towards cookie compliance within the same timescale.  You can read the speech referred to here.

Mandy P Webster, Data Protection Consultant