The ICO distinguishes between essential and non-essential cookies. An essential cookie is one that is needed to provide the service requested by the user or that is necessary to allow communication. GDPR compliant consent is required for any non-essential cookies. GDPR compliant consent means:
- Positive action
- Based on clear and specific information about what cookies do
- Including information about any third party cookies
“non-essential cookies must not be set on landing pages before you gain the user’s consent.”
This means that the Home page must not include any non-essential cookies. However, we know that users may “land” on any page of a website if drawn there by content. This is going to be a tricky issue to resolve. A strategy must be set and procedures introduced to ensure that any links to your business website take users to a page free of non-essential cookies.
The ICO blog accompanying the guidance concludes that:
“Cookie compliance will be an increasing regulatory priority for the ICO in the future.” It also makes the recommendation that businesses start working towards compliance, undertake a cookie audit and document decisions. This is the Accountability aspect of modern data protection: being able to demonstrate compliance is not sufficient; you must be able to demonstrate how it is managed behind the scenes.
The adtech industry is facing a two-pronged attack. Not only does this new guidance give users an opportunity to opt out of tracking, but there is also an ongoing investigation by the ICO into how the adtech market works with real-time bidding for personal data harvested from our browsing activity. A recent speech by the ICO’s Executive Director for Technology Policy and Innovation covered the topic and suggested a six-month period to allow the industry to come up with some solutions. I think it would be wise to move towards cookie compliance within the same timescale. You can read the speech here: https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2019/07/speech-the-future-of-online-advertising-regulation/
Mandy P Webster, Data Protection Consultant