In July 2019 the Information Commissioner’s Office issued updated guidance on cookie consent clauses.  Under GDPR the standard for consent is that it is specific, informed, unambiguous agreement.  This means that you must explain at detailed level what is being consented to and that pre-filled boxes or phrases like “if you continue to use this website you have consented to the use of cookies” do not work.

In particular the ICO advised that cookies should be identified as either essential for the operation of the website such as managing the shopping basket for sales, and those that are non-essential.  Specifically Google Analytics is not essential.  Landing pages should not have any non-essential cookies and consent must be obtained before using non-essential cookies on any website pages.

The ICO website demonstrates the new style cookie consent notice.

Be aware that the law actually changed when GDPR was introduced as the standard for consent automatically applied to the Privacy and Electronic Communications Regulation when GDPR came into full force on 25 May 2018.  There has been an EUCJ ruling in October 2019 which held that cookie consent must be active and explicit (Bundesverband der Verbraucherzentralen und Verbraucherverbände — Verbraucherzentrale Bundesverband eV v. Planet49 GmbH).  Also the Spanish data protection authority has fined Vueling Airlines €18,000 in September 2019 for inadequate cookie consent.  The summary on the European Data Protection Board website reads:

“Users who access the Vueling company’s website do not have the ability to configure the cookies that are installed on their computers.

When accessing online the cookie policy of the URL page: https://www.vueling.com/es , users are informed about what cookies are and what cookies they use. It also communicates that Vueling can use the information by itself or through third parties such as, beacons, Pixel tags and Local storage, evaluations  and  statistical calculations on anonymous data, indicating  “such information will not be used for any other purpose”. They also report that they may use third-party analytics cookies.

However, on the management of cookies, the company merely indicates that: “you can configure the browser to accept or reject by default all cookies or to receive an on-screen notice of the reception of each cookie and decide at that time its implementation or not on your hard drive. You can also use “do not track” tracking cookie blocking tools. It is also noted that, “you can revoke at any time the consent given for the use of cookies by Vueling, configuring the browser for this purpose and that you can adjust the browser settings to prevent the installation of cookies websites or third parties in general.”

What the company does not provide is a management system or cookie configuration panel that allows the user to delete them in a granular way. To facilitate this selection the panel would have to enable a mechanism or button to reject all cookies, another to enable all cookies or to be able to do it in a granular way in order to manage the preferences of each user.”

This is a useful summary of what is required in a 2019 cookie consent and notice.