What does the ICO’s recent guidance mean for the future of cookies?
The Information Commissioner’s Office (“ICO”) has recently issued guidance on the use of cookies and similar technologies. That guidance seeks to clarify some of the issues now faced with cookies under the General Data Protection Regulation (“GDPR”) and, in particular, how it interacts with the Privacy and Electronic Communications Regulations (“PECR”). PECR governs the use of cookies for storing information and accessing information stored on a user’s equipment (e.g. a computer or mobile device).
Cookie Law
In short, and irrespective of whether or not the website is processing any personal data, a website is only allowed to set a cookie on a user’s device if it is:
- strictly necessary; or
- the user of the website has given its consent.
If personal data is being processed on the website then the normal rules of the GDPR will also apply.
Strictly necessary
A “strictly necessary cookie” has a high threshold and is where a cookie is either (i) necessary for technical purposes to allow a communication to take place; or (ii) to provide a service the user has requested. Common examples of “strictly necessary” cookies are session cookies used to create a shopping basket, or a security cookie for a requested service.
Consent
For all other types of cookies, consent from the user of the website will be required. Critically, the standard of consent must be GDPR consent. This means that the consent must be freely given, specific, unambiguous and given by a clear affirmative action. The consent must also be informed, i.e. the user must be given clear information about how each cookie is used and why (e.g. a cookie policy). The ICO guidance requires that websites obtain consent before placing any cookies on a user’s computer (unless it is “strictly necessary”).
What does this mean in practice?
- Cookie Walls – the lawful use of cookie walls by websites will be difficult and require careful thought. Blanket approaches, e.g. “by continuing to use this website you are agreeing to cookies” will not be valid as consent must be “freely given.”
- Analytics Cookies –the use of analytics cookies is not strictly necessary and requires users’ consent.
- Third Party Cookies – the use of third party cookies will invariably almost always require consent (especially adtech and social media cookies). This raises difficult questions over who is responsible for obtaining the consent (i.e. the website owner or the third party operator) and how it can lawfully be obtained. It also will require third parties to be explicitly named, and an explanation of how the third party uses those cookies will need to be provided to the user. This is a complex area, and further light may be shed on how websites should approach this issue of compliance at the conclusion of the ICO’s investigation into the adtech sector.
Future uncertainty?
Despite the ICO’s recent guidance, organisations should bear in mind that the EU is introducing a new EU Regulation on Privacy and Electronic Communications. This Regulation will almost certainly include new rules on the use of cookies that might well require further amendments to websites (to the extent that Regulation is applicable to the UK after Brexit). No fixed deadline has been provided for when the Regulation will be introduced, but the recent steps taken by the ICO with regards to cookies makes it clear that those organisations that seek to delay compliance will not receive much sympathy from the regulator.
Next steps:
All organisations that rely on cookies should conduct a cookie audit to identify those cookies it currently uses and why. Some cookies may be strictly necessary, whereas it may be possible to remove others altogether (thereby reducing the degree of legal risk). The use of cookies by organisations should be kept under constant review, and we would recommend that all organisations keep a keen eye on the progress of the EU Regulation and the ICO’s investigation into the adtech sector given the potentially far reaching impact they will have on the use of cookies.
For more information please contact Freddie Law on +44 (0)20 7427 6522 or at freddie.law@crsblaw.com, or Jonathan McDonald on +44 (0)20 7427 6725 or at jonathan.mcdonald@crsblaw.com.
Our thinking
Kelvin Tanner
Sponsor Licence Compliance: Key considerations & how to be audit ready
Join us for the third in our series of mini webinars on post Brexit immigration about sponsor licence compliance.
Emma Humphreys
The Future of Property Careers
Join to our panel discussion and Q&A with industry leaders on the range of opportunities within the property and construction sector.
Helen Coward
New tax on property developers - consultation paper published
The government published a consultation paper on the design of the new residential property developers tax.
Procuring modular housing: Is MMC becoming mainstream?
Is Modern Methods of Construction becoming mainstream? Read what it means for Development and Procurement here.
Mark Howard
Dual class share structures: how do they work and what are the pros and cons?
Dual class share structures allow a shareholder, for example the founder, to retain voting control over a company.
Georgina Muskett
Q&A: Talking the telecoms talk
Georgina Muskett and Jonathan Wills answer queries on Electronic Communications Code agreement.
Rachel Warren
Property Patter: Navigating the complexities of Pharmacy Property
Pharmacy property is a specialist area which contains many traps for the unwary.
Nick Hurley
COVID-19 Vaccination – can an employer make it compulsory for employees?
We review what legal issues to take into account when considering to make vaccination compulsory as an employer.
Georgia Sutton
Music to our ears? Well, perhaps not for Apple.
A feud first began when the music streaming giant, Spotify, filed a complaint against music streaming provide rand competitor, Apple Inc.
Michael Powner
Linking ESG and Executive Pay
How does a business go about embedding a focus on strong ESG performance into the structures and culture of its organisation?
Paul Stone
National Security and Investment Act granted Royal Assent
The Act establishes a new regime for the review of mergers, acquisitions and other transactions that could threaten national security.
Ray Ng
Recent Trends In Firewall Legislation: BVI, Bermuda And Gibraltar
Andrew Clarke
Charles Russell Speechlys advises Waverton on acquisition of Cornerstone Asset Management
Established in July 2010 and with offices in Edinburgh and Glasgow, Cornerstone offers wealth management and financial planning advice.
Lauren Spark
What do the new Debt Respite Scheme Regulations mean for Landlords and Tenants?
This will provide legal protection from creditors in the form of either a breathing space or a mental health crisis moratorium.
Simon Ridpath
Charles Russell Speechlys promotes five to Partner
The promotions are effective 1 May 2021 and are accompanied by one Legal Director and 15 Senior Associate promotions.
Emma Humphreys
Risk allocation in commercial leases: the High Court considers rent suspension, insurance and frustration arguments
Read our summary of the full judgement on the latest Covid arrears case.
Robert Reymond
Charles Russell Speechlys boosts private wealth offering with the hire of an international tax team
Robert Reymond will be joined at the firm by Leigh Nicoll, Emma Tyrrell and Oliver Cooper.
James Scott
Proposed Takeover Code Amendments – Key Changes
The Consultation Paper has now been followed by a corresponding response paper which made certain modifications to the initial proposals.
Paul Stone
Competition and Markets Authority announces review of the EU vertical agreements block exemption
The UK Competition and Markets Authority is reviewing the future application of the EU vertical agreements block exemption in the UK.
Anna Rogers
Playing Copycat – Why have M&S begun legal action against Aldi over Colin the Caterpillar?
M&S’s chocolate caterpillar was the first of its kind to land on our supermarket shelves, over 30 years ago.