What does the ICO’s recent guidance mean for the future of cookies?
The Information Commissioner’s Office (“ICO”) has recently issued guidance on the use of cookies and similar technologies. That guidance seeks to clarify some of the issues now faced with cookies under the General Data Protection Regulation (“GDPR”) and, in particular, how it interacts with the Privacy and Electronic Communications Regulations (“PECR”). PECR governs the use of cookies for storing information and accessing information stored on a user’s equipment (e.g. a computer or mobile device).
Cookie Law
In short, and irrespective of whether or not the website is processing any personal data, a website is only allowed to set a cookie on a user’s device if it is:
- strictly necessary; or
- the user of the website has given its consent.
If personal data is being processed on the website then the normal rules of the GDPR will also apply.
Strictly necessary
A “strictly necessary cookie” has a high threshold and is where a cookie is either (i) necessary for technical purposes to allow a communication to take place; or (ii) to provide a service the user has requested. Common examples of “strictly necessary” cookies are session cookies used to create a shopping basket, or a security cookie for a requested service.
Consent
For all other types of cookies, consent from the user of the website will be required. Critically, the standard of consent must be GDPR consent. This means that the consent must be freely given, specific, unambiguous and given by a clear affirmative action. The consent must also be informed, i.e. the user must be given clear information about how each cookie is used and why (e.g. a cookie policy). The ICO guidance requires that websites obtain consent before placing any cookies on a user’s computer (unless it is “strictly necessary”).
What does this mean in practice?
- Cookie Walls – the lawful use of cookie walls by websites will be difficult and require careful thought. Blanket approaches, e.g. “by continuing to use this website you are agreeing to cookies” will not be valid as consent must be “freely given.”
- Analytics Cookies –the use of analytics cookies is not strictly necessary and requires users’ consent.
- Third Party Cookies – the use of third party cookies will invariably almost always require consent (especially adtech and social media cookies). This raises difficult questions over who is responsible for obtaining the consent (i.e. the website owner or the third party operator) and how it can lawfully be obtained. It also will require third parties to be explicitly named, and an explanation of how the third party uses those cookies will need to be provided to the user. This is a complex area, and further light may be shed on how websites should approach this issue of compliance at the conclusion of the ICO’s investigation into the adtech sector.
Future uncertainty?
Despite the ICO’s recent guidance, organisations should bear in mind that the EU is introducing a new EU Regulation on Privacy and Electronic Communications. This Regulation will almost certainly include new rules on the use of cookies that might well require further amendments to websites (to the extent that Regulation is applicable to the UK after Brexit). No fixed deadline has been provided for when the Regulation will be introduced, but the recent steps taken by the ICO with regards to cookies makes it clear that those organisations that seek to delay compliance will not receive much sympathy from the regulator.
Next steps:
All organisations that rely on cookies should conduct a cookie audit to identify those cookies it currently uses and why. Some cookies may be strictly necessary, whereas it may be possible to remove others altogether (thereby reducing the degree of legal risk). The use of cookies by organisations should be kept under constant review, and we would recommend that all organisations keep a keen eye on the progress of the EU Regulation and the ICO’s investigation into the adtech sector given the potentially far reaching impact they will have on the use of cookies.
For more information please contact Freddie Law on +44 (0)20 7427 6522 or at freddie.law@crsblaw.com, or Jonathan McDonald on +44 (0)20 7427 6725 or at jonathan.mcdonald@crsblaw.com.
Our thinking
Sarah Rowley
Charity Training series: Session 2
Join us for the second session in our Charity Training series where we will cover training for Charity Trustees and Senior Executives.
Sarah Rowley
Charity Training series: Session 1
Join us for the first session in our Charity Training series where we will discuss ESG for Charities.
Mark Howard
Charles Russell Speechlys advises Content+Cloud on the acquisition of award-winning service provider Azzure IT
Content+Cloud continues its growth journey, this is our 7th successful transaction for them.
Dominic Lawrance
Dominic Lawrance talks to Spear's Magazine about UK cryptocurrency tax
What HNWs should know about UK cryptocurrency tax
Sarah Keens
Being Green - The Struggle for Power
Everything you need to know about Green Leases
Rose Carey
Is the UK open for business? A discussion with the Home Office
We hosted an immigration webinar with the policymakers from the Home Office.
Louise Ward
Louise Ward writes for EG on what UK investors can gain from an overseas life sciences partner
What UK investors can gain from an overseas life sciences partner
Sonia Kenawy
Sonia Kenawy writes for New Law Journal on cryptocurrency and security for costs
Sonia Kenawy writes for New Law Journal on cryptocurrency and security for costs
David Haines
New Arbitration Scheme for Commercial Arrears goes live
Everything you need to know about the new Arbitration Scheme for Commercial Arrears
Charlotte Healy
Charlotte Healy and Katie Bewick write for Pharmacy Business on expert determination
Charlotte Healy and Katie Bewick write for Pharmacy Business on expert determination
Pei Li Kew
Pei Li Kew writes for Pharmacy Business on the link between pharmacy and IP
Pei Li Kew writes for Pharmacy Business on the link between pharmacy and IP
Charlotte Duly
Charlotte Duly writes for CITMA Review on the China Tang trade mark infringement case
Charlotte Duly writes for CITMA Review on the China Tang trade mark infringement case
Mark Howard
Charles Russell Speechlys advises Acora on its acquisition of Secrutiny
Charles Russell Speechlys advises Acora on its acquisition of Secrutiny
Oliver Park
Building Safety Act 2022
Everything you need to know about the Building Safety Act 2022
Jonathan McDonald
Jonathan McDonald provides comment for City AM on the Data Reform Bill announced in the Queen's Speech
Jonathan McDonald provides comment for City AM on the Data Reform Bill announced in the Queen's Speech
Claire Fallows
CoStar quotes Claire Fallows on the new infrastructure levy announced in the Queen's Speech
CoStar quotes Claire Fallows on the new infrastructure levy announced in the Queen's Speech
Nick White
Charles Russell Speechlys advises Symphony Holdings Limited on the sale of its PONY trade mark portfolio for USD $28 million
Charles Russell Speechlys advises Symphony Holdings Limited on the sale of its PONY trade mark portfolio for USD $28 million.
Simon Ridpath
Simon Ridpath featured in the Lawyer’s Hot 100 list
Simon Ridpath features in The Lawyer’s Hot 100 list
Mark Howard
Charles Russell Speechlys advises Europa Oil & Gas (Holdings) plc on its £7m equity fundraising
Europa Oil and Gas is a renewable energy, oil and gas development and production company.
Natalie Batra
Patents and Peppa Pig: What is happening to intellectual property rights in Russia?
Certain Russian individuals and businesses can now use patents, utility models and industrial designs without obtaining prior permission.