The guidance is based on two legislative requirements:
The UK Privacy and Electronic Communications Regulation 2003 (PECR) embeds the electronic communications privacy principles of the ‘ePrivacy Directive’ (Directive 2002/58/EC). Section 6 of the PECR requires organizations who place non-essential cookies on websites –
As of May 25, 2018, the GDPR defines the meaning of consent under EU data protection laws, as a “freely given, specific, informed and unambiguous” indication of a person’s agreement for the processing of data related to that person.
The updated ICO guidance clarifies how companies should apply the GDPR requirements for consent to the collection of cookies.
The ICO further clarifies that the market practices up until now do not comply in full with these standards.
For example, many cookie banners and notices –
- Do not offer separate options to consent to, or reject, each category of cookies placed on a website (‘unbundled consent’);
- Do not offer users a right to ‘reject all’ on the landing/home page. Instead, they only provided options to ‘accept all’ cookies or ‘learn more/go to settings’, thereby directing the users to additional webpages to reject the cookies.
The General Rule
The new ICO updated guidance makes it clear that consent to cookies should fulfil all the GDPR criteria. The guidance assesses whether a variety of mechanisms — such as cookie walls, browser settings, and message boxes — are sufficient for obtaining a valid consent.
As a general rule, the ICO concludes that companies must ensure that cookies are placed on a website’s landing page only with the user’s consent. The mechanism deployed for collecting consent must seek clear, unbundled acceptance for each category of cookies or similar technology.
The Exception – Essential Cookies
The rule excludes the placement of essential cookies. These are considered from the user’s perspective. According to the ICO, cookies that are simply helpful or convenient, but not strictly necessary ─ or that are only essential for the operator’s own purposes ─ will still require consent.
For example, Cookies used to remember the goods a user wishes to buy when they add goods to their online basket or proceed to the checkout on an internet shopping website, or cookies that are essential to comply with the GDPR security principles will not require consent. However, cookies used for analytics advertising purposes will require consent.
What will no Longer Qualify as Obtaining Consent?
- Website terms and conditions and privacy notices cannot be used for cookie consent, as users must be provided with transparent and concise information relating specifically to cookies which is not bundled with information relating to the wider service or processing of other personal data. This means that a separate Cookies Policy will now be required.
- Cookie walls that require a user to consent as a condition for accessing the website will be inappropriate, as such consent will not be freely given. Instead, websites should offer users a real choice to accept or reject cookies and be provided with an alternative method to access, e.g., payment.
- A consent mechanism that emphasizes “agree” or “allow” over “reject” or “block” represents a non-compliant approach as the site is influencing users towards the “accept” option.
- A consent mechanism that does not allow a user to make a choice would also be deemed to be non-compliant, even if the controls are located in a ‘more information’
- Consent will be invalid if (i) message boxes are hard to read or interact with when using a mobile device, or (ii) users do not click on any of the options available and go straight through to another part of the site without engaging with the consent box.
Geo-Fencing and Guidance by Other Regulators
All EU member states have their own implementing legislation for the ePrivacy Directive and the ICO guidance only relates to the UK. Therefore, businesses may want to consider IP-gating websites when applying the ICO recommendations if they do not agree with rolling them out Europe-wide.
The first step, which already took place on July 4, 2019, is to update its guidance issued back in 2013 on cookies as it is outdated because it refers to implied consent (i.e., consent through the continued use of the website) as an acceptable mode of obtaining consent to place cookies and align with the GDPR requirements for consent.
The new guidance will rule out the use of implied consent to place cookies on users’ devices. However, the CNIL will not enforce the new rules for a period of twelve months.
In the second phase, the guidelines will be followed by a new recommendation, which will specify the practical arrangements for obtaining consent. The draft recommendation will be drawn up after the consultation with professionals and civil society, which will take place in the coming months and will then be subject to public consultation.
The final recommendation will be published in the first quarter of 2020. Following the publication of the future recommendation, a six months period will be provided for the implementation of the new rules. However, this adaptation period will not prevent the CNIL from demanding full compliance with other obligations that have not been modified and, if necessary, adopting corrective measures to protect the privacy of Internet users.
In particular, operators of websites must condition the placement of trackers with users’ consent. They must leave the possibility to access the service even if the user does not provide consent. They must also provide an option for withdrawing consent that is easy to access and use.
What Should you do?
Companies must consider the applicability of the updated guidance on their online practices and accordingly consider making the necessary adaptations to their practices, including by creating an updated cookies message box/banner and creating a detailed cookies policy.
*This memo is not a leagal opinion