What does GDPR mean for cookies: Getting to grips with the cookie monster

By Alison Deighton / 8 Oct 2019

You will no doubt be familiar with the cookie banners that pop up when you visit a website, inviting you to click “Accept All” or to confirm that you are “OK” with cookies being set on your device. In some cases, the mere fact that you continue to browse the site is treated as sufficient evidence that you accept cookies.

We are bombarded with so many of these messages that many of us simply dismiss the banner in the easiest manner possible – which usually involves accepting the cookies. If you want to review the cookies that are being set and choose which to turn on or off, this usually involves a few clicks and, in some cases, resorting to changing your browser settings.

However, this approach is set to change. In July this year, the ICO issued new guidance on cookie consent requirements, emphasising the fact that for consent to be valid, it must meet the General Data Protection Regulation (GDPR) conditions for consent. In this blog, we consider the legal requirements that apply to the use of cookies, the regulatory approach and the practical steps you can take to ensure compliance.

What is a cookie anyway?

A cookie is a small piece of text that a website asks your browser to store on your device and to send back with later requests to that site. It could hold something as straightforward as your username or your language preference, or a persistent identifier used to track your browsing across visits and across sites. Cookies are hugely useful tools: they let a website keep small amounts of state on the user’s device and receive it only when needed, rather than having to look everything up in a central datastore on every request.

Cookies and the GDPR

The GDPR applies when cookies store personal data. Given the wide definition of personal data in the GDPR, which expressly includes online identifiers such as the unique IDs carried by tracking cookies, cookies very often hold personal data. Where they do, all the usual requirements of the GDPR apply.

There are no specific rules in the GDPR that relate solely to cookies. However, if cookies are collecting personal data you will need to consider how to meet GDPR transparency requirements and ensure you have a legal basis for collecting personal data and for further uses of the data. You will also need to comply with data minimisation, storage limitation and data security requirements.

Cookies, PECR and the GDPR standard of consent

The Privacy and Electronic Communications Regulations (PECR) require prior consent for the use of cookies unless an exemption applies. The rules apply to storing information on, or gaining access to information stored on, a user’s device, so they cover similar technologies such as local storage, tracking pixels and device fingerprinting as well as cookies. PECR also require “clear and comprehensive” information to be given to the user about the cookies that are set on their device.

With the introduction of the GDPR, the standard for cookie consent has changed. Cookie consent must now meet the GDPR requirements, which means that it must be specific, informed, freely given and unambiguous. There must be a clear affirmative action from the user to signify consent. It will also be necessary to enable users to withdraw consent at any time, and withdrawing consent should be as easy as giving it. This means that merely continuing to browse a website is not enough to constitute consent. Similarly, non-essential cookies cannot be set (or read) before the user has signified consent, for example by clicking an “Accept” button, so they should not be set on a landing page unless and until consent has been provided; only cookies covered by the “strictly necessary” exemption described below may be set without it.

The ICO Cookie Guidance also indicates that the consent mechanism should not emphasise “Accept” over “Reject”. So, a large Accept button with a small link to a “manage my preferences” option will not be acceptable.

Strictly necessary cookies

There is an exemption from the requirement to obtain consent for cookies where the cookie is “strictly necessary” to enable an information society service requested by the user to be delivered. This exemption will cover cookies such as:

  • Cookies used to remember items that a user has placed in a shopping basket
  • Cookies that are essential to meet the security requirements of a service the user has requested (for example, an online banking session)
  • Load balancing cookies that are necessary to enable the operation of the website

The ICO’s Cookie Guidance provides useful insight into the types of cookies that are likely to be considered strictly necessary and those which are not; the guidance is published on the ICO’s website.

Analytics cookies

Cookies that are used to analyse numbers of website visitors and to track how visitors use a site are useful to enable website operators to improve their website and measure the effectiveness of their content. Such cookies are not, however, “strictly necessary” and do not, therefore, benefit from the exemption above. Analytics cookies, therefore, require positive consent from users.

Advertising cookies

Cookies that enable targeted advertising are considered more intrusive than analytics cookies and are likely to be at the forefront of complaints and regulatory investigations in the coming months. Advertising cookies often include a mixture of first-party and third-party cookies, and it can be difficult for website operators to have full visibility of exactly what third party advertising cookies do. The ICO Cookie Guidance highlights the importance of providing a clear explanation of the purpose for which all cookies are used and specifically naming third parties whose cookies are deployed. It is therefore vital for website operators to ask for clear information from third parties about the purposes for which cookies are used and ensure that their consent mechanisms extend to third party cookies, as well as their own cookies.

The ICO Cookie Guidance equally emphasises the obligations placed on third party cookie providers. It is not sufficient for third parties to rely on website operators to obtain valid consent. They should be conducting due diligence to ensure that appropriate consent is obtained and will need to provide information to website operators about the purpose for which cookies are used to enable consent to be informed (a key requirement for valid consent).

Cookie walls

Some sites use a “cookie wall”, which means that users have to give their consent to cookies before they are permitted to access a website. This is effectively a take it or leave it approach to consent. The ICO has indicated that cookie walls are unlikely to work as a valid consent mechanism as there is no real choice for the user, therefore the consent is not “freely given”.

Practical steps to consider

To ensure that your cookie consent mechanism and Cookie Policy is compliant with legal requirements and the latest regulatory guidance we recommend taking the following steps:

  1. Undertake a cookie audit to identify all cookies deployed (including those set by third-party scripts and embedded content), their purpose and the period for which they are set.
  2. Where third party cookies are used, contact third parties to request specific information about the purpose to ensure you can provide a clear explanation to users.
  3. Consider whether all cookies are necessary or whether the period for which they are set can be reduced.
  4. Identify “strictly necessary” cookies, for which consent will not be required.
  5. Categorise all other cookies by purpose so that users can be provided with easy to use information about the types of cookies used and can easily choose which cookies they are happy to enable.
  6. Put in place a compliant cookie consent mechanism that requires a positive indication of consent from users and sets no non-essential cookies until it has been given. Provide an easy-to-access cookie preference centre so that consent can be withdrawn at a future point, and remember that you need to keep an audit trail of consent.
  7. Update your Cookie Policy to provide an easy to understand explanation of all cookies, including naming third parties where relevant.
  8. Put in place a procedure to manage cookies going forward. You will need to consider for how long your cookie consent will be valid and how you will assess whether new cookies fall under existing consent mechanisms.
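As an added worked example (not code from the original post or from HelloDPO), the script below does the mechanical part of steps 1 to 5 and 8: it parses captured Set-Cookie headers into an inventory, works out whether each cookie is first- or third-party relative to the site, how long it lives, whether it carries the Secure and HttpOnly attributes, and whether it falls under a category you have already declared. The site domain, the captured headers, the declared categories and the audit date are all constructed for illustration; replace them with the headers you record while loading your own landing page with no consent given.

```python
"""Cookie inventory built from captured Set-Cookie headers (added example)."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import Optional
from urllib.parse import urlsplit

SITE_DOMAIN = "example.com"  # assumption: the first-party domain of the site under audit

# Assumption: the categories the operator has already declared, keyed by cookie name.
DECLARED = {"sessionid": "strictly necessary", "basket": "strictly necessary", "_ga": "analytics"}

# Constructed sample: headers captured while loading the landing page with no
# consent given, as (URL that returned the header, Set-Cookie value).
CAPTURED = [
    ("https://www.example.com/", "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("https://www.example.com/", "basket=item42; Path=/; Max-Age=604800; Secure; SameSite=Lax"),
    ("https://www.example.com/", "_ga=GA1.2.123.456; Domain=.example.com; Path=/; Expires=Tue, 05 Oct 2021 10:00:00 GMT"),
    ("https://ads.adnetwork.example/pixel", "IDE=xyz; Domain=.adnetwork.example; Path=/; Max-Age=63072000; Secure; SameSite=None"),
]

AUDIT_DATE = datetime(2019, 10, 8, tzinfo=timezone.utc)  # fixed so Expires arithmetic is reproducible


@dataclass
class CookieRecord:
    name: str
    set_by: str                   # host that sent the Set-Cookie header
    domain: str                   # effective cookie domain (Domain attribute, else the host)
    party: str                    # "first" or "third", relative to SITE_DOMAIN
    lifetime_days: Optional[int]  # None means a session cookie
    secure: bool
    httponly: bool
    samesite: str
    category: str                 # declared category, or "UNCLASSIFIED"


def parse_set_cookie(header: str) -> tuple[str, str, dict[str, str]]:
    """Split a Set-Cookie value into (name, value, {attribute: value}); flags map to ""."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: dict[str, str] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def lifetime_days(attrs: dict[str, str], now: datetime) -> Optional[int]:
    """Max-Age takes precedence over Expires (RFC 6265); neither means a session cookie."""
    if "max-age" in attrs:
        return max(0, int(attrs["max-age"])) // 86400
    if "expires" in attrs:
        return max(0, (parsedate_to_datetime(attrs["expires"]) - now).days)
    return None


def classify(url: str, header: str, now: datetime = AUDIT_DATE) -> CookieRecord:
    name, _, attrs = parse_set_cookie(header)
    host = urlsplit(url).hostname or ""
    domain = attrs.get("domain", host).lstrip(".").lower()
    first_party = domain == SITE_DOMAIN or domain.endswith("." + SITE_DOMAIN)
    return CookieRecord(
        name=name,
        set_by=host,
        domain=domain,
        party="first" if first_party else "third",
        lifetime_days=lifetime_days(attrs, now),
        secure="secure" in attrs,
        httponly="httponly" in attrs,
        samesite=attrs.get("samesite", "(unset)"),
        category=DECLARED.get(name, "UNCLASSIFIED"),
    )


def audit(captured=CAPTURED, now: datetime = AUDIT_DATE) -> list[CookieRecord]:
    """One CookieRecord per captured Set-Cookie header."""
    return [classify(url, header, now) for url, header in captured]


def findings(records: list[CookieRecord]) -> list[str]:
    """The points the practical steps ask you to resolve, one string each."""
    out = []
    for c in records:
        if c.category == "UNCLASSIFIED":
            out.append(f"{c.name}: not in the declared inventory; classify it before relying on existing consent")
        if c.category != "strictly necessary":
            out.append(f"{c.name}: needs prior consent ({c.category}) and was set before any was given")
        if c.party == "third":
            out.append(f"{c.name}: third-party cookie from {c.domain}; name the provider and confirm its purpose")
        if c.lifetime_days is not None and c.lifetime_days > 365:
            out.append(f"{c.name}: lives {c.lifetime_days} days; consider whether a shorter period would do")
        if not c.secure:
            out.append(f"{c.name}: lacks the Secure attribute, so it can be sent over plain HTTP")
    return out
```

Run `findings(audit())` against headers captured before any consent is given: anything reported as needing prior consent has been set too early, and anything reported as UNCLASSIFIED is what step 8 is about, a cookie your existing consent mechanism does not cover. Treat the declared inventory as a claim to be checked, not as the truth; the captured headers are the truth.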

Conclusions

The ICO has provided comprehensive guidance on the steps that it expects organisations to take to ensure cookie compliance. This is also likely to be an area of regulatory enforcement action in the near future, with the ICO making its position clear:

“The ICO support innovation but that can’t always be at the expense of people’s rights”.

So, the message is to act now to get to grips with cookies to avoid regulatory scrutiny and user complaints.

How we can help

If you need support with your cookie compliance project, whether that be a specific piece of advice or support through the whole process we are here to help. Email us at hello@hellodpo.com
