ICO guidance on the use of cookies and similar technologies

Published on 21 January 2020

Can implied consent be relied on for the use of cookies? Or, in the words of the ICO’s blog, “what does ‘good’ look like?”

The key takeaway 

If you use cookies you must (1) tell people if you set cookies, (2) explain what cookies do and (3) obtain the user’s consent (which must be actively and clearly given).

The background

The guidance addresses cookies and similar technologies in detail and is intended to provide an in-depth understanding of how the Privacy and Electronic Communications Regulations (PECR) applies to the use of cookies. The guidance also provides clarity and certainty around the interplay between the General Data Protection Regulation (GDPR) and the PECR cookie requirements.

The guidance

The new guidance highlights the following:
  • implied consent is no longer acceptable (eg consent implied from the continued use of the website);
  • online advertising cookies require consent (a consent mechanism should allow a user to make a choice, this includes all third-party cookies used in online advertising);
  • you should not emphasize the “agree” or “allow” cookie options over the “reject” or “block” cookie options;
  • if an organisation uses any third party cookies, it must clearly and specifically name who the third parties are and explain what they will do with the information;
  • do not use any pre-ticked boxes (or equivalents such as “on” sliders) for non-essential cookies;
  • “cookie walls” which block general access to a website if consent is not provided do not constitute valid consent;
  • the ICO’s position remains that cookie consent should be separate from other matters, and should not be bundled into terms and conditions or into privacy notices. 
Why is this important?

The guidance confirms that the rules on cookies will continue to be enforced by the ICO under the PECR regime (where the maximum fine is £500,000), except where personal data is processed - in which case it would also be open to the ICO to use its enhanced powers under the GDPR (where the maximum is €20m, or 4% of annual global turnover – whichever is greater).

The ICO has indicated that it intends to take a risk-based approach and states in the guidance that it is unlikely to prioritise enforcement action in relation to cookies where there is a low level of intrusiveness and a low risk of harm to individuals. It may consider taking action where an organisation refuses to take steps to comply, or uses privacy-intrusive cookies without taking adequate steps to provide the requisite information and secure valid consent.

Any practical tips?

Think about running a cookie audit! This includes looking at your cookie notices and cookie policy with fresh eyes (or rather through the eyes of the ICO’s new guidance).

Stay connected and subscribe to our latest insights and views 

Subscribe Here