The new guidance highlights the following:
- implied consent is no longer acceptable (e.g. consent implied from the continued use of the website);
- online advertising cookies require consent (a consent mechanism should allow a user to make a choice; this applies to all third-party cookies used in online advertising);
- you should not emphasise the “agree” or “allow” cookie options over the “reject” or “block” cookie options;
- if an organisation uses any third party cookies, it must clearly and specifically name who the third parties are and explain what they will do with the information;
- do not use any pre-ticked boxes (or equivalents such as “on” sliders) for non-essential cookies;
- “cookie walls” which block general access to a website if consent is not provided do not constitute valid consent;
- the ICO’s position remains that cookie consent should be separate from other matters, and should not be bundled into terms and conditions or into privacy notices.
The guidance confirms that the rules on cookies will continue to be enforced by the ICO under the PECR regime (where the maximum fine is £500,000), except where personal data is processed, in which case it would also be open to the ICO to use its enhanced powers under the GDPR (where the maximum is €20m, or 4% of annual global turnover, whichever is greater).
The ICO has indicated that it intends to take a risk-based approach and states in the guidance that it is unlikely to prioritise enforcement action in relation to cookies where there is a low level of intrusiveness and a low risk of harm to individuals. It may consider taking action where an organisation refuses to take steps to comply, or uses privacy-intrusive cookies without taking adequate steps to provide the requisite information and secure valid consent.
Any practical tips?