Almost every website uses cookies. At present, it is impossible to imagine the internet without this technology. Because cookies are also used to process personal data, the supervisory authorities are paying close attention to this subject.
In July 2019 the Information Commissioner’s Office (ICO) published updated guidance to provide greater clarity for businesses grappling with how the United Kingdom General Data Protection Regulation (UK GDPR) and Data Protection Act 2018 apply to cookies. The focal point of cookies is consent, for which clear and stringent requirements are set out by the ICO.
We highlight the most crucial parts of the guidance to give you an overview on what to consider when implementing cookies on your website(s).
Cookies
First and foremost, it is necessary to understand what cookies are. The ICO states:
“Cookies are small pieces of information, normally consisting of just letters and numbers, which online services provide when users visit them. Software on the user’s device (for example a web browser) can store cookies and send them back to the website next time they visit.”
So, cookies are little data sets which store and collect data for, and from, the user of the website. Cookies are a useful tool and some are necessary, e.g. for transferring information from one server to another to simply show the contents of a website. Others are merely optional and store information for businesses to get to know their clients better, e.g. statistic or analytic cookies which collect information on a user’s behaviour online.
As this can and generally will also contain personal information such as user’s activities, their preferred settings, their shopping basket contents, their interests and their IP addresses, data protection law steps into the picture and its requirements must be met.
Cookie law
In the UK, the so-called cookie law comprises the Privacy & Electronic Communications Regulation (PECR), which implements the EU e-Privacy Directive (2002), and the complementary data protection rules envisaged in the Data Protection Act 2018 (DPA) and the UK GDPR. A UK business that intends to set cookies has to consider the PECR first, but must not disregard the data protection regulations.
Regulation 6 PECR is the main statute to look at when considering cookies or similar technologies. It does not mention cookies per se, but does aim to put restrictions on their use, as well as for similar technologies like plugins or fingerprinting. Therefore, if you wish to set cookies, you must give clear and comprehensive information about the cookies, explain their purpose and, if necessary, obtain consent to store them on the user’s devices.
PECR does not define what is intended by clear and comprehensive information, however, you should read it with the UK GDPR’s understanding of transparency and the data subjects’ rights, especially the right to information. Accordingly, you need to inform the users about the specific cookies you wish to set, their purposes, their storage period, possibly involved third parties and the legal basis you rely upon. Clear information is given, when it is straight forward and understandable by the broad public. You therefore should use a language and format that your users can and will understand. To achieve this, it can be helpful to classify your cookies as statistical, analytical, or necessary.
Legal basis
Regulation 6 of the PECR also requires you to obtain consent, where necessary. Again, the PECR do not define consent, but relies on the definition and requirements for consent set out by the UK GDPR. Therefore, consent is an action by the user, which is freely given, specific, informed, and unambiguous. Also, the user may not suffer any negative impact in case no consent is given, i.e. in case of cookies the website must still operate in its general functions.
For obtaining consent, it is crucial that this is done by an action, i.e. actively checking a box, giving a statement or else. Inactiveness or silence is no sound consent under the UK GDPR or PECR. To demonstrate a user’s consent or denial of consent, make sure to set up systems to store such information and to allow your user to amend their settings any time.
However, consent is not the only legal basis for cookies under data protection laws. Another possible legal basis for setting cookies is a legitimate interest (Art. 6 (1) (f) UK GDPR). But legitimate interests can only be assumed as a legal basis in a few cases, first and foremost only if the cookies or similar technologies are necessary or essential. Then, website owners still must inform their users on such essential cookies and their legitimate interest in their use and implementation.
The ICO emphasises that cookies which are merely helpful or convenient, but not essential ─ or only essential for your own purposes ─ will still require consent. Therefore, businesses must be aware that they are required to obtain consent for almost all cookies, unless an exception to the consent requirement applies, as provided by Regulation 6 (4) PECR. The two exceptions to consent, in which a legitimate interest can provide a sufficient legal basis, are the following situations:
- Firstly, the consent requirement does not apply to the technical storage of, or access to, information for the sole purpose of carrying out the transmission of a communication over an electronic network. This exception refers to the “communication exemption”, meaning that for a communication to take place over a network, the communication “endpoints” must be identified to enable information routing over a network. The communication must be impossible without the use of the cookie.
- Secondly, no consent is required where storage or access is strictly necessary for the provision of a service specifically requested by the user, i.e., “strictly necessary” cookies that are essential for the technical functioning of a website. For instance, a cookie is used to remember the goods a user wishes to buy when they go to the checkout, or add goods to the shopping basket. In this case, the use of cookies is considered strictly necessary from the user’s perspective.
How to comply with cookie law?
Generally speaking, when a business wants to use cookies, it must explain the type of cookie, provide information about the purpose and obtain the data subject’s consent to use them. The simplest way to obtain consent and provide information directly is to implement a cookie consent tool, a so-called cookie banner. Such a tool pops up when first visiting a website, and will ask any user to accept or deny all non-essential cookies or consider to accept individual cookies or groups of cookies.
You should structure the cookie banner in such a way that you do not lead the user to give a certain answer, i.e. the accept and deny button should look the same. Within this tool you can already provide the legal basis, the purpose and storage period of each individual cookie so that users have all information to be able to consider their action.
To classify your cookies, the ICO recommends conducting a cookie audit. This audit aims to enable you to classify your cookies as essential, statistical, analytical, or else.
Also, you should draw up a cookie policy or name all relevant information in your privacy policy, so users are able to obtain the necessary information at any time.
You should note that valid consent means that it must be freely given, which requires giving people genuine choice and control over how businesses use their data. As affirmed by the ICO, companies must be aware that a full cookie wall, requiring users to “agree” or “accept” the setting of cookies before they can access the website’s content, is unlikely to represent freely given consent. The key is that users must be provided with a genuinely free choice. For that reason, consent should not be bundled up as a condition of the service unless it is considered necessary. This means that the cookie banner must not prevent the use of the website until consent has been given. Interaction should still be possible, as well as the choice of which cookies are accepted and which are not.
Recommendations for commercial websites
Businesses must take some conscious steps to ensure compliance with cookie regulations. Firstly, it must ensure that for all cookies placed on the website that do not fall within the scope of the “strictly necessary” or “communication” exemption, valid consent exists before personal data is processed. You can find out the classification by conducting a cookie audit.
Secondly, website owners must implement cookies in such a way that, where necessary, they are only set after consent has been given. Businesses are recommended to further follow the guidelines and developments on the ICO’s website.
Please also note Art. 5 (2) of the UK GDPR that refers to accountability and requires businesses to demonstrate compliance with data protection rules. Therefore, we advise companies to keep evidence of the measures taken to comply with the PECR and UK GDPR and put in place technical and organisational measures to guarantee compliance.
Developments in cookie law
The Data Protection and Digital Information (No. 2) Bill is currently being considered by the House of Commons. It aims to replace both the PECR, the UK GDPR and Data Protection Act 2018. It contains a proposal for less stringent standards for the consent requirement for certain types of cookies. However, in its current form the Bill does not provide for a removal of cookie banners entirely. It will still be necessary to provide notice of cookies and users must be provided the ability to refuse cookies.
