In July 2019 the Information Commissioner’s Office (ICO) published updated guidance to provide greater clarity for businesses grappling with how the United Kingdom General Data Protection Regulation (UK GDPR) and Data Protection Act 2018 apply to cookies. The focal point of cookies is consent, for which clear and stringent requirements are set out by the ICO.
We highlight the most crucial parts of the guidance to give you an overview on what to consider when implementing cookies on your website(s).
First and foremost, it is necessary to understand what cookies are. The ICO states:
“Cookies are small pieces of information, normally consisting of just letters and numbers, which online services provide when users visit them. Software on the user’s device (for example a web browser) can store cookies and send them back to the website next time they visit.”
So, cookies are small data records which store and collect data for, and from, the user of the website. Cookies are a useful tool and some are necessary, e.g. for transferring information from one server to another simply to show the contents of a website. Others are merely optional and store information for businesses to get to know their clients better, e.g. statistical or analytical cookies which collect information on a user’s behaviour online.
As this can, and generally will, also contain personal information such as users’ activities, their preferred settings, their shopping basket contents, their interests and their IP addresses, data protection law steps into the picture and its requirements must be met.
In the UK, the so-called cookie law comprises the Privacy & Electronic Communications Regulation (PECR), which implements the EU e-Privacy Directive (2002), and the complementary data protection rules envisaged in the Data Protection Act 2018 (DPA) and the UK GDPR. A UK business that intends to set cookies has to consider the PECR first, but must not disregard the data protection regulations.
Regulation 6 PECR is the main provision to look at when considering cookies or similar technologies. It does not mention cookies by name, but it does place restrictions on their use, as well as on similar technologies such as plugins or fingerprinting. Therefore, if you wish to set cookies, you must give clear and comprehensive information about the cookies, explain their purpose and, if necessary, obtain consent to store them on the user’s devices.
PECR does not define what is meant by clear and comprehensive information; however, you should read it together with the UK GDPR’s understanding of transparency and the data subjects’ rights, especially the right to information. Accordingly, you need to inform users about the specific cookies you wish to set, their purposes, their storage period, any third parties involved and the legal basis you rely upon. Information is clear when it is straightforward and understandable by the general public. You should therefore use a language and format that your users can and will understand. To achieve this, it can be helpful to classify your cookies as statistical, analytical, or necessary.
Regulation 6 of the PECR also requires you to obtain consent, where necessary. Again, PECR does not define consent, but relies on the definition and requirements for consent set out by the UK GDPR. Therefore, consent is an action by the user which is freely given, specific, informed, and unambiguous. Also, the user must not suffer any negative impact if no consent is given, i.e. in the case of cookies the website must still operate in its general functions.
For obtaining consent, it is crucial that this is done by an action, i.e. actively ticking a box, giving a statement or similar. Inactivity or silence is not valid consent under the UK GDPR or PECR. To demonstrate a user’s consent or refusal of consent, make sure to set up systems that store this information and allow your users to amend their settings at any time.
However, consent is not the only legal basis for cookies under data protection law. Another possible legal basis for setting cookies is a legitimate interest (Art. 6 (1) (f) UK GDPR). But legitimate interests can only be relied upon as a legal basis in a few cases, first and foremost only if the cookies or similar technologies are necessary or essential. Even then, website owners must still inform their users about such essential cookies and about the legitimate interest in their use and implementation.
The ICO emphasises that cookies which are merely helpful or convenient, but not essential (or only essential for your own purposes), will still require consent. Therefore, businesses must be aware that they are required to obtain consent for almost all cookies, unless an exception to the consent requirement applies, as provided by Regulation 6 (4) PECR. The two exceptions to consent, in which a legitimate interest can provide a sufficient legal basis, are the following situations:
- Firstly, the consent requirement does not apply to the technical storage of, or access to, information for the sole purpose of carrying out the transmission of a communication over an electronic network. This exception is known as the “communication exemption”, meaning that for a communication to take place over a network, the communication “endpoints” must be identified to enable information to be routed over the network. The communication must be impossible without the use of the cookie.
How to comply with cookie law?
You should structure the cookie banner in such a way that you do not steer the user towards a particular answer, i.e. the accept and deny buttons should look the same. Within this tool you can already provide the legal basis, the purpose and the storage period of each individual cookie so that users have all the information they need to consider their decision.
To classify your cookies, the ICO recommends conducting a cookie audit. This audit aims to enable you to classify your cookies as essential, statistical, analytical, or another category.
You should note that valid consent must be freely given, which requires giving people genuine choice and control over how businesses use their data. As affirmed by the ICO, companies must be aware that a full cookie wall, requiring users to “agree” or “accept” the setting of cookies before they can access the website’s content, is unlikely to represent freely given consent. The key is that users must be provided with a genuinely free choice. For that reason, consent should not be bundled as a condition of the service unless it is considered necessary. This means that the cookie banner must not prevent the use of the website until consent has been given. Interaction should still be possible, as should the choice of which cookies are accepted and which are not.
Recommendations for commercial websites
Businesses must take some conscious steps to ensure compliance with cookie regulations. Firstly, they must ensure that, for all cookies placed on the website that do not fall within the scope of the “strictly necessary” or “communication” exemption, valid consent exists before personal data is processed. You can establish the classification by conducting a cookie audit.
Secondly, website owners must implement cookies in such a way that, where necessary, they are only set after consent has been given. Businesses are recommended to keep following the guidelines and developments on the ICO’s website.
Please also note Art. 5 (2) of the UK GDPR that refers to accountability and requires businesses to demonstrate compliance with data protection rules. Therefore, we advise companies to keep evidence of the measures taken to comply with the PECR and UK GDPR and put in place technical and organisational measures to guarantee compliance.
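As an added illustration of the two steps above (this is example code written for this overview, not code from the ICO or from any product), the following consent manager only sets a cookie if it appears in the audit registry and its category has an active, recorded consent decision; the absence of a record is treated as refusal, the record is kept as evidence for accountability, and a later decision overwrites the earlier one and deletes cookies in any category the user has withdrawn from. The cookie names, categories, retention periods and the Map standing in for the browser cookie store are all assumptions.

```javascript
// Output of the cookie audit: every cookie classified with purpose and
// retention. Names, categories and retention periods are constructed.
const COOKIE_REGISTRY = [
  { name: "session_id", category: "essential",   purpose: "keeps the user logged in", maxAgeDays: 0 },
  { name: "_stats",     category: "statistical", purpose: "counts visits per page",   maxAgeDays: 365 },
  { name: "_analytics", category: "analytical",  purpose: "records browsing path",    maxAgeDays: 730 },
];
class ConsentManager {
  // `jar` is a Map standing in for the cookie store (assumption: in a browser you would wrap document.cookie with the same get/set/delete).
  constructor(jar = new Map(), now = () => Date.now()) {
    this.jar = jar;
    this.now = now;
  }
  // Consent record kept as evidence (Art. 5(2) UK GDPR accountability). The
  // record's own cookie is treated here as essential (assumption).
  record() {
    const raw = this.jar.get("cookie_consent");
    return raw ? JSON.parse(raw) : null;
  }
  // No record means no decision yet: silence is not consent, so only
  // essential cookies may be set until the user acts.
  allowed(category) {
    if (category === "essential") return true;
    const rec = this.record();
    return rec !== null && rec.choices[category] === true;
  }
  // Called only on an active user choice (per-category accept/deny). Each
  // call replaces the earlier record, so the user can amend at any time;
  // cookies in a newly refused category are deleted straight away.
  decide(choices) {
    const rec = { version: 1, timestamp: new Date(this.now()).toISOString(),
                  choices: { statistical: choices.statistical === true,
                             analytical: choices.analytical === true } };
    this.jar.set("cookie_consent", JSON.stringify(rec));
    for (const c of COOKIE_REGISTRY) {
      if (!this.allowed(c.category)) this.jar.delete(c.name);
    }
    return rec;
  }
  // Single choke point for setting cookies: anything missing from the audit
  // registry is rejected, and non-consented categories are skipped.
  setCookie(name, value) {
    const def = COOKIE_REGISTRY.find(c => c.name === name);
    if (!def) throw new Error(`"${name}" is not in the cookie audit registry`);
    if (!this.allowed(def.category)) return false;
    this.jar.set(name, value);
    return true;
  }
}
```

Routing every cookie write through `setCookie` is what makes the audit enforceable: a cookie that was never classified cannot be set at all, and a consented category can be switched off later without leaving its cookies behind.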
Developments in cookie law