My colleague Janine Regan has put together a summary of the essential points from the new Cookie Guidance recently published. It is a shift from the usual way we have been addressing cookie compliance and adds in the GDPR consent conundrums.
It applies to EU entities with websites targeting the EU. It also will apply to non-EU websites if they are actively targeting the EU citizens, particularly where they are using ad-serving and profiling cookies.
The French Data Protection Regulator has also adjusted their stance on Cookies and the generic pop-ups and banners that we tend to use, and as a consequence we advise you to review your current statement on Cookies and banner or pop-up as the ICO is likely to carry out reviews of websites in the forthcoming months, in the same way that the ICO did when the Cookies Law first came in some years ago.
Janine’s summary is as follows:
- Re third-party cookies – the third parties must be specifically named and you must provide an explanation of what they do with the information. Referring to “partners” or “third parties” is not sufficient.
- Non-essential cookies cannot be placed on landing pages and must not run at all until the user has given their consent.
- ‘Strictly necessary’ cookies should be assessed from the point of view of the user, not the website operator So whilst the website operator may regard advertising cookies as ‘strictly necessary’ because they bring in revenue to fund the services, they are not ‘strictly necessary’ from the user’s perceptive. The guidance specifically says that first and third party advertising cookies, including those used for operational purposes related to third-party advertising, such as click fraud detection, research, and product improvement, are unlikely to meet the “strictly necessary” exemption.
- The rules are unlikely to apply to intranets.
- Cookie audits should be undertaken regularly as usage of cookies changes.
- Cookie consent mechanisms should allow users to control all cookies that the website collects, i.e. first and third party cookies.
- In the future, you may be able to rely on the user’s browser settings for all of part of the consent mechanism, but “for now” relying solely on browser settings will not be sufficient.
- A consent mechanism that emphasises “agree” or “allow” over “reject or “block” is a non-compliant approach as the online service is influencing users towards the “accept” option.
- The guidance seems to suggest that the ICO views first-party analytic cookies (i.e. those that count the number of visitors, etc) as low risk and therefore they will probably not focus enforcement action in relation to these types of cookies.
- The consent mechanism must have the technical capability to allow users to withdraw their consent.
- Consent will need to be refreshed, for example when new non-essential cookies are set by a new third party.
- Re retention periods, “off-the-shelf” consent mechanisms that default to a certain expiration period, such as 90 days, should not be accepted as ‘red’ – you still need to take the time to determine whether this time period is appropriate and document those conclusions.
- Where the website operator has a social media presence, they will be joint data controllers with the social media platform for determining the purposes and means of processing personal data of any user that visits the relevant social media page. This remains the case even if the social media network only provides anonymised/aggregated statistical information about what users do.