GENERAL

WHICH LOCAL LAW IMPLEMENTS THE EPRIVACY DIRECTIVE?

The Privacy and Electronic Communications (EC Directive) Regulations 2003, as amended by the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 (PECR).

IS THERE ANY REGULATORY GUIDANCE ISSUED TO SPECIFICALLY ADDRESS COOKIES?

Yes – the UK Information Commissioner has issued 'Guidance on the Use of Cookies and Similar Technologies' (ICO Guidance).

CONSENT

CAN A USER PROVIDE CONSENT TO COOKIES VIA WEB BROWSER SETTINGS?

No – the GDPR standard of consent applies. This means consent must be a freely given, specific, informed and unambiguous indication of the individual's wishes by a statement or by a clear affirmative action. If an individual's browser settings allow access to and storing of cookies generally, this will not be sufficient to meet the GDPR standard of consent for use of cookies on a specific website. The guidance notes that the individual must take a clear and positive action to give their consent to non-essential cookies – continuing to use a website does not constitute valid consent.

PECR does contain two exemptions to the cookie consent rules. The requirement to obtain consent does not apply to the technical storage of, or access to, information (a) for the sole purpose of carrying out the transmission of a communication over an electronic communications network; or (b) where such storage or access is strictly necessary to provide the service requested by the user. Activities likely to fall within the strictly necessary exemption include those that relate to the specific functionality of the service – i.e. without them, the user would be unable to undertake certain activities.

ARE COOKIE WALLS ALLOWED?

No – users must be provided with controls over any non-essential cookies, and must be able to access the website if they do not consent to these cookies. ICO Guidance states that general access to a website should not be made conditional on users accepting non-essential cookies; only certain content may be limited if the user does not consent. Individuals must be given a genuine free choice; consent should not be bundled up as a condition of the service unless it is necessary for that service.

CAN CONSENT BE IMPLICIT (I.E. THROUGH USE OF THE WEBSITE)?

No – the user must take a clear and positive action to give their consent to non-essential cookies – continuing to use a website does not constitute valid consent.

TRANSPARENCY AND RETENTION

ARE THERE SPECIFIC RULES OR GUIDANCE FOR COOKIE BANNERS?

In order for consent to be valid, individuals must take a clear and positive action to give their consent to non-essential cookies. The website cannot use any pre-ticked boxes (or equivalents such as 'on' sliders) for non-essential cookies and clear information must be provided to individuals about what cookies are used and the purpose of these cookies before they consent to them being set. This may be achieved by a cookie banner. However, the ICO Guidance notes a consent mechanism that emphasises agree or allow over reject or block represents a non-compliant approach, as the online service is influencing users towards the accept option.

IS A SEPARATE COOKIE POLICY REQUIRED IN ADDITION TO THE WEBSITE PRIVACY POLICY?

No – ICO Guidance states that detailed information about cookies can be provided in a privacy or cookie policy. However, the cookie information must be provided in such a way that the user will see it when they first visit the website and it must be clear and prominent. To meet this standard, best practice is to provide a separate cookies policy.

ARE THERE ANY SPECIFIC RETENTION PERIODS FOR DATA HELD BY COOKIES?

No – however, the ICO Guidance confirms that use of a cookie must be:

  • proportionate in relation to the intended outcome; and
  • limited to what is necessary to achieve the purpose.

The ICO Guidance does not set a specific timeframe after which fresh consent to the use of cookies must be obtained from users. However, it recognises that there is a range of reasons why visitors should re-consent to cookie settings, depending on factors such as the frequency of visits or updates to content or functionality. The ICO Guidance also states that the consent mechanism for cookies must have the technical capability to allow users to withdraw their consent with the same ease with which they gave it; otherwise it will not be compliant with the GDPR's consent requirements.

DO ANY COOKIE RULES OR GUIDANCE APPLY DIFFERENTLY FOR FIRST-PARTY AND THIRD-PARTY COOKIES?

Yes, companies setting third-party cookies must be specifically named. The ICO Guidance also confirms that if a website sets third-party cookies, both the website owner and the third party have a responsibility for ensuring users are clearly informed about cookies and for obtaining consent.

ENFORCEMENT

IS THERE ANY REGULATORY STRATEGY ON THE ENFORCEMENT OF COOKIE RULES?

The ICO has confirmed that cookie compliance will be an increasing regulatory priority in the future. In addition, the ICO has indicated that its enforcement approach will prioritise uses of cookies that are perceived to be highly intrusive.

HAVE THERE BEEN ANY FINES ISSUED FOR NON-COMPLIANCE WITH COOKIE RULES?

No.

HAVE THERE BEEN ANY COURT CASES ADDRESSING COOKIE COMPLIANCE?

No.

ADDITIONAL INFORMATION

The ICO Guidance also applies to the use of cookie-like technologies in Internet of Things devices. The ICO Guidance states that since these services can also store or access information on the user's device just like any website, the cookie rules apply to all such devices where cookies or similar technologies are in use.

Originally published 27 November 2020

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.