WHICH LOCAL LAW IMPLEMENTS THE EPRIVACY DIRECTIVE?
The Privacy and Electronic Communications (EC Directive) Regulations 2003, as amended by the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 (PECR).
IS THERE ANY REGULATORY GUIDANCE ISSUED TO SPECIFICALLY ADDRESS COOKIES?
CAN A USER PROVIDE CONSENT TO COOKIES VIA WEB BROWSER SETTINGS?
PECR does contain two exemptions to the cookie consent rules. The requirement to obtain consent does not apply to the technical storage of, or access to, information (a) for the sole purpose of carrying out the transmission of a communication over an electronic communications network; or (b) where such storage or access is strictly necessary to provide the service requested by the user. Activities likely to fall within the strictly necessary exemption include those that relate to the specific functionality of the service – i.e. without them, the user would be unable to undertake certain activities.
ARE COOKIE WALLS ALLOWED?
No – users must be provided with controls over any non-essential cookies, and be able to access the website if they don't consent to these cookies. ICO Guidance states that general access to a website should not be subject to conditions requiring users to accept non-essential cookies – only certain content can be limited if the user does not consent. Individuals must be provided with a genuine free choice; consent should not be bundled up as a condition of the service unless it is necessary for that service.
CAN CONSENT BE IMPLICIT (I.E. THROUGH USE OF WEBSITE)?
No – the user must take a clear and positive action to give their consent to non-essential cookies – continuing to use a website does not constitute valid consent.
TRANSPARENCY AND RETENTION
ARE THERE SPECIFIC RULES OR GUIDANCE FOR COOKIE BANNERS?
In order for consent to be valid, individuals must take a clear and positive action to give their consent to non-essential cookies. The website cannot use any pre-ticked boxes (or equivalents such as 'on' sliders) for non-essential cookies, and clear information must be provided to individuals about what cookies are used and the purpose of these cookies before they consent to them being set. This may be achieved by a cookie banner. However, the ICO Guidance notes that a consent mechanism that emphasises 'agree' or 'allow' over 'reject' or 'block' represents a non-compliant approach, as the online service is influencing users towards the accept option.
ARE THERE ANY SPECIFIC RETENTION PERIODS FOR DATA HELD BY COOKIES?
No – however, the ICO Guidance confirms that use of a cookie must be:
- proportionate in relation to the intended outcome; and
- limited to what is necessary to achieve the purpose.
DO ANY COOKIE RULES OR GUIDANCE APPLY DIFFERENTLY FOR FIRST-PARTY AND THIRD-PARTY COOKIES?
Yes, companies setting third-party cookies must be specifically named. The ICO Guidance also confirms that if a website sets third-party cookies, both the website owner and the third party have a responsibility for ensuring users are clearly informed about cookies and for obtaining consent.
IS THERE ANY REGULATORY STRATEGY ON THE ENFORCEMENT OF COOKIE RULES?
HAVE THERE BEEN ANY FINES ISSUED FOR NON-COMPLIANCE WITH COOKIE RULES?
HAVE THERE BEEN ANY COURT CASES ADDRESSING COOKIE COMPLIANCE?
The ICO Guidance also applies to the use of cookie-like technologies in Internet of Things devices. The ICO Guidance states that since these services can also store or access information on the user's device just like any website, the cookie rules apply to all such devices where cookies or similar technologies are in use.
Originally published 27 November 2020