In July, the UK's Information Commissioner's Office released new guidance on its interpretation of the rules regarding the use of cookies and similar technologies (the Guidance). The Guidance explains how the Privacy and Electronic Communications Regulations (PECR) apply to the use of cookies in light of the GDPR.

Here are the key points:

  • Effect of the GDPR on cookies: The PECR provides that a website operator must provide clear and comprehensive information about its use of cookies and obtain valid consent to such use. If an operator is setting cookies, the Guidance makes clear that it must first comply with the PECR before turning to the GDPR. However, the GDPR has indirectly imposed a higher standard for cookies as to what constitutes consent and transparency.
  • Consent: The GDPR's high standard applies to consent under PECR in relation to the use of cookies. This was clear when the GDPR was implemented, but the ICO has now confirmed it (and given guidance as to what it means for collecting consent for cookies – see below). Under PECR, consent is almost always required unless cookies are strictly necessary (defined narrowly to mean cookies which are essential to providing the service requested by the user).
  • Implied consent: Although previous ICO guidance has suggested that consent can still be implied under the GDPR, the Guidance states that under PECR a user must "take a clear and positive action to give their consent to non-essential cookies". The accompanying blog post goes further and makes clear that "implied consent [under GDPR] is no longer acceptable – whether it's for cookies, or for processing personal data". This creates possible tension with the previous guidance (although that guidance did seem to suggest that implied consent was largely limited to "informal offline situations", e.g. the exchange of business cards). It is clear, however, that relying on the continued use of a website as an implied indication of consent for cookies will no longer be valid. Some sort of preference centre mechanism is very likely to be required. Equally, no non-essential cookies can be set automatically before consent has been collected. This is probably the biggest change under the ICO's guidance.
  • Other grounds for processing: If cookies require consent under PECR, then an operator cannot use one of the GDPR's alternative lawful bases – such as legitimate interests – to set them. Again, this has always been clear – as PECR requires consent. But the ICO's view is that there has been a degree of confusion on this point. While other grounds are theoretically available for the subsequent processing of personal data obtained through cookies, the ICO has indicated that an operator is unlikely to be able to use any grounds (especially for profiling and targeted advertising) other than consent, given previous indications from European DPAs. This could be a challenge for many organisations.
  • How to obtain consent to the GDPR standard: The Guidance advises the following about different possible means of obtaining consent:
    • Browser settings: A website operator cannot assume that users can currently configure their browser settings to reflect their preferences in relation to cookies (especially when using non-traditional web browsers, e.g. on smartphones). Where it is possible for the user to set up their browser so that only certain cookies are allowed, the Guidance considers that this may be a means of obtaining consent, but for now relying solely on browser settings will not be sufficient. This means many organisations will need to look at how they currently go about collecting consent.
    • Message boxes: Banners or pop-ups can be used to obtain consent provided that they make the position absolutely clear to users. If using message boxes, operators must consider the implications for the user experience to ensure it is easy to interact with across devices and is not unnecessarily disruptive while still providing clear and comprehensive information that does not confuse users.
    • Settings-led or features-led consent: It is possible to integrate consent to cookies with a user's choice of a particular website setting/feature (e.g. choosing local language website version), provided that this is explained clearly. Organisations should review whether they can deploy this method for certain cookies to reduce the need to rely on an alternative consent mechanism.
    • Use of a cookie wall: Where the user has no genuine choice but to agree to cookies to access a website, any attempt to gain consent will not be "freely given". Think of the example of some US news websites that blocked EU visitors unless cookies were accepted. However, the Guidance flags that specific website content – rather than general access – may be conditional on consent to the use of non-essential cookies if it is necessary for the provision of a service the user requests. It doesn't provide any more detail on what such content might include, but it's possible that this exemption could extend to less intrusive uses of cookies, e.g. access to geographic content.
    • Accept/reject buttons: A consent mechanism cannot emphasise the 'accept' option over any 'reject' button (e.g. by putting "accept" in larger or more prominent text). The options should have equal prominence. This would be a significant shift in market practice if widely adopted.
    • Continued use: Wording such as 'By continuing to use our website, you consent to our use of cookies' is not compliant, as the website has already decided that non-essential cookies will be set and has not given the user a genuine free choice. In practice, this means that a website operator must ensure that no non-essential cookies are set on its landing page before the user has consented, and must still allow users access to its website if they do not consent to these cookies.
  • Third party cookies: If an online service incorporates third party cookies (e.g. advertising or analytics), it must clearly and specifically name who the third parties are and explain what they will do with the information (this is consistent with previous ICO guidance). The Guidance suggests that the third parties may address their own compliance through contract (although the Guidance flags that this of itself may not be sufficient). In the short term, Google will likely tighten its contracts with web publishers on their use of Google cookies. In the long term, it's likely that third parties such as Google will need to work in conjunction with publishers to ensure compliance.
  • Consent bundled into terms and conditions: As with consent generally, consent to cookies must be separate from other matters and cannot be bundled into terms and conditions or privacy notices. It will not be enough for a consent mechanism to locate controls in a "more information" section of the website.
  • Expiry date: The Guidance makes clear that cookies have a limited shelf-life and that consent will therefore need to be revisited after a "reasonable time" (not defined in the Guidance).
  • Transparency: PECR does not define "clear and comprehensive information" but the Guidance states that it relates to the GDPR's transparency requirements and right to be informed. When setting cookies an operator must provide the same information to users as it would when processing their personal data. Therefore an operator must clearly inform users about what its cookies are and what they do before they consent to them being set.
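
To make the mechanical consequences of the points above concrete, here is an added example of a consent gate written for this article; it is not code from the ICO, the Guidance or Dentons. It models the rules described: nothing non-essential is set before an explicit choice, "reject" is a first-class and recorded choice that still lets the visitor use the site, continued browsing counts for nothing, and a stored choice lapses after a fixed period so the user is asked again. The cookie name, the record format, the category list, the sample third-party tags and the 180-day period are all assumptions for the example (the Guidance defines no "reasonable time"); the in-memory jar stands in for document.cookie so the code runs under Node.

```javascript
// Consent-gated cookie setting and third-party tag loading.
// Added example for this article, not code from the ICO Guidance or from Dentons.
// Names, the record format and the expiry period below are assumptions.

const CONSENT_COOKIE = "cookie_consent";             // assumed cookie name
const CONSENT_MAX_AGE_MS = 180 * 24 * 3600 * 1000;   // assumed "reasonable time"; the Guidance defines none
const CATEGORIES = ["analytics", "advertising", "preferences"]; // assumed non-essential categories

// Parse a Cookie header / document.cookie string into a name -> value map.
function parseCookies(cookieString) {
  const out = {};
  for (const part of cookieString.split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    if (name) out[name] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return out;
}

// Assumed record format: "1|<issued ms since epoch>|analytics=1,advertising=0,preferences=1".
// A rejection is stored just like an acceptance: it is a decision, not the absence of one.
function encodeConsent(choices, issuedAt) {
  const pairs = CATEGORIES.map((c) => `${c}=${choices[c] ? 1 : 0}`).join(",");
  return `1|${issuedAt}|${pairs}`;
}

// Read the stored choice. Absent, malformed or stale records all mean "no valid consent";
// the only safe default is to treat the visitor as not yet having decided.
function readConsent(cookieString, now = Date.now()) {
  const none = { decided: false, expired: false, choices: {} };
  const raw = parseCookies(cookieString)[CONSENT_COOKIE];
  if (!raw) return none;
  const [version, issuedStr, pairs] = raw.split("|");
  const issuedAt = Number(issuedStr);
  if (version !== "1" || !Number.isFinite(issuedAt) || pairs === undefined) return none;
  const choices = {};
  for (const c of CATEGORIES) choices[c] = false; // anything not explicitly accepted is refused
  for (const pair of pairs.split(",")) {
    const [k, v] = pair.split("=");
    if (CATEGORIES.includes(k)) choices[k] = v === "1";
  }
  return { decided: true, expired: now - issuedAt > CONSENT_MAX_AGE_MS, choices, issuedAt };
}

// Show the banner again when there is no explicit choice or the stored one has lapsed.
function needsBanner(consent) {
  return !consent.decided || consent.expired;
}

// The gate: strictly necessary cookies always pass; everything else needs a live, explicit opt-in.
function canSet(category, consent) {
  if (category === "strictly_necessary") return true;
  if (!CATEGORIES.includes(category)) return false;
  return consent.decided && !consent.expired && consent.choices[category] === true;
}

// A cookie jar that enforces the gate. In a browser the jar is document.cookie; here it is
// an in-memory object so the example runs outside a browser.
function makeJar(initialCookieString = "") {
  const store = parseCookies(initialCookieString);
  return {
    set(name, value, category, now = Date.now()) {
      if (!canSet(category, readConsent(this.header(), now))) return false;
      store[name] = value;
      return true;
    },
    recordChoice(choices, now = Date.now()) {
      // The consent record itself is strictly necessary: it is what lets the site honour "reject".
      store[CONSENT_COOKIE] = encodeConsent(choices, now);
    },
    header() {
      return Object.entries(store).map(([k, v]) => `${k}=${encodeURIComponent(v)}`).join("; ");
    },
  };
}

// Third-party tags declare vendor and purpose, which is also what the banner must tell the user.
// These two tags are constructed sample data, not real vendors.
const THIRD_PARTY_TAGS = [
  { vendor: "ExampleAnalytics Ltd", category: "analytics", src: "https://analytics.example/tag.js" },
  { vendor: "ExampleAds Inc", category: "advertising", src: "https://ads.example/pixel.js" },
];

// Only tags whose category has a live opt-in are loaded; on a fresh visit this returns nothing.
function tagsToLoad(tags, consent) {
  return tags.filter((t) => canSet(t.category, consent)).map((t) => t.src);
}

module.exports = { parseCookies, encodeConsent, readConsent, needsBanner, canSet, makeJar, tagsToLoad, THIRD_PARTY_TAGS };
```

In a real deployment the same `canSet` check would sit in front of every call that sets a cookie or injects a third-party script, and `needsBanner` would decide whether to render the banner on page load; the banner itself must then present accept and reject with equal prominence, which is a presentation question this example deliberately leaves to the page template.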

The ICO has not provided any "grace period" for the implementation of the new guidance. However, it has been clear that enforcement action will focus on organisations that refuse to take steps to comply or have been using privacy-intrusive cookies without notice. This indication gives organisations an appropriate period to review the use of cookies on their websites and make the necessary adjustments to their consent mechanisms.

French guidance

The French Commission Nationale de l'Informatique et des Libertés (CNIL) recently issued updated guidance on the use of cookies. On review, it has become clear that European regulators are taking the same direction of travel, in that the CNIL's approach to cookies is similarly stringent to that of the ICO. That said, the CNIL has taken a more relaxed view on certain points – for example, its guidance states that analytics and preference cookies (e.g. where a user expresses his/her preference for using a website in a certain language) are exempt from the consent requirement if certain conditions are met. Equally (and unlike the ICO), the CNIL has granted organisations a 12-month "grace period" to ensure compliance with its guidance. Notwithstanding these minor differences, both regulators' focus on cookies – and the similar approach taken in their respective guidance – strongly suggests that following the GDPR, European regulators will take a more consistent approach to privacy matters.

Dentons is the world's first polycentric global law firm. A top 20 firm on the Acritas 2015 Global Elite Brand Index, the Firm is committed to challenging the status quo in delivering consistent and uncompromising quality and value in new and inventive ways. Driven to provide clients a competitive edge, and connected to the communities where its clients want to do business, Dentons knows that understanding local cultures is crucial to successfully completing a deal, resolving a dispute or solving a business challenge. Now the world's largest law firm, Dentons' global team builds agile, tailored solutions to meet the local, national and global needs of private and public clients of any size in more than 125 locations serving 50-plus countries.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.