Here are the key points:
- Implied consent: Although previous ICO guidance has suggested that consent can still be implied under the GDPR, the Guidance states that under PECR, a user must "take a clear and positive action to give their consent to non-essential cookies". The accompanying blog post goes further and makes clear that "implied consent [under GDPR] is no longer acceptable – whether it's for cookies, or for processing personal data". This creates possible tension with the previous guidance (although that guidance did seem to suggest that implied consent was largely limited to "informal offline situations", e.g. exchange of business cards). It is clear, however, that relying on the continued use of a website as an implied indication of consent for cookies will no longer be valid. Some sort of preference centre mechanism is very likely to be required. Equally, no auto-loading of cookies can take place until the consent has been collected. This is probably the biggest change under the ICO's guidance.
- Other grounds for processing: If cookies require consent under PECR, then an operator cannot use one of the GDPR's alternative lawful bases – such as legitimate interests – to set them. Again, this has always been clear – as PECR requires consent. But the ICO's view is that there has been a degree of confusion on this point. While other grounds are theoretically available for the subsequent processing of personal data obtained through cookies, the ICO has indicated that an operator is unlikely to be able to use any grounds (especially for profiling and targeted advertising) other than consent, given previous indications from European DPAs. This could be a challenge for many organisations.
- How to achieve GDPR-mandated consent: The Guidance advises the following about different possible means of obtaining consent:
- Browser settings: A website operator cannot assume that users can currently configure their browser settings to reflect their preferences in relation to cookies (especially when using non-traditional web browsers, e.g. on smartphones). Where it is possible for the user to set up their browser so that only certain cookies are allowed, the Guidance considers that this may be a means of obtaining consent, but for now relying solely on browser settings will not be sufficient. This means many organisations will need to look at how they currently go about collecting consent.
- Message boxes: Banners or pop-ups can be used to obtain consent provided that they make the position absolutely clear to users. If using message boxes, operators must consider the implications for the user experience to ensure it is easy to interact with across devices and is not unnecessarily disruptive while still providing clear and comprehensive information that does not confuse users.
- Settings-led or features-led consent: It is possible to integrate consent to cookies with a user's choice of a particular website setting/feature (e.g. choosing local language website version), provided that this is explained clearly. Organisations should review whether they can deploy this method for certain cookies to reduce the need to rely on an alternative consent mechanism.
- Use of a cookie wall: Where the user has no genuine choice but to agree to cookies to access a website, any attempt to gain consent will not be "freely given". Think of the example of some US news websites that banned EU visitors unless cookies were accepted. However, the Guidance flags that specific website content – rather than general access – may be conditional on the consent to the use of non-essential cookies if it is necessary for the provision of a service the user requests. It doesn't provide any more detail on what such content might include, but it's possible that this exemption could extend to less intrusive uses of cookies, e.g. access to geographic content.
- Accept/reject buttons: A consent mechanism cannot emphasise the 'accept' option over any 'reject' button (e.g. by putting "accept" in larger or more prominent text). The options should have equal prominence. This would be a significant market movement if widely adopted.
- Third party cookies: If an online service incorporates third party cookies (e.g. advertising or analytics), it must clearly and specifically name who the third parties are and explain what they will do with the information (this is consistent with previous ICO guidance). The Guidance suggests that the third parties may address their own compliance through contract (although the Guidance flags that this of itself may not be sufficient). In the short term, Google will likely tighten its contracts with web publishers on their use of Google cookies. In the long term, it's likely that third parties such as Google will need to work in conjunction with publishers to ensure compliance.
- Consent bundled into terms and conditions: As with consent generally, consent to cookies must be separate from other matters and cannot be bundled into terms and conditions or privacy notices. It will not be enough for a consent mechanism to locate controls in a "more information" section on the website.
- Expiry date: The Guidance makes clear that cookies have a limited shelf-life and that consent will therefore need to be revisited after a "reasonable time" (not defined in the Guidance).
- Transparency: PECR does not define "clear and comprehensive information" but the Guidance states that it relates to the GDPR's transparency requirements and right to be informed. When setting cookies an operator must provide the same information to users as it would when processing their personal data. Therefore an operator must clearly inform users about what its cookies are and what they do before they consent to them being set.
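Putting the mechanics above into code as an added example (this is not from the ICO guidance or Dentons): a small consent gate that sets no non-essential cookie or third-party script until the user clicks, records an expiry so consent is revisited after a fixed period, and renders accept and reject with identical styling. The storage key `cookie_consent`, the category names, the `window.thirdPartyLoaders` registry and the six-month expiry are assumptions.

```javascript
// Added example (not the ICO's or Dentons' code): gate non-essential cookies on an
// explicit choice, give the choice an expiry, and keep accept/reject equally prominent.
// The storage key, the categories and the 6-month "reasonable time" are assumptions.
const CONSENT_KEY = "cookie_consent";
const CONSENT_TTL_MS = 180 * 24 * 60 * 60 * 1000;
const NON_ESSENTIAL = ["analytics", "advertising"]; // need PECR consent; essential cookies do not
// Build a record from an explicit button click, never from scrolling or continued browsing.
function recordConsent(choices, now = Date.now()) {
  const saved = {};
  for (const cat of NON_ESSENTIAL) saved[cat] = choices[cat] === true;
  return { choices: saved, recordedAt: now, expiresAt: now + CONSENT_TTL_MS };
}
// A record only counts while unexpired; a missing or stale record means "no consent".
function consentIsValid(record, now = Date.now()) {
  return Boolean(record && typeof record.expiresAt === "number" && now < record.expiresAt);
}
// Decide whether a cookie category may be set right now.
function mayLoad(category, record, now = Date.now()) {
  if (!NON_ESSENTIAL.includes(category)) return true; // strictly necessary cookies are exempt
  return consentIsValid(record, now) && record.choices[category] === true;
}
// Run only the third-party loaders (analytics, advertising, ...) the user opted into.
function loadThirdParties(record, loaders, now = Date.now()) {
  const loaded = [];
  for (const [cat, load] of Object.entries(loaders)) {
    if (mayLoad(cat, record, now)) { load(); loaded.push(cat); }
  }
  return loaded;
}
// Browser wiring (skipped outside a browser): both buttons share one class, so neither
// is styled more prominently; nothing non-essential runs before a click.
if (typeof document !== "undefined" && typeof localStorage !== "undefined") {
  const loaders = window.thirdPartyLoaders || {}; // assumed registry: {analytics: fn, ...}
  const stored = JSON.parse(localStorage.getItem(CONSENT_KEY) || "null");
  if (consentIsValid(stored)) {
    loadThirdParties(stored, loaders);
  } else {
    const banner = document.createElement("div");
    banner.innerHTML = '<button class="consent-btn" data-all="1">Accept all</button>' +
                       '<button class="consent-btn" data-all="0">Reject all</button>';
    banner.querySelectorAll(".consent-btn").forEach((btn) => btn.addEventListener("click", () => {
      const all = btn.dataset.all === "1";
      const record = recordConsent({ analytics: all, advertising: all });
      localStorage.setItem(CONSENT_KEY, JSON.stringify(record));
      loadThirdParties(record, loaders);
      banner.remove();
    }));
    document.body.appendChild(banner);
  }
}
```

Anything that previously fired on page load (tag managers, ad pixels, analytics snippets) has to move behind `loadThirdParties`, which is where most sites find the real work.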
Dentons is the world's first polycentric global law firm. A top 20 firm on the Acritas 2015 Global Elite Brand Index, the Firm is committed to challenging the status quo in delivering consistent and uncompromising quality and value in new and inventive ways. Driven to provide clients a competitive edge, and connected to the communities where its clients want to do business, Dentons knows that understanding local cultures is crucial to successfully completing a deal, resolving a dispute or solving a business challenge. Now the world's largest law firm, Dentons' global team builds agile, tailored solutions to meet the local, national and global needs of private and public clients of any size in more than 125 locations serving 50-plus countries. www.dentons.com.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.