What is a cookie?
A cookie is a small text file that is downloaded onto a user's device while accessing a website. It allows the website to recognise that device and store certain information about the user's preferences or past actions. Some cookies are transient (session cookies), i.e. they are deleted at the end of a browsing session, while others (persistent cookies) are retained on the device for extended periods, usually expiring after one or two years, and can provide websites with the user's preferences, authentication state, settings, browsing behaviour and other user-specific information on future visits. It goes without saying that this technology may have significant privacy implications for users.
Current UK cookie law
[Image caption: This Kat has unambiguously consented to cookies]
The Privacy and Electronic Communications Regulations (PECR) have been in a delayed process of being updated, and many online service providers have either been on standby or have used divergent approaches in implementing cookie compliance measures. The updated guidance will presumably resolve the outstanding ambiguities, effectively leaving companies no scope to defer compliance further.
As a general rule, consent is mandatory for those cookies that are not strictly necessary for the provision of a service. The ‘strictly necessary’ exemption is to be construed narrowly: storage of (or access to) information must be essential, rather than reasonably necessary or merely important. Such necessity is also limited to the specific service requested by the user and does not extend to any other potential uses anticipated by the service provider.
Likewise, ‘strictly necessary’ should be interpreted from the user’s perspective, not the provider’s, subject to the provider’s obligations under other applicable legislation, i.e. data security requirements.
The ICO has provided specific examples of activities that would likely satisfy the ‘strictly necessary’ exemption, namely: a session cookie used to remember the shopping basket or to complete a form; first-party site access authentication session cookies, such as those for online banking services; first-party cookies used for security purposes, such as detecting repeated failed login attempts, which may be persistent in nature; video/audio related cookies that are necessary for streaming media services; session cookies used to store a user's preference, provided they are not linked to a persistent identifier; and ‘load balancing’ cookies, which help ensure that site content loads quickly and effectively by distributing the workload across numerous computers.
However, cookies that are used for social media plugins or tracking, site personalisation, advertising, cross-device tracking, research, or product improvement purposes will require user consent. Cookies that are used for more than one purpose attract the consent requirement unless all those purposes fall within the ‘strictly necessary’ exemption.
Another exception is the communication exemption, which relates to cookies that enable (not merely facilitate) the transmission of a communication over a network.
The new guidance also tightens the requirements for obtaining consent by pointing to the standards for valid consent under the GDPR: freely given, specific, informed, unambiguous and expressly given. Consent requests must be ‘clearly distinguishable from other matters’ and presented in an intelligible and easily accessible form, and the consent mechanism must allow data subjects to withdraw their consent at any time. Accordingly, continued use of the website does not constitute valid consent.
Before consent is given, users must be clearly informed about what cookies are in use (including any third-party cookies) and what function they perform. Further, before making a choice, users must also be prevented from accessing the website. For non-essential cookies, pre-ticked boxes or equivalent default fixtures are not allowed, and user access should not be denied if they do not consent to such cookies. The ICO is very specific about the placement, formatting and wording of cookie information and consent requests.
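The consent rules above (nothing granted by default, non-essential cookies withheld until an explicit choice, withdrawal possible at any time) can be enforced server-side with a small gate in front of the response's Set-Cookie headers. The following is an added example, not code from the ICO guidance or from this post; the cookie names, the purpose catalogue, the `cookie_consent` record format and the six-month consent lifetime are all constructed assumptions.

```python
from datetime import datetime, timezone

STRICTLY_NECESSARY = "strictly_necessary"

# Constructed catalogue for a hypothetical site: every cookie the site sets and its purpose.
# A cookie that is not listed is refused outright, which keeps the catalogue honest.
COOKIE_PURPOSES = {
    "sessionid": STRICTLY_NECESSARY,   # login session
    "basket": STRICTLY_NECESSARY,      # shopping basket for the current visit
    "csrftoken": STRICTLY_NECESSARY,   # security control
    "_analytics": "analytics",
    "_adid": "advertising",
    "theme": "personalisation",
}

CONSENT_COOKIE = "cookie_consent"                    # assumed name of the stored choice
NOW = datetime(2019, 7, 17, tzinfo=timezone.utc)     # fixed clock for reproducible output


class ConsentRecord:
    """The user's explicit choices. A missing record grants nothing: continued
    browsing or an untouched banner is never read as consent."""

    def __init__(self, granted=(), recorded_at=None):
        self.granted = set(granted)
        self.recorded_at = recorded_at

    @classmethod
    def from_request_cookie(cls, value):
        """Rebuild from the stored 'purpose,purpose|timestamp' value (assumed format)."""
        if not value:
            return cls()                             # no choice made yet
        purposes, _, stamp = value.partition("|")
        granted = {p for p in purposes.split(",") if p and p != STRICTLY_NECESSARY}
        return cls(granted, stamp or None)

    def grant(self, purposes, now=NOW):
        """Record an affirmative opt-in for the listed purposes only."""
        self.granted |= set(purposes) - {STRICTLY_NECESSARY}
        self.recorded_at = now.isoformat()

    def withdraw(self, purposes, now=NOW):
        """Withdrawal is as simple as granting: just drop the purposes."""
        self.granted -= set(purposes)
        self.recorded_at = now.isoformat()

    def to_set_cookie(self, max_age=15552000):       # six months, then ask again (assumption)
        value = ",".join(sorted(self.granted)) + "|" + (self.recorded_at or "")
        return f"{CONSENT_COOKIE}={value}; Path=/; Max-Age={max_age}; Secure; SameSite=Lax"


def permitted_headers(planned, consent):
    """Filter the Set-Cookie headers a response intends to send.

    planned: {cookie_name: header}. Strictly necessary cookies always pass; any other
    catalogued cookie passes only if its purpose is in the consent record; unknown
    cookies are withheld. Returns (allowed, withheld_names)."""
    allowed, withheld = {}, []
    for name, header in planned.items():
        purpose = COOKIE_PURPOSES.get(name)
        if purpose == STRICTLY_NECESSARY or (purpose and purpose in consent.granted):
            allowed[name] = header
        else:
            withheld.append(name)
    return allowed, withheld


def expiry_headers(purposes):
    """Set-Cookie headers that delete every catalogued cookie of the given purposes,
    so a withdrawal removes what was already set rather than only stopping new ones."""
    return [f"{name}=; Path=/; Max-Age=0" for name, p in COOKIE_PURPOSES.items() if p in purposes]


if __name__ == "__main__":
    planned = {"sessionid": "sessionid=abc; Path=/; Secure; HttpOnly",
               "_analytics": "_analytics=1; Max-Age=63072000"}
    record = ConsentRecord.from_request_cookie(None)
    print(permitted_headers(planned, record))        # only sessionid passes
    record.grant(["analytics"])
    print(permitted_headers(planned, record))        # now _analytics passes too
    print(expiry_headers(["analytics"]))             # what a withdrawal would send
```

The design point is that the consent record is a whitelist of purposes the user actively chose; there is no code path that sets a non-essential cookie without that purpose being present, and a withdrawal both updates the record and emits deletion headers for the affected cookies.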
Notably, the cookie rules do not apply in the same way to the intranet, which is unlikely to be a public electronic communications service.
Who is responsible for compliance? The default rule is that the person setting the cookie is primarily responsible for compliance with the requirements of PECR. For third-party cookies, both the online service provider and the third party have a responsibility for ensuring users are clearly informed about cookies and for obtaining consent. The ICO acknowledges that this is one of the most challenging areas in which to achieve compliance with PECR.
Cookie audit. The guidance provides a detailed list of actions to be taken for new and existing cookies.
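An audit starts with an inventory: for each cookie a site sets, whether it is a session or a persistent cookie, how long it lives, whether it is first- or third-party, and which protective attributes it carries. The snippet below, an added example and not the ICO's or this post's own code, classifies raw Set-Cookie headers on those axes; the sample headers, the `www.example.com` host and the fixed clock are constructed inputs, and the session/persistent split follows the definition given at the top of the post.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed Set-Cookie headers standing in for one site's responses (not real cookies).
SAMPLE_HEADERS = [
    "sessionid=9f3c1a; Path=/; Secure; HttpOnly; SameSite=Lax",
    "basket=item42; Path=/; Max-Age=3600; Secure",
    "_track=u8811; Domain=.ads.example.net; Path=/; Expires=Fri, 16 Jul 2021 00:00:00 GMT",
    "prefs=lang=en; Domain=example.com; Max-Age=63072000; Secure",
]
SITE_HOST = "www.example.com"                        # host the user actually visited (assumed)
NOW = datetime(2019, 7, 17, tzinfo=timezone.utc)     # fixed clock so lifetimes are reproducible


def parse_set_cookie(header):
    """Split one Set-Cookie header into name, value and lower-cased attributes."""
    first, *rest = header.split(";")
    name, _, value = first.strip().partition("=")    # value may itself contain '='
    attrs = {}
    for part in rest:
        if not part.strip():
            continue
        key, _, val = part.strip().partition("=")
        attrs[key.lower()] = val.strip() if val else True   # flags like Secure carry no value
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def lifetime_seconds(cookie, now):
    """Seconds until expiry, or None for a session cookie (no Max-Age and no Expires)."""
    attrs = cookie["attrs"]
    if "max-age" in attrs:                           # Max-Age takes precedence over Expires
        return int(attrs["max-age"])
    if "expires" in attrs:
        expires = parsedate_to_datetime(attrs["expires"])
        if expires.tzinfo is None:
            expires = expires.replace(tzinfo=timezone.utc)
        return int((expires - now).total_seconds())
    return None


def is_third_party(cookie, site_host):
    """True when the Domain attribute places the cookie outside the visited site."""
    domain = cookie["attrs"].get("domain")
    if not domain or domain is True:
        return False                                 # host-only cookie for the responding host
    domain = domain.lstrip(".").lower()
    host = site_host.lower()
    return not (host == domain or host.endswith("." + domain))


def classify(header, site_host=SITE_HOST, now=NOW):
    """One inventory row: kind, lifetime in days, party and security attributes."""
    cookie = parse_set_cookie(header)
    seconds = lifetime_seconds(cookie, now)
    return {
        "name": cookie["name"],
        "kind": "session" if seconds is None else "persistent",
        "lifetime_days": None if seconds is None else round(seconds / 86400, 1),
        "third_party": is_third_party(cookie, site_host),
        "secure": "secure" in cookie["attrs"],
        "httponly": "httponly" in cookie["attrs"],
        "samesite": cookie["attrs"].get("samesite", "unset"),
    }


def inventory(headers=SAMPLE_HEADERS, site_host=SITE_HOST, now=NOW):
    """Classify every header; the result is the starting table for a cookie audit."""
    return [classify(h, site_host, now) for h in headers]


if __name__ == "__main__":
    for row in inventory():
        print(row)
```

Run against real response headers, the rows that are persistent, third-party or long-lived are the ones that most need a documented purpose and a consent decision; the session, host-only rows are the candidates for the ‘strictly necessary’ exemption, which the inventory cannot decide on its own.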
Analytics cookies. These are not exempt from the consent requirement by default, because they are usually not ‘strictly necessary’. However, “this may not always be the case where the setting of a first-party analytics cookie results in a low level of intrusiveness and low risk of harm to individuals”.
Compliance deadline. No fixed term is specified in the guidance, but the ICO’s Head of Technology Policy, Ali Shah, has published a post instructing online service providers to “start taking steps to comply now”.
Other jurisdictions. The French data protection authority, CNIL, has announced that this month it will repeal its 2013 cookie recommendation, which has become outdated in some respects (in particular regarding the expression of consent), and publish guidelines outlining the applicable rules of law. Similar actions have been taken by the Dutch and German data protection authorities.
Image credits: Peter Hasselbom
ICO sheds light onto cookie requirements. Reviewed by Ieva Giedrimaite on Wednesday, July 17, 2019.