At the beginning of this month, the UK's Information Commissioner's Office (ICO) published its much-awaited new guidance on the use of cookies and similar technologies for storing information on, and accessing information stored on, a user's equipment, such as a computer or mobile device. It is primarily addressed to the providers and operators of online services, such as websites and mobile apps, and gives more clarity and certainty about how cookies may be used as part of such services.
What is a cookie?
A cookie is a small text file that is downloaded onto a user's device while accessing a website. It allows the website to recognise that device and to store certain information about the user's preferences or past actions. Some cookies are transient (session cookies), i.e. they are deleted at the end of a browsing session, while others are retained on the device for extended periods (usually expiring after one or two years) and can provide websites with the user's preferences, authentication state, settings, browsing behaviour and other user-specific information on future visits (persistent cookies). It goes without saying that this technology may have significant privacy implications for users.
Current UK cookie law
The Privacy and Electronic Communications Regulations (PECR), which sit alongside the Data Protection Act (DPA) and the General Data Protection Regulation (GDPR), impose specific rules on electronic communications, including marketing solicitation, traffic and location data, itemised billing, line identification, directory listings, and the use of cookies. Where PECR applies, it takes precedence over the DPA and the GDPR. However, nothing in PECR relieves a person of their obligations under the data protection legislation in relation to the processing of personal data.
This Kat has unambiguously consented to cookies
PECR has been in a protracted process of being updated, and many online service providers have either waited on the sidelines or adopted divergent approaches when implementing cookie compliance measures. The updated guidance will presumably resolve the outstanding ambiguities, effectively leaving companies no scope to defer compliance further.
Consent requirements
As a general rule, consent is mandatory for those cookies that are not strictly necessary for the provision of a service. The 'strictly necessary' exemption is to be construed narrowly: storage of (or access to) information must be essential, rather than reasonably necessary or merely important. That necessity is also limited to the specific service requested by the user and does not extend to any other potential uses anticipated by the service provider.
Likewise, 'strictly necessary' is to be interpreted from the user's perspective, not the provider's, subject to the provider's obligations stemming from other applicable legislation, such as data security requirements.
The ICO has provided specific examples of activities that would likely satisfy the 'strictly necessary' exemption, namely: a session cookie used to remember a shopping basket or to complete a form; first-party site-access authentication session cookies, such as those used by online banking services; first-party cookies used for security purposes, such as detecting repeated failed login attempts (these may be persistent in nature); video/audio-related cookies that are necessary for streaming media services; session cookies used to store a user's preferences, provided they are not linked to a persistent identifier; and 'load balancing' cookies, which help ensure that site content loads quickly and reliably by distributing the workload across numerous computers.
Source: ICO
However, cookies that are used for social media plugins or tracking, site personalisation, advertising, cross-device tracking, research, or product improvement purposes will require user consent. Cookies that are used for more than one purpose attract the consent requirement unless all of those purposes fall within the 'strictly necessary' exemption.
Another exception is the communication exemption, which covers cookies that enable (not merely facilitate) the transmission of a communication over a network.
The ICO has developed an online tool that may prove useful when determining whether consent applies to a given use of cookies.
The new guidance also tightens the requirements for obtaining consent by pointing to the standards for valid consent under the GDPR: freely given, specific, informed, unambiguous and expressly given. Consent requests must be 'clearly distinguishable from other matters' and presented in an intelligible and easily accessible form, and the consent mechanism must allow data subjects to withdraw their consent at any time. Accordingly, continued use of the website does not constitute valid consent.
Before consent is given, users must be clearly informed about which cookies are in use (including any third-party cookies) and what function they perform. Further, users must not be given access to the website before they have made a choice. For non-essential cookies, pre-ticked boxes or equivalent default settings are not allowed, and users must not be denied access if they do not consent to such cookies. The ICO is very specific about the placement, formatting and wording of cookie information and consent requests.
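The consent rules above translate directly into how a site should gate the cookies it sets. The following is an added illustration, not code from the ICO guidance or from this post: strictly necessary cookies are placed without asking, every other cookie is tied to a purpose and held back until the user has actively opted in to that purpose (the default is no consent, never a pre-ticked box), and withdrawing consent deletes the cookies already placed for that purpose. The `jar` interface and the purpose names are assumptions made so the logic runs outside a browser.

```javascript
// Added example (not the ICO's or the post's code). The jar interface
// { set(name, value), remove(name) } is a hypothetical abstraction.
const STRICTLY_NECESSARY = "strictly-necessary";

class ConsentGate {
  constructor(jar) {
    this.jar = jar;
    this.granted = new Set();  // purposes the user has actively opted in to
    this.pending = new Map();  // purpose -> cookies waiting for consent
    this.placed = new Map();   // purpose -> names of cookies actually set
  }

  // Returns true if the cookie was set, false if it was deferred.
  setCookie(name, value, purpose) {
    if (purpose !== STRICTLY_NECESSARY && !this.granted.has(purpose)) {
      // No consent for this purpose yet: record the request, touch nothing.
      if (!this.pending.has(purpose)) this.pending.set(purpose, []);
      this.pending.get(purpose).push({ name, value });
      return false;
    }
    this.jar.set(name, value);
    if (!this.placed.has(purpose)) this.placed.set(purpose, new Set());
    this.placed.get(purpose).add(name);
    return true;
  }

  // Call only from an explicit user action (ticking an unticked box).
  grant(purpose) {
    this.granted.add(purpose);
    const deferred = this.pending.get(purpose) || [];
    this.pending.delete(purpose);
    for (const c of deferred) this.setCookie(c.name, c.value, purpose);
  }

  // Withdrawal must be possible at any time and undoes the placement.
  withdraw(purpose) {
    this.granted.delete(purpose);
    for (const name of this.placed.get(purpose) || []) this.jar.remove(name);
    this.placed.delete(purpose);
  }
}

// Browser adapter backed by document.cookie, and an in-memory jar for tests.
const browserJar = {
  set: (n, v) => { document.cookie = `${n}=${encodeURIComponent(v)}; path=/`; },
  remove: (n) => { document.cookie = `${n}=; Max-Age=0; path=/`; },
};
function memoryJar() {
  const store = new Map();
  return { set: (n, v) => store.set(n, v), remove: (n) => store.delete(n), store };
}
```

Note that a deferred analytics or advertising cookie is never written to the device until `grant` is called, so simply continuing to browse changes nothing.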
Notably, the cookie rules do not apply in the same way to an intranet, which is unlikely to be a public electronic communications service.
Other considerations
Who is responsible for compliance? The default rule is that the person setting the cookie is primarily responsible for compliance with the requirements of PECR. For third-party cookies, both the online service provider and the third party are responsible for ensuring that users are clearly informed about the cookies and for obtaining consent. The ICO acknowledges that this is one of the most challenging areas in which to achieve compliance with PECR.
Cookie audit. The guidance provides a detailed list of actions to be taken for new and existing cookies.
Analytics cookies. These are not exempt from the consent requirement by default, because they usually do not amount to being 'strictly necessary'. However, "this may not always be the case where the setting of a first-party analytics cookie results in a low level of intrusiveness and low risk of harm to individuals".
Compliance deadline. No fixed term is specified in the guidance, but the ICO's Head of Technology Policy, Ali Shah, has published a post instructing online service providers to "start taking steps to comply now".
Other jurisdictions. The French data protection authority, CNIL, has announced that this month it will repeal its 2013 cookie recommendation, which has become outdated in some respects (in particular regarding the expression of consent), and publish guidelines outlining the applicable rules of law. Similar actions have been taken by the Dutch and German data protection authorities.
Image credits: Peter Hasselbom
ICO sheds light onto cookie requirements, reviewed by Ieva Giedrimaite on Wednesday, July 17, 2019