In July 2019, after admitting non-compliance with its previous guidance, the UK Information Commissioner's Office (ICO) published updated guidance to give businesses greater clarity on how the EU General Data Protection Regulation (GDPR) applies to cookies. The focal point of cookie regulation is consent, for which not only the ICO but also the Court of Justice of the European Union (CJEU) has put more stringent requirements in place. This article attempts to provide UK businesses with a clear summary of what must be respected when setting cookies on websites.
What is cookie law?
As prescribed by UK cookie law, businesses must have a sound legal basis for any processing of personal data carried out by means of cookies. Accordingly, a possible legal basis for setting cookies is either the user's valid consent or a legitimate interest (Art. 6(1) GDPR). However, the ICO emphasises that in most circumstances a legitimate interest is not the appropriate lawful basis. It repeats that cookies that are merely helpful or convenient, but not essential, or only essential for your own purposes, will still require consent. Businesses must therefore be aware that they are required to obtain consent for almost all cookies, unless an exception to the consent requirement applies, as provided by Regulation 6(4) PECR. The two exceptions to consent, in which a legitimate interest can provide a sufficient legal basis, are the following situations.
- Firstly, the consent requirement does not apply to the technical storage of, or access to, information for the sole purpose of carrying out the transmission of a communication over an electronic network. This exception refers to the “communication exemption”, meaning that for a communication to take place over a network, the communication “endpoints” must be identified to enable information routing over a network. The communication must be impossible without the use of the cookie.
How to comply with cookie law?
UK cookie law does not provide a definition of consent of its own and hence adopts the one provided in the GDPR. Accordingly, consent means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
Explicitly, valid consent means that it must be freely given, which implies giving people genuine choice and control over how businesses use their data. As affirmed by the ICO, companies must be aware that a full cookie wall, requiring users to “agree” or “accept” the setting of cookies before they can access the website’s content, is unlikely to represent freely given consent. The key is that users must be provided with a genuinely free choice. For that reason, consent should not be bundled up as a condition of the service unless it is considered necessary.
Furthermore, consent should be distinct and requires a positive action to opt-in, for instance, ticking a box or clicking a link. So-called “implied consent”, namely to interpret the continued use of a website as consent, cannot be considered valid as it does not amount to a clear and affirmative action. For the same reason, “pre-checked boxes” are invalid, as confirmed by the CJEU and the ICO.
Individuals must be informed comprehensively and clearly about the cookies in advance. Specifically, the information must cover the controller's name, the purposes of the processing and the types of processing activity. Most importantly, users should be able to understand the potential consequences of consenting to cookies. Among other things, businesses must explain the storage duration and who has access to which information. The language and level of detail must be appropriate so that the information is fully comprehensible. If third-party cookies are used, the third parties must be named and their processing purposes explained.
Recommendations for UK businesses
Businesses must take some conscious steps to ensure compliance with cookie regulations. Firstly, they must ensure that for all cookies placed on the website that do not fall within the scope of the "strictly necessary" or "communication" exemption, valid consent exists before personal data is processed. Businesses are also advised to follow the guidelines and developments on the ICO's website. Please also note Art. 5(2) GDPR, which sets out the accountability principle and requires businesses to be able to demonstrate compliance with data protection rules. Therefore, we advise companies to keep evidence of the measures taken to comply with the GDPR and to put in place technical and organisational measures to guarantee compliance.