The Information Commissioner’s Office has torn up its own advice on how firms can gather data through online cookies by issuing new guidelines which outlaw practices that even the regulator was following until just a week ago.
The publication of the new guidance on the use of cookies and similar technologies under GDPR comes nearly 14 months after the regulation was implemented.
It is not known how long the ICO has been working on the advice, although some commentators believe it only started the process after being forced to admit its own cookie policy was in breach of GDPR.
In a blogpost, ICO head of technology policy Ali Shah explained the main changes, which are:
Implied consent is out. With the GDPR standard of consent being much higher than under previous legislation, implied consent is no longer acceptable, whether it is for cookies or for processing personal data.
In practice this means website users must take a clear and positive action to consent to non-essential cookies, and pre-ticked boxes or any equivalents, such as sliders defaulted to ‘on’, cannot be used.
Websites and apps must also tell users clearly what cookies will be set and what they do, including any third-party cookies. Any cookies used for online advertising or web analytics also require prior consent.
Meanwhile users must have control over any non-essential cookies; these must not be set on landing pages before the user’s consent is gained.
Even analytics cookies need consent. As they are not part of the functionality the user requests when they use an online service – if analytics were not running, the user would still be able to access the service – analytics cookies are not strictly necessary and require consent.
Cookie walls are out (probably). The ICO claims that statements such as “by continuing to use this website you are agreeing to cookies” are not valid consent under the higher GDPR standard.
However, the regulator says it recognises there are some differing opinions as well as practical considerations around the use of partial cookie walls and said it will be seeking further submissions and opinions on this point “from interested parties”.
Legitimate interests are out. Reinforcing the rule that PECR always requires consent for non-essential cookies, such as those used for marketing and advertising, the ICO said the GDPR ‘legitimate interests’ basis cannot be relied upon as an alternative to that consent.
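What those points mean for the code behind a site can be shown directly. The following is an added example, not code from the ICO, the article, or any real site: a small consent gate in JavaScript that runs under Node with a Map standing in for document.cookie. The cookie names, categories and purposes are a constructed registry (an assumption for the example, not any site's inventory). It shows why ‘no pre-ticked boxes’, ‘no non-essential cookies on the landing page before consent’ and ‘tell the user what each cookie does’ are one design decision: optional categories default to off, every cookie write passes through a single gate that consults the registry, and the notice text is generated from the same registry.

```javascript
'use strict';

// Every cookie the site can set, with its category, origin and a plain-language
// purpose for the notice. Constructed sample registry for this example; the
// names and purposes are assumptions, not a real site's inventory.
const COOKIE_REGISTRY = [
  { name: 'session_id', category: 'essential',   thirdParty: false, purpose: 'keeps you signed in during your visit' },
  { name: 'csrf_token', category: 'essential',   thirdParty: false, purpose: 'protects forms against cross-site request forgery' },
  { name: '_ga',        category: 'analytics',   thirdParty: true,  purpose: 'web analytics visitor measurement' },
  { name: 'ad_id',      category: 'advertising', thirdParty: true,  purpose: 'ad network targeting identifier' },
];

// Categories the user can opt in to. 'essential' is deliberately absent: it
// never needs consent and never appears as a toggle.
const CONSENT_CATEGORIES = ['analytics', 'advertising'];

class ConsentManager {
  constructor() {
    // No pre-ticked boxes: every optional category starts off, and the only way
    // to switch one on is grant(), which the UI calls from an explicit control.
    this.granted = new Map(CONSENT_CATEGORIES.map((c) => [c, false]));
  }

  // Record a clear, positive action for the listed categories.
  grant(categories) {
    for (const c of categories) {
      if (!this.granted.has(c)) throw new Error(`'${c}' is not a consent category`);
      this.granted.set(c, true);
    }
  }

  // Withdrawal must be as easy as giving consent.
  revoke(categories) {
    for (const c of categories) {
      if (!this.granted.has(c)) throw new Error(`'${c}' is not a consent category`);
      this.granted.set(c, false);
    }
  }

  allows(category) {
    return category === 'essential' || this.granted.get(category) === true;
  }
}

// Single choke point for cookie writes. `jar` is a Map standing in for
// document.cookie so the example runs under Node; in a browser the write would
// be document.cookie = ... behind the same gate.
function setCookie(jar, consent, name, value) {
  const entry = COOKIE_REGISTRY.find((c) => c.name === name);
  if (!entry) {
    // A cookie that is not in the registry cannot be described in the notice,
    // so it is refused rather than silently set.
    throw new Error(`'${name}' is not in the cookie registry`);
  }
  if (!consent.allows(entry.category)) return false; // not consented: nothing is set
  jar.set(name, value);
  return true;
}

// After a revoke(), remove every cookie whose category is no longer allowed.
function purgeWithdrawn(jar, consent) {
  const removed = [];
  for (const name of [...jar.keys()]) {
    const entry = COOKIE_REGISTRY.find((c) => c.name === name);
    if (!entry || !consent.allows(entry.category)) {
      jar.delete(name);
      removed.push(name);
    }
  }
  return removed;
}

// Lines for the cookie notice: name, purpose, category and whether it is
// third-party, so the user is told what will be set and what it does.
function noticeLines() {
  return COOKIE_REGISTRY.map(
    (c) => `${c.name}: ${c.purpose} [${c.category}${c.thirdParty ? ', third party' : ''}]`,
  );
}

// Simulates the first request to a landing page. The analytics tag fires on
// every page, but with a fresh ConsentManager only the essential cookies land.
function landingPageLoad(jar, consent) {
  setCookie(jar, consent, 'session_id', 's-1');
  setCookie(jar, consent, 'csrf_token', 't-1');
  setCookie(jar, consent, '_ga', 'GA1.1.1'); // skipped until the user opts in
  return [...jar.keys()];
}

if (typeof require !== 'undefined' && require.main === module) {
  const jar = new Map();
  const consent = new ConsentManager();
  console.log('after landing page:', landingPageLoad(jar, consent));
  consent.grant(['analytics']);
  setCookie(jar, consent, '_ga', 'GA1.1.1');
  console.log('after opting in to analytics:', [...jar.keys()]);
  consent.revoke(['analytics']);
  console.log('purged after withdrawal:', purgeWithdrawn(jar, consent));
  console.log(noticeLines().join('\n'));
}
```

The registry is the artefact the ICO's ‘cookie audit’ produces: once every cookie is listed with a category and purpose, the gate, the notice and the purge on withdrawal all derive from it, and an unlisted cookie fails loudly instead of slipping onto the landing page.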
Shah went on to say that for many companies “very little may change” but admitted that “for others, more work will have to be done”. He warned: “You should start taking steps to comply now.”
As for enforcement, the regulator insists that “cookie compliance will be an increasing regulatory priority for the ICO in the future”. However, Shah added that “future action would be proportionate and risk-based”.
The regulator concluded: “Start working towards compliance now – undertake a cookie audit, document your decisions, and you will have nothing to fear.”