It is now over a year since the implementation of EU GDPR, and the most recent area to come under the spotlight of the Information Commissioner’s Office (ICO) is that of internet cookies. On 3rd July, after realising that its own website did not comply with cookie legislation, the ICO published its updated expectations on consent and information with regard to cookies.
What are cookies?
‘Cookies’ refers to a technology that stores information between visits to the same website or, occasionally, across visits to different websites. Cookies are used both to improve ease of use for visitors and to provide analytical information to website operators. For example, a cookie can remember log-in details for convenience, or search preferences across websites.
Some cookies are ‘strictly necessary’ for the website to work in a functional and secure manner. Other cookies, for example those used to analyse website traffic for advertising, may be ‘necessary’ in the eyes of website operators but are not ‘strictly necessary’ in law.
What are the key points?
The main point to understand is that users must have control over their consent choices; this is the first of several related points.
Secondly, giving ‘yes’ or ‘accept’ options greater prominence than ‘no’ or ‘decline’ options has been deemed inappropriate, because such ‘nudge behaviour’ is designed to influence users towards accepting non-essential cookies. Regardless of whether these cookies are helpful to website operators or non-intrusive, consent must still be sought without influencing the user in any way.
Thirdly, using ‘cookie walls’ to restrict access to a website until the user gives consent is generally unacceptable. When a user is forced to accept non-essential cookies (e.g. for third-party analysis) in order to access the site, this does not represent genuine consent. Having said this, whether a cookie wall is acceptable depends on the specific case: it may be deemed appropriate for a site using only strictly necessary cookies. However, pop-ups or banners are the safer option here.
The other key aspect of the updated ICO expectations is that consent must be informed.
In particular, consent must be ‘granular’, meaning that each individual type of non-essential cookie is agreed to separately. This avoids ‘bundled consent’ and gives the user precise knowledge of what they are agreeing to.
In summary, according to GDPR legislation, consent should be:
- freely given (i.e. no ‘nudge behaviour’ or cookie walls which force consent)
- unambiguous (i.e. no ‘implied consent’ if the user ignores the pop-up or banner)
- specific (i.e. a ‘granular’ approach detailing each individual type of non-essential cookie)
- informed (i.e. the user is told the purpose and duration of each type of cookie)
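The four requirements above translate fairly directly into the logic a website’s consent mechanism has to implement. The following is an added example (not code from the article or from Navigator) showing one way to model them: a constructed cookie catalogue with made-up category names, a consent record that is only honoured after an explicit decision, per-category choices even when the user clicks ‘accept all’, and a simple check that the banner does not give one button more prominence than the other. It runs under Node.js with no browser APIs.

```javascript
// Added example: a minimal consent model for the GDPR/ICO requirements
// (freely given, unambiguous, specific, informed). Not from the article.

// Constructed cookie catalogue (hypothetical names). Purpose and duration are
// stored here because the banner must show both for consent to be "informed".
const COOKIE_CATALOGUE = {
  session: {
    strictlyNecessary: true,
    purpose: 'Keeps you logged in and protects forms against cross-site request forgery',
    duration: 'Until you close your browser',
  },
  analytics: {
    strictlyNecessary: false,
    purpose: 'Measures which pages are visited (third-party analytics)',
    duration: '2 years',
  },
  advertising: {
    strictlyNecessary: false,
    purpose: 'Shows adverts based on your browsing',
    duration: '13 months',
  },
};

// Consent record as stored after the banner is shown. `status` becomes
// 'decided' only after an explicit click; a banner that was ignored or
// scrolled past stays 'pending' and must never count as consent ("unambiguous").
function emptyConsent() {
  return { status: 'pending', choices: {} };
}

// Granular decision: each non-essential category is agreed or declined on its own
// ("specific"). Strictly necessary cookies need no consent, so the record is unchanged.
function recordChoice(consent, category, granted) {
  const entry = COOKIE_CATALOGUE[category];
  if (!entry) throw new Error(`unknown cookie category: ${category}`);
  if (entry.strictlyNecessary) return consent;
  return {
    status: 'decided',
    choices: { ...consent.choices, [category]: granted === true },
  };
}

// 'Accept all' and 'Reject all' buttons still write one choice per category,
// so the stored record is never a single bundled yes/no.
function recordAll(consent, granted) {
  return Object.keys(COOKIE_CATALOGUE)
    .filter((c) => !COOKIE_CATALOGUE[c].strictlyNecessary)
    .reduce((acc, c) => recordChoice(acc, c, granted), consent);
}

// The gate every cookie-setting code path should pass through.
function mayUse(consent, category) {
  const entry = COOKIE_CATALOGUE[category];
  if (!entry) return false;                        // unknown category: never set it
  if (entry.strictlyNecessary) return true;        // exempt from consent
  if (consent.status !== 'decided') return false;  // ignoring the banner is not consent
  return consent.choices[category] === true;       // unrecorded category = not consented
}

// Data the banner renders: purpose and duration per category ("informed").
function describeCategories() {
  return Object.entries(COOKIE_CATALOGUE).map(([name, e]) => ({
    name,
    purpose: e.purpose,
    duration: e.duration,
    requiresConsent: !e.strictlyNecessary,
  }));
}

// Layout check against "nudge behaviour": accept and decline must both exist and
// share the same style and size. `buttons` is a constructed description of the UI.
function bannerIsBalanced(buttons) {
  const accept = buttons.find((b) => b.action === 'accept');
  const decline = buttons.find((b) => b.action === 'decline');
  if (!accept || !decline) return false;
  return accept.style === decline.style && accept.size === decline.size;
}

// Walk-through on constructed input.
const shown = emptyConsent();
console.log('analytics allowed while banner ignored:', mayUse(shown, 'analytics'));
const decided = recordChoice(shown, 'analytics', true);
console.log('analytics allowed after explicit opt-in:', mayUse(decided, 'analytics'));
console.log('advertising allowed (never chosen):', mayUse(decided, 'advertising'));
console.log('banner text:', describeCategories());
```

The point of routing every `document.cookie` write (or analytics script load) through `mayUse` is that a category the user never explicitly chose, or a banner that was dismissed by scrolling, both fall through to `false`; the ‘strictly necessary’ exemption is the only path that returns `true` without a recorded decision.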
What should organisations do about this?
As always, Navigator can provide support and assistance in this area, enabling organisations to progress towards further GDPR compliance.
If you have any queries on the above article, please contact Scott McCrory-Irving.
For those interested in how to make their organisation more GDPR compliant, check out Navigator’s ‘One Year On’ GDPR public workshop in August. This practical session provides a refresher of GDPR legislation, as well as discussing the updates to cookies and other topics in more detail. Attendees are encouraged to send in queries beforehand to allow us to tailor the session to their specific organisations.
Find the flyer for both dates below, or email email@example.com for further information.
Thursday 15th August (Glasgow): ‘One Year On’ – GDPR Refresher and Update Workshop
This session focuses specifically on Independent Schools.
Wednesday 28th August (Edinburgh): ‘One Year On’ – GDPR Refresher and Update Workshop
This session is appropriate for all organisations.