It is now over a year since the implementation of the EU GDPR, and the most recent area to come under the spotlight of the Information Commissioner’s Office (ICO) is that of internet cookies. On 3rd July, after realising that its own website did not comply with cookie legislation, the ICO published its updated expectations surrounding consent and information with regard to cookies.
What are cookies?
The term ‘cookies’ refers to a technology that stores information in the user’s browser between visits to the same website or, occasionally, across visits to different websites. Cookies are used both to improve the user’s experience and to provide analytical information to website operators. For example, a cookie can remember log-in details for ease of use, or retain search preferences across websites.
Some cookies are ‘strictly necessary’ in order for the website to work in a functional and secure manner. Other cookies, for example those used to analyse website traffic for advertising, are not ‘strictly necessary’ in law, even though website operators may regard them as necessary.
What are the key points?
Consent
The main point to understand is that users must have control over their choices for consent. This has a number of implications.
Firstly, organisations should no longer use statements such as “by continuing to use this website you are agreeing to the use of cookies”, because this amounts to ‘implied consent’ on the part of the user. For example, if the user ignores the pop-up and clicks through to the website, this cannot be treated as cookies having been accepted by default. Likewise, pre-ticked boxes or sliders defaulted to ‘yes’ for cookies which are not ‘strictly necessary’ are also inappropriate: the user must actively select ‘yes’ to consent to non-essential cookies.
Secondly, giving the ‘yes’ or ‘accept’ option greater prominence than the ‘no’ or ‘decline’ option has been deemed inappropriate, because this ‘nudge behaviour’ is designed to steer users towards accepting non-essential cookies. Regardless of whether these cookies are helpful to website operators, or non-intrusive, consent should still be sought in a way that does not influence the user’s choice.
Thirdly, using ‘cookie walls’ to restrict access to the website until the user gives consent is generally unacceptable. When a user is forced to accept non-essential cookies (e.g. for third-party analysis) in order to access the site, this does not represent genuine consent. Having said this, the acceptability of a cookie wall depends on the specific case: it may be deemed appropriate for sites using only strictly necessary cookies. However, using pop-ups or banners is likely to be the safest option here.
Information
The other key aspect of the updated ICO expectations is that consent must be informed.
Firstly, consent must be ‘granular’, whereby each individual type of non-essential cookie is agreed to separately. This avoids ‘bundled consent’ and gives the user precise knowledge of what they are agreeing to.
Secondly, and related to this, information about the purpose and duration of each type of cookie should be accessible to the user when they first visit the site. This might be provided through a link to the cookie policy in the initial pop-up or banner. This basic information allows the user to make a more informed choice about whether to accept particular cookies. Providing a link to a ‘more information’ page is perfectly acceptable, but organisations should try to ‘front load’ the key information so that nothing is left to assumption.
In summary, according to GDPR legislation, consent should be:
- freely given (i.e. no ‘nudge behaviour’ or cookie walls which force consent)
- unambiguous (i.e. no ‘implied consent’ if the user ignores the pop-up or banner)
- specific (i.e. a ‘granular’ approach detailing each individual type of non-essential cookie)
- informed (i.e. provided with the purpose and duration of each type of cookie)
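As an added illustration (this is not part of the original article, and the category names, purposes and durations are constructed sample values), the following JavaScript shows how the four properties above translate into something an engineer can test: non-essential cookie categories start switched off, only an explicit user choice changes them, the code that sets cookies is gated on that recorded state, the banner front-loads purpose and duration, and a small audit function flags the banner patterns described above (cookie walls, implied consent, pre-ticked boxes, missing reject options and unequal prominence).

```javascript
// Constructed sample categories. 'essential' stands for the strictly necessary
// cookies (e.g. session state); the others are non-essential and need opt-in.
const COOKIE_CATEGORIES = {
  essential:   { strictlyNecessary: true,  purpose: 'Keeps you logged in and protects forms', duration: 'Session' },
  analytics:   { strictlyNecessary: false, purpose: 'Aggregate traffic measurement',          duration: '13 months' },
  advertising: { strictlyNecessary: false, purpose: 'Third-party advertising personalisation', duration: '12 months' },
};

// Unambiguous: every non-essential category starts as false (no pre-ticked boxes).
function initialConsent() {
  const state = {};
  for (const [name, meta] of Object.entries(COOKIE_CATEGORIES)) {
    state[name] = meta.strictlyNecessary;
  }
  return state;
}

// Specific / granular: only an explicit per-category choice changes the state.
// Any other event (continuing to browse, scrolling, dismissing the banner) is
// implied consent at best and leaves the state untouched.
function applyUserChoice(state, event) {
  const next = { ...state };
  if (event.type !== 'explicit-choice') return next;
  for (const [category, accepted] of Object.entries(event.choices || {})) {
    const meta = COOKIE_CATEGORIES[category];
    if (!meta || meta.strictlyNecessary) continue; // unknown or essential: not toggleable
    next[category] = accepted === true;            // anything but a literal true is a refusal
  }
  return next;
}

// Gate used by the code that actually writes cookies: strictly necessary
// cookies are always allowed, everything else only with recorded consent.
function mayStoreCookie(state, category) {
  const meta = COOKIE_CATEGORIES[category];
  if (!meta) return false;
  return meta.strictlyNecessary || state[category] === true;
}

// Informed: the purpose and duration to front-load in the first banner.
function bannerDisclosure() {
  return Object.entries(COOKIE_CATEGORIES).map(([name, meta]) => ({
    category: name, purpose: meta.purpose, duration: meta.duration, optional: !meta.strictlyNecessary,
  }));
}

// Freely given: audit a banner configuration for the patterns the ICO objects to.
// config.controls maps a category to { preselected, accept: {prominence}, reject: {prominence} | null }.
function auditBannerConfig(config) {
  const issues = [];
  if (config.blocksSiteUntilConsent) issues.push('cookie wall: site access must not depend on accepting non-essential cookies');
  if (config.impliedConsentOnContinue) issues.push('implied consent: continuing to browse must not count as agreement');
  const controls = config.controls || {};
  for (const [name, meta] of Object.entries(COOKIE_CATEGORIES)) {
    if (meta.strictlyNecessary) continue;
    const ctl = controls[name];
    if (!ctl) { issues.push(`${name}: no granular control offered`); continue; }
    if (ctl.preselected) issues.push(`${name}: consent control is pre-selected`);
    if (!ctl.reject) issues.push(`${name}: no reject option`);
    else if (ctl.accept.prominence > ctl.reject.prominence) issues.push(`${name}: accept is more prominent than reject (nudge)`);
  }
  return issues;
}

// Constructed sample banners for the audit.
const NON_COMPLIANT_BANNER = {
  blocksSiteUntilConsent: true,
  impliedConsentOnContinue: true,
  controls: {
    analytics:   { preselected: true,  accept: { prominence: 2 }, reject: { prominence: 1 } },
    advertising: { preselected: false, accept: { prominence: 1 }, reject: null },
  },
};
const COMPLIANT_BANNER = {
  blocksSiteUntilConsent: false,
  impliedConsentOnContinue: false,
  controls: {
    analytics:   { preselected: false, accept: { prominence: 1 }, reject: { prominence: 1 } },
    advertising: { preselected: false, accept: { prominence: 1 }, reject: { prominence: 1 } },
  },
};

// Usage: walk one visitor through the flow.
let consent = initialConsent();
consent = applyUserChoice(consent, { type: 'continue-browsing' });           // no change
consent = applyUserChoice(consent, { type: 'explicit-choice', choices: { analytics: true } });
console.log(bannerDisclosure());
console.log('analytics allowed:', mayStoreCookie(consent, 'analytics'));     // true
console.log('advertising allowed:', mayStoreCookie(consent, 'advertising')); // false
console.log(auditBannerConfig(NON_COMPLIANT_BANNER));
```

The point of keeping the consent state separate from the cookie-writing code is that the gate in `mayStoreCookie` is the only place that needs to be right: analytics and advertising scripts call it before setting anything, so a banner defect cannot silently turn into non-essential cookies being stored without an affirmative choice.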
What should organisations do about this?
We would recommend that organisations review their website cookie policy, and consider whether the manner in which consent is gained from users is appropriate to the data required.
As always, Navigator can provide support and assistance in this area, enabling organisations to progress towards further GDPR compliance.
If you have any queries on the above article, please contact Scott McCrory-Irving.
For those interested in how to make their organisation more GDPR compliant, check out Navigator’s ‘One Year On’ GDPR public workshop in August. This practical session provides a refresher of GDPR legislation, as well as discussing the updates to cookies and other topics in more detail. Attendees are encouraged to send in queries beforehand to allow us to tailor the session to their specific organisations.
Find the flyer for both dates below, or email enquiries@navigatorlaw.co.uk for further information.
Thursday 15th August (Glasgow): ‘One Year On’ – GDPR Refresher and Update Workshop
This session focuses specifically on Independent Schools.
Wednesday 28th August (Edinburgh): ‘One Year On’ – GDPR Refresher and Update Workshop
This session is appropriate for all organisations.