  • December 05, 2019

How does the Cookie crumble? ICO Guidance on Cookies

By Lawbite Team

The Information Commissioner’s Office (ICO) has published guidance on Cookies and similar technologies, in particular the use of “non-essential” Cookies. This is relevant to organisations that operate an online service, such as a website or a mobile app, so if you have one we recommend that you keep reading. This blog post looks at the scope of an organisation’s use of Cookies in light of privacy regulations, in particular the General Data Protection Regulation (GDPR) and the Privacy and Electronic Communications Regulations (PECR).

Let’s begin...

GDPR protects personal information about individuals and gives the individual rights to control how their data is used. Among other things, PECR relates to how organisations can make electronic communications, including sending marketing emails or text messages or tailored online advertising. Both pieces of legislation are regulated by the Information Commissioner’s Office, and require organisations to inform individuals how their data is used.

What is a cookie?

A cookie is a small text file that is downloaded onto ‘terminal equipment’ (e.g. a computer or smartphone) when the user accesses a website. It allows the website to recognise the user’s device and store some information about the user’s preferences or past actions. The rules apply to “non-essential” Cookies, which include advertising cookies or those set by third parties. There are exceptions to the legislative requirements, for example for cookies that are essential to provide an online service at someone’s request. These types of Cookies are called session cookies and must be “strictly necessary”, meaning that the cookie is either necessary for technical purposes to allow communication to take place, or needed to provide a service the user has requested. Usual examples of “essential” cookies are those used to help users remember what’s in their online basket, or to ensure security in online banking, or a security cookie for a requested service.

What are organisations required to do? 

If an organisation is using Cookies on its website, it must comply with two main pieces of legislation, GDPR and PECR, which have the similar purpose of protecting users' information, whether it is personal or company information, and giving users control over how that information can be used by other parties (such as for marketing purposes). The Cookies regulations apply whether the information being processed is personal information or anonymised. However, if personal data is being processed, the obligations under GDPR must also be complied with. The basic rules on the use of Cookies are that organisations must tell individuals, in a “clear and comprehensive” way, about the use of cookies, including:
  • detailing information about the purposes of the cookies that are being used on a website;
  • explaining what the cookies are doing and why; and
  • getting the individual’s consent to store a Cookie on their device.
The same rules also apply if other types of technology are used to store or gain access to information on someone’s device. This information requirement and consent gathering doesn’t need to be repeated each time an individual uses a website. However, as a number of individuals may access the same device, organisations should still regularly repeat the information-giving process at suitable intervals, so that they can evidence that all individuals will be aware and have given (or refused) their consent. Organisations may need to obtain fresh consent if their use of cookies changes over time.

What is consent?

The ICO’s guidance helps organisations change their behaviour from previously non-compliant reliance on implied consent, where individuals had to “opt-out” of their use. The regulations both require that consent must be actively and clearly given. This may mean that the individual signs up for a mailing list or ticks a box agreeing to have their information used in a particular way. The organisation must make it clear exactly what purpose the information will be used for (for example being added to a mailing list or shared with third parties), as well as giving the individual control over how they will receive any communications (e.g. text and SMS) if consent is given to receive communications. Information about consent must be made clear and easily accessible – so hiding a Cookies statement at the end of a Privacy Notice may not be sufficient unless a link to the appropriate section is given.

Recommendations

The ICO has issued the following word of warning: “Cookie compliance will be an increasing regulatory priority for the ICO in the future. However, as is the case with all our powers, any future action would be proportionate and risk-based.” We recommend that organisations carry out an audit of the use of Cookies, including looking at whether the Cookies are “essential” or “non-essential”, and how their use is communicated to individuals. In particular, website owners are advised to maintain “Cookie walls”, where the landing page of a website doesn’t contain Cookies so that users may access initial pages before making a decision whether to proceed further. Any steps taken should be recorded, as organisations must be accountable for actions taken.

Our lawyers provide expert legal advice to your business to ensure that your documents, including your websites and contracts, are appropriate and robust. We also offer to review your terms and conditions and recommend updates and improvements to make them more effective and better suited to your business. For more information, or for advice on the use of Cookies and what steps your business should take to comply with the regime, including drafting or amending your Privacy Notice or compliance documents, please get in touch with us here.

The author of this blog article is Rachel Robinson. Rachel Robinson has over 20 years’ experience of providing company commercial law advice, including drafting contracts, data protection and competition law, to organisations of all sizes, ranging from FTSE100 companies to owner-managed small businesses.

In closing

Nothing in this article constitutes legal advice on which you should rely. The article is provided for general information purposes only. Professional legal advice should always be sought before taking any action relating to or relying on the content of this article. Our Platform Terms of Use apply to this article.
