The Information Commissioner’s Office (ICO) has published guidance on cookies and similar technologies, in particular the use of “non-essential” cookies. This is relevant to any organisation that operates an online service, such as a website or a mobile app, so if you have one we recommend you keep reading. This blog post looks at the scope of an organisation’s use of cookies in light of privacy regulations, in particular the General Data Protection Regulation (GDPR) and the Privacy and Electronic Communications Regulations (PECR).

Let’s begin...

GDPR protects personal information about individuals and gives the individual rights to control how their data is used. Among other things, PECR governs how organisations may make electronic communications, including sending marketing emails or text messages or serving tailored online advertising. Both pieces of legislation are regulated by the Information Commissioner’s Office, and both require organisations to inform individuals how their data is used.

What is a cookie?

A cookie is a small text file that is downloaded onto ‘terminal equipment’ (e.g. a computer or smartphone) when the user accesses a website. It allows the website to recognise the user’s device and store some information about the user’s preferences or past actions. The rules apply to “non-essential” cookies, which include advertising cookies and those set by third parties. There are exceptions to the legislative requirements, for example for cookies that are essential to provide an online service at someone’s request. These types of cookies are called session cookies and must be “strictly necessary”, meaning the cookie is either necessary for technical purposes to allow the communication to take place, or needed to provide a service the user has requested. Usual examples of “essential” cookies are those used to remember what is in a user’s online basket, to ensure security in online banking, or a security cookie for a requested service.

What are organisations required to do? 

If an organisation is using cookies on its website, it must comply with two main pieces of legislation, GDPR and PECR, which have the similar purpose of protecting users’ information, whether personal or company information, and giving users control over how that information can be used by other parties (such as for marketing purposes). The cookie rules apply whether the information being processed is personal information or anonymised. However, if personal data is being processed, the obligations under GDPR must also be complied with. The basic rules on the use of cookies are that organisations must tell individuals, in a “clear and comprehensive” way, about the use of cookies, including:
  • detailing the purposes of the cookies that are being used on a website;
  • explaining what the cookies are doing and why; and
  • getting the individual’s consent to store a cookie on their device.
The same rules also apply if other types of technology are used to store or gain access to information on someone’s device. This information requirement and consent gathering does not need to be repeated each time an individual uses a website. However, as a number of individuals may access the same device, organisations should still repeat the information-giving process at suitable intervals, so that they can evidence that all individuals are aware and have given (or refused) their consent. Organisations may need to obtain fresh consent if their use of cookies changes over time.

What is consent?

The ICO’s guidance helps organisations move away from the previously non-compliant reliance on implied consent, where individuals had to “opt out” of cookie use. Both regulations require that consent be actively and clearly given. This may mean that the individual signs up for a mailing list or ticks a box agreeing to have their information used in a particular way. The organisation must make clear exactly what purpose the information will be used for (for example being added to a mailing list or shared with third parties), as well as giving the individual control over how they will receive any communications (e.g. text and SMS) if consent to receive communications is given. Information about consent must be made clear and easily accessible, so hiding a cookies statement at the end of a Privacy Notice may not be sufficient unless a link to the appropriate section is given.

Recommendations

The ICO has issued the following word of warning: “Cookie compliance will be an increasing regulatory priority for the ICO in the future. However, as is the case with all our powers, any future action would be proportionate and risk-based.” We recommend that organisations carry out an audit of their use of cookies, including looking at whether the cookies are “essential” or “non-essential”, and how their use is communicated to individuals. In particular, website owners are advised to maintain “cookie walls”, where the landing page of a website does not contain cookies, so that users may access initial pages before deciding whether to proceed further. Any steps taken should be recorded, as organisations must be accountable for the actions they take. Our lawyers provide expert legal advice to your business to ensure that your documents, including your websites and contracts, are appropriate and robust. We also offer to review your terms and conditions and recommend updates and improvements to make them more effective and better suited to your business. For more information, or for advice on the use of cookies and what steps your business should take to comply with the regime, including drafting or amending your Privacy Notice or compliance documents, please get in touch with us here.

The author of this blog article is Rachel Robinson. Rachel Robinson has over 20 years’ experience of providing company commercial law advice, including drafting contracts, data protection and competition law, to organisations of all sizes, ranging from FTSE 100 companies to owner-managed small businesses.

In closing

Nothing in this article constitutes legal advice on which you should rely. The article is provided for general information purposes only. Professional legal advice should always be sought before taking any action relating to or relying on the content of this article. Our Platform Terms of Use apply to this article.
