New ICO Cookies Guidance Published
The Information Commissioner’s Office (ICO) in the UK has updated its guidance to ensure organisations better understand how the General Data Protection Regulation (GDPR) applies to cookies and similar technologies.
Since the introduction of GDPR in early 2018, there has been a great deal of uncertainty surrounding what is and what isn’t compliant. This isn’t the first time we’ve discussed cookies and compliance. Make sure to check out our 2018 post on GDPR and cookies.
The updated ICO guidance intends to help organisations apply the robust consent requirements under the GDPR to the collection of cookies. The updated guidance makes it clearer that consent to cookies should fulfil all GDPR criteria.
Much of the guidance reflects what companies are already doing. Some parts, however, are likely to have an impact, causing organisations to make changes to their current cookie practices.
This blog discusses some of the guidance updates made by the ICO and how you can ensure your site’s cookies are compliant.
What are Cookies?
Before delving into the updates made to the ICO guidance, it’s important to understand what cookies are and what their purpose is. Cookies are packets of data that a computer receives and then sends back. A cookie’s purpose is to help a website keep track of your visits and activity.
There are different cookies with different purposes. These include:
- Session cookies – These track your current session when actively navigating a website. They delete themselves once your session ends.
- Tracking cookies – These are used to create long-term records of multiple visits to the same site.
- Authentication cookies – These track whether a user is logged in with a username and if so, what username.
Most modern websites use cookies in some way, both for the benefit of the experience on the website and for third-party analytics use, such as Google Analytics.
Implied Consent
The current GDPR standard of consent when it comes to cookies is higher than under previous legislation. Implied consent is no longer acceptable and can’t be relied on. Continuing to use a website is not classed as valid consent.
Before consent is given, the cookies and their purpose must be stated. Pre-ticked boxes similarly aren’t compliant with the current legislation.
Users visiting your website must have control over any non-essential cookies. Similarly, non-essential cookies must not be set on landing pages before a user’s consent is gained.
Cookie walls (blocking the entire site’s content until consent is given) aren’t an acceptable solution. The ICO does, however, understand that some parts of websites may require cookie consent and is investigating this for future guidance updates.
Clear Comprehensive Information
Long, vague lists of the cookies in use on your website aren’t acceptable any more, according to the ICO.
As many companies have websites that use hundreds of cookies for different purposes, a general description of the cookies and their purposes alongside a list would be compliant.
This is more appropriate than an overload of irrelevant information. Guidance changes such as this may result in many organisations making big changes to their current cookie notices.
Third Party Cookie Responsibility
Website operators must ensure that contractual arrangements are in place for use of any third-party cookies on the platform.
When listing the third parties involved, you can’t be vague. You must specifically name them and explain what the third-party cookies do with any information.
Similarly, website operators may be responsible for the tracking technology used on third party websites.
The ICO indicated that organisations should also include references to their social media presence in their cookies/privacy policies.
Why is the ICO doing this?
The ICO states that it supports the use of cookies on websites but realises that it can’t be at the expense of legal rights. Updated guidance encourages fairness, transparency and accountability. Ultimately the ICO believes this will increase users’ trust and confidence in you.
As for what to do now, cookie audits should be conducted where necessary. Reviewing and updating cookie policies should be considered, along with benchmarking current consent collection practices against the updated guidance.
The ICO indicated that its priority is that companies comply with the current law. It also stated that formal enforcement action may be taken against any non-compliant companies.
Do you require any further assistance regarding compliance or how to use your data to improve the customer experience? Feel free to contact us today through the contact form below or on +353 1 804 1298.