The new guidance aims to align the ICO’s position on cookies with GDPR.
What should I do?
There are steps a business must take to ensure compliance with the new guidance:
- Say what cookies will be set and explain what the cookies do
The information provided to the data subject must cover: the cookies intended to be used and the purposes for which they will be used, plus it must be aligned with GDPR transparency standards (i.e. “concise, transparent, intelligible and easily accessible form, using clear and plain language“).
These requirements also apply to cookies set by any third parties whose technologies the online service incorporates – this would include cookies, pixels and web beacons, JavaScript and any other means of storing or accessing information on the device including those from other services such as online advertising networks or social media platforms.
- Obtain consent to store cookies on devices
- The user must take a clear and positive action to give their consent to non-essential cookies.
- Consent should be granular – the user must be provided with the ability to consent to cookies used for some purposes, but not others.
- When it comes to the use of third party cookies, one must clearly and specifically name who the third parties are and explain what they will do with the information.
- Pre-ticked boxes (or equivalents such as ‘on’ sliders) are not valid for non-essential cookies.
- Users must be provided with controls over any non-essential cookies, and the users should still be allowed to access the website if they don’t consent to these cookies, so ‘Cookie walls’ are prohibited if they prevent access to the website in general, even though the ICO is seeking further submissions and opinions on this point from interested parties.
- Non-essential cookies should not be placed on the landing page (and similarly that any non-essential scripts or other technologies do not run until the user has given their consent).
It is important to keep in mind that consent is invalid if:
- message boxes are hard to read or interact with when using a mobile device, or
- users do not click on any of the options available and go straight through to another part of your site without engaging with the consent box.
Are there any exemptions to the information and consent requirements?
Yes, there are. You do not need to comply with them for strictly necessary cookies. The concept of “strictly necessary cookies” is very limited though. The storage of (or access to) information should be essential to provide the service requested by the user and it also covers what is required to comply with any other legislation that applies. You can find some examples in the table below.
Apart from the “strictly necessary cookies” exemption, information and consent requirements neither apply for the cookies that enable the transmission of a communication over an electronic communications network.
