New guidance on website cookies paves the way for fines and enforcement notices


Although ‘Cookie laws’ were introduced in 2011, they were badly drafted, leaving them unenforced and largely ignored by website owners. Successful complaints about tracking cookies under GDPR change that. Action is now required for most website owners, or they could face enforcement action from the Information Commissioner.

Following the lead set by other European regulators (notably the Dutch), the ICO have published helpful guidance on the use of cookies and where consent is needed.

The headline is that you do not need consent for cookies that are essential to the operation of your website, but you do need consent for any non-essential cookies. The ICO are at pains to make it explicitly clear that tracking and advertising cookies are always non-essential.

The significant change is that valid consent follows the same rules as all other consent under GDPR, and so must be explicitly given, never assumed, and as easy to withdraw as it was to give. Additionally, you can’t withhold services unnecessarily from a user who doesn’t give consent, which challenges the ‘cookie wall’ approach taken by some websites.

If you run a website that uses cookies for analytics and tracking, then you’ll need to find a way of collecting compliant consent from your data subjects. Using tracking and advertising cookies without evidence of compliant consent would be a breach of GDPR and PECR and would leave you open to enforcement action from the ICO when the inevitable complaint is made by a data subject.
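To make the consent rules above concrete, here is an added example of a minimal consent gate (this is illustrative code written for this article, not code from the ICO, Cookie Control or any other tool). It assumes a site groups its cookies into an essential category and one or more non-essential categories, and it uses a plain object called `jar` as a constructed stand-in for `document.cookie` so the logic can be exercised outside a browser. Non-essential categories start switched off (nothing is assumed or pre-ticked), a cookie is only written once its category has explicit consent, withdrawal is a single call just like granting, and every decision is logged so there is evidence of consent.

```javascript
// Added example, not from the original post. `jar` is a constructed stand-in
// for document.cookie; in a real page the reads and writes would go there.

const ESSENTIAL = 'essential';

// Build the initial consent state for the categories a site uses.
// Non-essential categories start as false: consent is never assumed or pre-ticked.
function createConsent(categories) {
  const consent = { categories: {}, log: [] };
  for (const c of categories) consent.categories[c] = c === ESSENTIAL;
  return consent;
}

// Record an explicit user decision. `userAction` must be true: the caller
// confirms the change came from a deliberate click, not a default, a timeout
// or continued browsing. The log is the evidence that consent was given.
function decide(consent, category, granted, userAction, now = Date.now()) {
  if (category === ESSENTIAL) throw new Error('essential cookies are not subject to consent');
  if (!(category in consent.categories)) throw new Error(`unknown category: ${category}`);
  if (!userAction) throw new Error('consent changes require an explicit user action');
  consent.categories[category] = granted;
  consent.log.push({ category, granted, at: now });
  return consent;
}

// Write a cookie only if its category is essential or currently has consent.
// Returns true when the cookie was written, false when it was suppressed.
function setCookie(jar, consent, name, value, category) {
  const allowed = category === ESSENTIAL || consent.categories[category] === true;
  if (allowed) jar[name] = { value, category };
  return allowed;
}

// Withdrawal is one call, the same as granting, and it also removes cookies
// already written under that category so the withdrawal takes effect at once.
function withdraw(jar, consent, category, userAction) {
  decide(consent, category, false, userAction);
  for (const [name, cookie] of Object.entries(jar)) {
    if (cookie.category === category) delete jar[name];
  }
  return consent;
}

// Walk through a visit: the essential session cookie works without consent
// (so the service is not withheld), analytics is blocked until the user opts
// in, and withdrawing clears what was set under that category.
function demo() {
  const jar = {};
  const consent = createConsent([ESSENTIAL, 'analytics', 'advertising']);
  const sessionSet = setCookie(jar, consent, 'session_id', 'abc123', ESSENTIAL);
  const blocked = setCookie(jar, consent, 'analytics_id', 'visitor-42', 'analytics');
  decide(consent, 'analytics', true, true);
  const afterOptIn = setCookie(jar, consent, 'analytics_id', 'visitor-42', 'analytics');
  withdraw(jar, consent, 'analytics', true);
  return {
    sessionSet,                               // true: essential, no consent needed
    blocked,                                  // false: no consent yet
    afterOptIn,                               // true: explicit opt-in recorded
    cookiesNow: Object.keys(jar).sort(),      // ['session_id'] after withdrawal
    logEntries: consent.log.length,           // 2: one grant, one withdrawal
  };
}
```

The point of routing every write through `setCookie` is that the analytics or advertising script never gets to decide for itself; the gate is the single place where the consent state is checked. Keeping the decision log (with a timestamp and, in a real deployment, the version of the notice the user saw) is what lets you demonstrate compliant consent if a complaint is raised.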

Can I avoid consent? - what about Legitimate Interests?

Under GDPR, consent is only one of six legal bases that you can rely on for processing. If you can find a legal basis other than consent, then you would avoid the need to meet the very high standard of compliant consent.

Of the six bases, the only one with potential grounds is Legitimate Interests. This enables you to process data without consent where the risk to privacy is low and the processing is in line with the normal activity that the data subject would expect.

Using legitimate interests requires you to make a case and document your thinking (a Legitimate Interests Assessment), balancing your legitimate interests against the competing interest of the data subject’s privacy. This case can be challenged by a data subject, with the relevant supervisory authority (in the UK, the ICO) acting as arbitrator. The issue here is that the ICO has made its position clear on the matter, pre-emptively undermining any Legitimate Interests argument. The grounds for this go back to the other law in effect, PECR (the Privacy and Electronic Communications Regulations), specifically the much derided ‘Cookie Law’. That regulation states that consent is required; all GDPR adds is a refined definition of what valid consent actually looks like. A GDPR workaround would therefore still leave you in breach of PECR.

Although this will be a pain for anyone involved in marketing, there are legitimate privacy issues at stake. The implications of accepting the status quo in a modern connected world are significant for us all, as it effectively allows anyone to track and profile us and our behaviours 24/7 without our permission. Although many people may be happy with this, it’s only right that we all get the chance to say so explicitly.

There are off-the-shelf tools that can assist with compliance at the moment. The ICO itself makes use of Cookie Control (https://www.civicuk.com/cookie-control), but there are other tools out there. There will be a better solution too. This challenge is universal to every website, and so the solution will eventually be baked into the browser experience. Expect the browser makers to standardise the control, improving the user experience and reducing the development overhead of every website implementing its own technical solution.

With 20 years’ experience online, much of that designing and building online digital services, I’m well placed to help you navigate this if your situation is a bit more complicated. If you work with sensitive data in marketing or an online service, you’ll have the added challenge of complying with the requirements of the Data Protection Act.

I can help you through the exercise to identify the risks (Data Protection Impact Assessment) and plan appropriate mitigating actions to bring a defensible level of compliance with the various laws. Drop me an email hello@oliverwestmancott.com or phone on 020 3393 1899.

Oliver Westmancott