On July 5, 2019, the UK’s Data Protection Authority (ICO) issued its “Guidance on the use of cookies and similar technologies” (the Guidance) along with a brief explanatory blog post. At the same time the ICO updated its own website cookie notice and consent, leading by example. The ICO’s blog post makes clear that cookie compliance will increasingly be a regulatory priority, and that companies should start working towards compliance now.

Background

When the General Data Protection Regulation (GDPR) became effective on May 25, 2018, it imposed new and strict obligations on companies processing personal data, including stricter conditions for obtaining valid consent. In the UK, the Privacy and Electronic Communications Regulations (PECR), which implements the EU e-Privacy Directive and will soon be replaced by the e-Privacy Regulation, complements the GDPR requirements. PECR specifically applies to the use of cookies and any similar technology that stores or accesses information on a user’s device (referred to herein collectively as cookies). It requires UK-based companies to provide certain information to individuals on the use of cookies, and sets out the rules for obtaining consent. The GDPR imposes further requirements for how personal data collected by cookies may be handled.

The Guidance acts as a detailed handbook on managing first-party and third-party cookies and sets the record straight on a number of common misconceptions. Of particular note, it makes it clear that for anything other than essential cookies, GDPR standard opt-in consent is required prior to their setting.

Consent

Consent modalities are a key focus of the Guidance. There are three key takeaways:

  1. Consent is required for all cookies except for essential cookies. The Guidance states that essential cookies are limited to those strictly necessary to communicate over an electronic communications network or provide the services requested by the user, and offers detailed examples. The Guidance stresses that analytics, social media, and advertising cookies will not qualify as essential cookies. The Guidance echoes the opinion of the ICO in its Adtech Update Report (see blog post) that all further use of personal data collected via these cookies must be pursuant to valid consent.
  2. Implied consent does not constitute valid consent. A clear and affirmative action is required. Pre-ticked boxes are not sufficient, and nor does continued use indicate consent. The ICO states that visitors must actively interact with consent boxes. Relying on current browser settings, for example, will not be sufficient. This is a departure from the approach taken by many online services, including, until recently, the ICO.
  3. The consent should include a list of third-party cookies. The ICO states that all third parties should be listed prominently, along with a description of what they will do with any personal data collected. The ICO suggests that this information should form part of the consent itself. Consent should be sought for every new third party dropping non-essential cookies. The Guidance recognizes that this is one of the most challenging areas of compliance.

Other Takeaways

The Guidance contains additional key takeaways for online service providers:

  1. The cookie rules do not just apply to websites. The ICO states that its Guidance applies to the Internet of Things, smart TVs and wearables. It also stresses that mobile apps may be caught, for example where they contain web APIs.
  2. Joint controllership may exist for companies even outside of their own online services. The ICO concludes that if a website owner links to a page on a social media platform and that platform provides statistics or aggregated information back to the website owner, they are joint controllers with respect to that activity. As a joint controller, the website owner must provide sufficient transparency regarding the data processing, including detailing the methods for controlling non-essential cookies on the social media platform. Joint controllership is currently the focus of much speculation, so how this will be implemented in practice is yet to be seen.
  3. Cookie walls are not necessarily the answer. The Guidance is clear that cookie walls may only be used in limited circumstances, and likely only when the use of such wall is not intended to require or influence users to agree to their personal data being used as a condition to access to a service. The accompanying blog introduction confirms that further opinions and submissions are being sought. In contrast, the CNIL does not allow the use of cookie walls.

Enforcement

Companies should take note and, if they have not already done so, conduct a comprehensive audit on their cookie usage. The Guidance provides practical steps on how to do so. The ICO is clear that any action taken will be “proportionate and risk based”: this will only be demonstrated if an audit has been conducted, and documented steps have been taken towards compliance with the Guidance. This is in contrast to the CNIL approach (also announced recently: see blog post), which establishes a 12-month grace period for some (but not all) cookie requirements. The ICO also states that the use of non-intrusive, first-party analytics cookies without the requisite consent will not be an enforcement priority, but does not suggest that companies should not worry about compliance. This will no doubt leave companies seeking clarity unsure of how market trends around such cookies will develop.

Wilson Sonsini Goodrich & Rosati routinely helps companies navigate complex privacy and data security issues in Europe and beyond, and will monitor closely developments related to adtech in Europe. For more information, please contact Cédric Burton, Jan Dhont, Laura de Boel, Lore Leitner, Nikolaos Theodorakis, Lydia Parnes, Chris Olsen, or another member of the firm’s privacy and cybersecurity practice.

Rossana Fol contributed to the preparation of this WSGR post.