What You Need to Know About the ICO Cookies Update
Posted by: Joe Towner
Since the introduction of GDPR last year, the use of Cookies has been a subject of hot debate. This is because, although the use of Cookies comes under PECR guidance, it also technically shares principles with GDPR. ICO has recently decided to clarify the issue, and here we are.
ICO released clearer guidelines last month for developers and website owners, also updating its own Cookies policy to be used as a model. Download or read the full guidelines (Guidance on the use of Cookies and similar technologies) at ICO here.
Who will be affected by the update and how?
Some types of businesses will be unaffected, and others will have major changes to make to Cookies policies and the way in which consent is obtained. There are different types of Cookies and some are necessary for service delivery. The necessary or essential type (security, functionality) won’t be affected by the update. Under GDPR and PECR the problem has been a lack of real, informative advice and clarity about where, when and why consent is given for which types of Cookies – confused? Exactly.
The upshot is that unless the Cookies you are using are essential for security or core functionality, you need permission for them. This includes identifiers (fingerprinting for accessibility) and analytics Cookies, which are non-essential. You also need to be clear about how you ask for permission. This has been clarified under the updated guidelines as well.
Why implied consent isn’t good enough anymore
It is a common misconception that implied consent is adequate. It really isn’t.
Users must actively give consent under the guidelines. This means, for example, that tick boxes cannot be pre-filled so that users have to untick them to remove consent. The ‘Cookie wall’ is also non-compliant, and this has been addressed in the guidelines.
It must also be made clear what the consent is for, why it is needed and what types of Cookies are being used.
ICO updated its own policy and this slides in from the left straightaway. They’ve created it as a model to further illustrate the new guidelines.
Rumour suggests that PECR regulations will update to GDPR standards at some point, but for now at least there is a little more clarity.
How you can improve your Cookies permissions
First, you’ll need to do a complete audit of your current Cookies. This should include:
- The purpose
- The link
- Data storage
The crossover between PECR and GDPR is where the issue lies: data protection and privacy. ICO holds this as the core value and has released a general set of rules and guidelines. In short:
- your users must take a clear and positive action to consent to non-essential cookies
- your websites and apps must tell users clearly what cookies will be set and what they do – including any third party cookies
- pre-ticked boxes or any equivalents, such as sliders defaulted to ‘on’, cannot be used for non-essential cookies
- your users must have control over any non-essential cookies
- non-essential cookies must not be set on landing pages before you gain the user’s consent.
Let J&L help
We keep on top of updates and compliance, so you don’t have to. Talk to us about a Cookies audit and let us help you stay ahead.