The Three C’s – Cookies, Consent and Compliance

The GDPR and ePrivacy standards such as PECR (Privacy and Electronic Communications Regulations) require businesses and organisations to inform visitors about cookies and tracking technologies on their websites and provide users with choice and control over their preferences.

However, when it comes to cookie compliance there are many myths out there, such as the belief that you can rely on implied consent for the use of cookies. The simple fact is that you can’t. This is because the GDPR standard of consent is much higher than under previous legislation, meaning that implied consent is no longer acceptable, whether it’s for cookies or for processing personal data.

One myth is that consent is not required for cookies that are defined as ‘strictly necessary’, meaning those that are essential to providing the service requested by the user. Such cookies must be essential to fulfil that request. Those that are simply helpful or convenient, but not essential, or that are only essential for your own purposes, will still require consent.

Another myth is that you do not need consent for analytics cookies because they are strictly necessary. Whilst we recognise that analytics can provide you with useful information, they are not part of the functionality that the user requests when they use your website – for example, if you didn’t have analytics running, the user would still be able to access your website. This is why analytics cookies aren’t strictly necessary and so require consent.

A further myth is that you can use a cookie wall to restrict access to your site until users consent. Using a blanket approach such as this is unlikely to represent valid consent. Statements such as ‘by continuing to use this website you are agreeing to cookies’ are not valid consent under the higher GDPR standard.

Any non-essential cookies, including third-party cookies used for the purposes of online advertising or web analytics, also require prior consent to the GDPR standard.

A final myth is that you can rely on legitimate interests to set cookies, so that consent is not needed. PECR always requires consent for non-essential cookies, such as those used for the purposes of marketing and advertising. Legitimate interests cannot be relied upon for these cookies.

What does this really mean in practice?

  • your users must take a clear and positive action to consent to non-essential cookies;
  • your websites and apps must tell users clearly what cookies will be set and what they do – including any third party cookies;
  • pre-ticked boxes or any equivalents, such as sliders defaulted to ‘on’, cannot be used for non-essential cookies;
  • your users must have control over any non-essential cookies; and
  • non-essential cookies must not be set on landing pages before you gain the user’s consent.

So how do you respond as a business or organisation? A sensible starting point would be to conduct a full cookie audit. This will allow you to understand the full range of first and third-party cookies being used and the purposes for which those technologies are being deployed. As part of this audit, you should carefully distinguish between those cookies which will trigger the PECR consent requirement and those which could defensibly benefit from one of the two categories of exemption. Thereafter, in the majority of cases, it is likely that remedial work will be required both to the consent mechanism itself and to the underlying cookie policy or notice.
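To make the five practical requirements above and the audit step concrete, here is an added example in plain JavaScript (it is not code from the original article or from CyberCrowd, and runs under Node without a browser). It assumes a cookie registry that your audit produces; the cookie names, categories and purposes in it are constructed for illustration. It shows a consent state that defaults every non-essential category to off, a gate that refuses to set a cookie without an explicit positive choice, an audit that classifies the cookies actually present, and a landing-page check that lists anything set before consent was given.

```javascript
// Added example, not code from the original article: a minimal consent gate
// and cookie audit. The registry below is constructed for illustration;
// replace it with the findings of your own cookie audit.

// 1. Declaration: every cookie the site sets, with party and purpose, so the
//    notice can tell users clearly what will be set and what it does,
//    including third-party cookies.
const COOKIE_REGISTRY = {
  session_id:     { category: 'strictly_necessary', party: 'first', purpose: 'Keeps you signed in during your visit' },
  csrf_token:     { category: 'strictly_necessary', party: 'first', purpose: 'Protects forms against cross-site request forgery' },
  consent_prefs:  { category: 'strictly_necessary', party: 'first', purpose: 'Remembers the cookie choices you made' },
  site_analytics: { category: 'analytics',          party: 'third', purpose: 'Counts page views and visits' },
  ad_profile:     { category: 'advertising',        party: 'third', purpose: 'Targets adverts based on browsing' },
};

// Only strictly necessary cookies are exempt; every other category needs
// prior consent, and legitimate interests cannot be relied on instead.
const CONSENT_CATEGORIES = ['analytics', 'advertising'];

// 2. Default state: every non-essential category is OFF. There is no
//    pre-ticked box or slider-defaulted-to-on state in this model.
function defaultConsent() {
  return Object.fromEntries(CONSENT_CATEGORIES.map((c) => [c, false]));
}

// 3. Record a clear, positive action. Only an explicit boolean true turns a
//    category on; continued browsing, a dismissed banner or a truthy string
//    such as "on" do not count. Passing false withdraws consent, so the user
//    keeps control after the first choice.
function recordConsent(current, choices) {
  const next = { ...current };
  for (const category of CONSENT_CATEGORIES) {
    if (Object.prototype.hasOwnProperty.call(choices, category)) {
      next[category] = choices[category] === true;
    }
  }
  return next;
}

// 4. Gate: may this cookie be set right now? Unregistered cookies are
//    refused so that an unaudited tag cannot slip through.
function maySetCookie(name, consent) {
  const entry = COOKIE_REGISTRY[name];
  if (!entry) return false;
  if (entry.category === 'strictly_necessary') return true;
  return consent[entry.category] === true;
}

// Parse a Cookie header / document.cookie string into cookie names.
function cookieNames(cookieString) {
  return cookieString
    .split(';')
    .map((pair) => pair.trim().split('=')[0])
    .filter((name) => name.length > 0);
}

// 5. Audit: classify the cookies actually present as exempt, requiring
//    consent, or unknown (not in the registry, so investigate and declare).
function auditCookies(cookieString) {
  const report = { exempt: [], requiresConsent: [], unknown: [] };
  for (const name of cookieNames(cookieString)) {
    const entry = COOKIE_REGISTRY[name];
    if (!entry) report.unknown.push(name);
    else if (entry.category === 'strictly_necessary') report.exempt.push(name);
    else report.requiresConsent.push(name);
  }
  return report;
}

// 6. Landing-page check: which cookies are present that the current consent
//    state does not permit? Against a fresh session with the default state
//    the answer should be an empty list.
function unauthorisedCookies(cookieString, consent) {
  return cookieNames(cookieString).filter((name) => !maySetCookie(name, consent));
}

// Constructed sample: a first visit where a tag set analytics and advertising
// cookies before any choice was made, plus one cookie nobody has documented.
const firstVisit = 'session_id=abc123; site_analytics=GA1.2.999; ad_profile=xyz; legacy_widget=1';

console.log(auditCookies(firstVisit));
console.log('Set without consent:', unauthorisedCookies(firstVisit, defaultConsent()));
const afterChoice = recordConsent(defaultConsent(), { analytics: true });
console.log('Still unauthorised after analytics opt-in:', unauthorisedCookies(firstVisit, afterChoice));
```

The gate is deliberately strict in two places: a cookie that is not in the registry is never set, which turns the audit into an enforced inventory rather than a one-off document, and only a literal boolean `true` is treated as consent, so a banner that records "dismissed" or "scrolled" cannot accidentally count as a positive action.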

The ICO has, unsurprisingly, confirmed that its approach to enforcement will prioritise the use of cookies which are perceived to cause a high level of intrusiveness – for which we can read those that support user tracking, advertising and behavioural profiling, rather than those used for general analytics or to improve the look or feel of a website. However, any action would be proportionate and risk-based.

Cookies and similar technologies are important in ensuring the smooth running and convenience of much of the digital world. It is simply a matter of using them in a legally compliant way. Remember the basic information rights principles of fairness, transparency and accountability. Being fairer, more transparent and accountable to the people who use your website will increase their trust and confidence in you. And that benefits everyone.

CyberCrowd can help you towards swift cookie compliance; we undertake in-depth cookie audits as part of a wide range of data protection services.