UK – Is the new guidance a cookie killer?
What is a cookie?
Cookies are small text files placed on your computer when you visit a website. That website can access that cookie, and recognise you, each time you look at a page on that website. These cookies fall into two categories:
- Session – These cookies are erased at the end of your browsing session.
- Persistent – These remain on your computer until the end of the expiry date for that cookie. This could be some years into the future.
This technology is important and has a number of legitimate uses, including allowing secure website access and shopping cart functionality. However, this technology can also be used to infringe users’ privacy.
What does the law say?
The current cookie law came into force in 2011 through amendments to the Privacy and Electronic Communications (EC Directive) Regulations. They only allow a website to set a cookie on a user’s computer if either:
- Strictly necessary – The cookie is used for technical purposes to allow the communication to take place or provide a service the user has requested; or
- Consent – The user has been given clear information about the purpose of the cookie and has given consent. Importantly, the law was amended at the end of March 2019 to make it clear this consent must meet the high standards in the GDPR.
If the use of a cookie results in the processing of personal data, the broad principles of the GDPR will also apply.
Behind this simple concept are a whole host of difficult legal and technical issues. Most businesses have until now relied on pragmatic ambiguity in the UK Information Commissioner’s old cookie guidance. However, the new guidance from the Information Commissioner is clear, strict and marks a significant change in approach.
How do I comply with this new guidance?
The starting point is to conduct an audit to identify what cookies are currently used and why. Some cookies may be strictly necessary. It may be possible simply to remove others altogether. This audit should include any third party cookies (to the extent possible) and other locally stored objects such as Flash cookies.
Most organisations will have already done this. However, given the changes in the guidance to the way cookies are classified (see below) it is likely many organisations will need to repeat this exercise.
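A starting point for the audit described above, as an added example that is not part of the original article: it classifies captured Set-Cookie headers as session or persistent and first or third party, and marks cookies that were set before the user made a choice. The capture format, the beforeConsent flag and all hosts and cookie values are constructed assumptions, and the site's registrable domain is passed in rather than derived.

```javascript
// Added example (not from the article): classify captured Set-Cookie headers.
// Hosts, cookie names and values are constructed sample data.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: eq === -1 ? '' : pair.slice(0, eq), attrs: {} };
  for (const a of attrs) {
    const i = a.indexOf('=');
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : a.slice(i + 1);
  }
  return cookie;
}

// Session cookies carry neither Max-Age nor Expires; Max-Age wins if both are set.
function lifetime(attrs, now) {
  let ms = null;
  if (attrs['max-age'] !== undefined) ms = Number(attrs['max-age']) * 1000;
  else if (attrs.expires !== undefined) ms = Date.parse(attrs.expires) - now;
  if (ms === null) return { kind: 'session', days: 0 };
  if (ms <= 0) return { kind: 'deleted', days: 0 }; // header removes the cookie
  return { kind: 'persistent', days: Math.round(ms / 86400000) };
}

// Third party = the responding host is outside the audited site's domain.
function party(responseHost, siteDomain) {
  const inside = responseHost === siteDomain || responseHost.endsWith('.' + siteDomain);
  return inside ? 'first' : 'third';
}

function auditCookies(capture, siteDomain, now) {
  return capture.map(({ host, header, beforeConsent }) => {
    const { name, attrs } = parseSetCookie(header);
    // Purpose cannot be read from a header: anything set before the user's
    // choice has to be justified as strictly necessary by a reviewer.
    return { name, party: party(host, siteDomain), ...lifetime(attrs, now), review: beforeConsent };
  });
}

// Constructed capture: one entry per Set-Cookie header seen while loading a page.
const SAMPLE_CAPTURE = [
  { host: 'www.shop.example', header: 'sid=abc123; Path=/; Secure; HttpOnly', beforeConsent: true },
  { host: 'www.shop.example', header: '_stats=u1; Max-Age=63072000; Path=/', beforeConsent: true },
  { host: 'ads.tracker.example', header: 'uid=x9; Expires=Fri, 01 Jan 2027 00:00:00 GMT; Domain=tracker.example', beforeConsent: false },
];
const SAMPLE_NOW = Date.parse('2026-01-01T00:00:00Z');
console.table(auditCookies(SAMPLE_CAPTURE, 'shop.example', SAMPLE_NOW));
```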
For which cookies do I need consent?
Consent will be needed for cookies unless they are strictly necessary. The table below summarises the position in the revised guidance, which makes a number of significant amendments, in particular the new distinction between session cookies and persistent cookies.
Care should be taken over cookies that are used for more than one purpose. Consent will still be needed unless all those purposes fall within the “strictly necessary” exemption.
How do I get consent?
The new guidance also imposes much stricter obligations to obtain consent, reflecting the fact that consent must meet the standards under the GDPR. Accordingly, the following practices will not provide a valid consent:
- Default to consent – A mechanism with a pre-set or default option to allow cookies will not provide consent.
Importantly, the consent must be informed. That means that you must provide clear information about what cookies are used and why. If you use any third party cookies (see below), you must clearly and specifically name who the third parties are and explain what they will do with the information.
When do I need to get consent?
The guidance also clearly requires that websites obtain consent before placing any cookies on the users’ computer (unless it is strictly necessary).
This can be very difficult to achieve in practice. In some cases, it may be necessary to use an interstitial page or overlay – i.e. prevent the user from accessing the website until they have made a choice on that interstitial page or overlay.
Can I use cookie walls?
As set out above, it may be necessary to use an interstitial page or overlay to ensure cookies are not used before consent is given. However, if the cookie wall requires users to ‘agree’ or ‘accept’ the setting of cookies before they can access the website, that consent might be invalid.
The position here is not entirely clear and the guidance suggests that cookie walls might be possible for non-invasive cookies. The accompanying blog post states that “there are some differing opinions as well as practical considerations around the use of partial cookie walls and [the Information Commissioner] will be seeking further submissions and opinions on this point”.
Do I really need consent for analytics cookies?
Yes and no. The guidance states that analytics cookies are not strictly necessary and so require consent.
However, the guidance contains a highly caveated exemption to this principle; namely that while “the ICO cannot rule out the possibility of formal action in any area, this may not always be the case where the setting of a first-party analytics cookie results in a low level of intrusiveness and low risk of harm to individual”.
This suggests that first party cookies, such as Google Analytics, may not always need consent though this depends on the circumstances and involves a degree of risk assessment.
Do I need consent for device fingerprinting?
According to the guidelines, yes.
However, it is difficult to reconcile this with the wording of the Regulations. They apply where a person “store[s] or gain[s] access to information stored, in the terminal equipment” of a user. This clearly applies to the use of a cookie where the website either writes a new cookie onto the user’s computer or reads the value of an existing cookie from that computer.
In contrast, device fingerprinting will often involve just the passive collection of information sent by the user’s computer to access a website, such as operating system, timezone, language and screen resolution. Where such passive collection takes place it is not clear that the Regulations even apply, though this practice may still be subject to the broad principles of the GDPR.
What about third party cookies?
The new guidance extends to third party cookies; Adtech and social media cookies are expressly identified as requiring consent.
The key question is who should get that consent. At a technical level, it is the third party that “store[s] or gain[s] access to” the cookie and so it is that third party who is subject to the consent requirement. This is because all the first party website will do is instruct the user’s computer to fetch content from that third party. What content the third party provides, and whether it contains cookies, is not within the first party website’s control.
Recognising this, the guidance notes the need for the first party and third party to work together to ensure users are provided with meaningful information and appropriate consents are obtained. This reflects the parties’ likely position as joint controllers under the GDPR.
The guidance notes “this is one of the most challenging areas in which to achieve compliance … The ICO continues to work with industry and other European data protection authorities to assist in addressing the difficulties and finding workable solutions”. In particular, this issue is likely to be addressed in detail as part of the Information Commissioner’s investigation into Adtech and RTB.
How long have I got and what happens if I don’t comply?
There is no fixed timetable to bring your website into compliance with the new guidance, and the Information Commissioner’s accompanying blog post appears to recognise that immediate compliance may not be possible. That post suggests that if you “[s]tart working towards compliance now …you will have nothing to fear”.
For those that do nothing she suggests that “[c]ookie compliance will be an increasing regulatory priority for the ICO in the future”. It is also remarkably easy for the Information Commissioner to identify non-compliance by just looking at your website.
Am I going to have to go through this exercise again in a couple of years?
What about the UX?
When the cookie rules were first introduced in 2011, the then Information Commissioner stated:
“I am under no illusion that in the absence of further detail in the law a likely outcome is that my officials will spend a disproportionate amount of time dealing with complex complaints and enquiries that revolve around questions that do not raise genuine privacy concerns.” 
If the Information Commissioner’s ultimate response at that time was a healthy dose of pragmatic ambiguity, the latest guidance avoids either characterisation.
In practice, there is little evidence that the cookie rules have delivered meaningful improvements to individual privacy. Anecdotally at least, many see the endless cookie pop-ups and prompts as a significant annoyance.
The new guidance may just aggravate this problem. The need for consent for a much wider class of cookies, such as analytics cookies, and likely need for interstitial pages before users can access a website will habituate users to automatically click on whatever button makes a cookie notice go away as quickly as possible.
The guidance itself recognises “some level of disruption may be necessary”. However, the latest fine by the Information Commissioner for breach of the GDPR demonstrates that compliance is no longer optional.
By Ben Hagyard