Information Commissioner's Office
Blog: Cookies – what does ‘good’ look like?
Blog posted by: Ali Shah, Head of Technology Policy, 03 July 2019.
Since the General Data Protection Regulation (GDPR) came into effect last May, there has been a great deal of interest in how it applies to cookies and similar technologies.
Cookies can seem a complex issue. The rules on their use are in the Privacy and Electronic Communications Regulations (PECR), not the GDPR. However, some of PECR’s key concepts now come from the GDPR – such as the standard of consent.
The ICO supports innovation in the digital economy, but this should be side-by-side with privacy. Being fairer, more transparent and accountable to your users will increase their trust and confidence in you – and that benefits everyone.
In this latest myth-busting blog, I will clear up some of the uncertainty that’s developed around cookies since last year.
Fact: No, you can’t, because the GDPR standard of consent is much higher than under previous legislation. This means that implied consent is no longer acceptable – whether it’s for cookies, or for processing personal data. In practice, this means:
- your users must take a clear and positive action to consent to non-essential cookies;
- your websites and apps must tell users clearly what cookies will be set and what they do – including any third party cookies;
- pre-ticked boxes or any equivalents, such as sliders defaulted to ‘on’, cannot be used for non-essential cookies;
- your users must have control over any non-essential cookies; and
- non-essential cookies must not be set on landing pages before you gain the user’s consent.
Consent is not required for cookies that are defined as ‘strictly necessary’ – those that are essential to providing the service requested by the user. Such cookies must be essential to fulfil their request. Those that are simply helpful or convenient, but not essential – or that are only essential for your own purposes – will still require consent.
Any non-essential cookies, including third party cookies used for the purposes of online advertising or web analytics, require prior consent to the GDPR standard. Our guidance explains in more detail how this applies to cookies.
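As an added illustration, not part of the ICO post and not the ICO’s own code, here is how the requirements above translate into a browser-side consent gate in JavaScript: every cookie is declared with a category and a plain-language purpose (third-party ones flagged), only strictly necessary cookies are written on the landing page, every non-essential category starts unticked, consent is recorded only from an explicit click, unticked categories stay off, and the user can withdraw consent later. The cookie names, categories and the `setCookie`/`expireCookie` hooks are assumptions made for the example; in a real site those hooks would write and expire `document.cookie`, and they are injected so the logic can also run under Node.

```javascript
// Added example: a consent gate for non-essential cookies.
// Cookie names, categories and purposes below are constructed for illustration.
const COOKIE_REGISTRY = [
  { name: "session_id",    category: "strictly-necessary", purpose: "keeps you signed in",            thirdParty: false },
  { name: "csrf_token",    category: "strictly-necessary", purpose: "protects forms against forgery", thirdParty: false },
  { name: "_analytics_id", category: "analytics",          purpose: "usage statistics",               thirdParty: true  },
  { name: "ad_profile",    category: "advertising",        purpose: "targeted advertising",           thirdParty: true  },
];

class ConsentGate {
  // hooks.setCookie / hooks.expireCookie are assumed helpers; in a browser they
  // would write document.cookie. Injecting them lets the logic run outside a browser.
  constructor(registry, hooks = {}) {
    this.registry = registry;
    this.setCookie = hooks.setCookie || (() => {});
    this.expireCookie = hooks.expireCookie || (() => {});
    this.written = new Set();   // cookies actually written so far
    this.consent = {};          // category -> boolean, every non-essential category defaults to OFF
    for (const c of registry) {
      if (c.category !== "strictly-necessary") this.consent[c.category] = false;
    }
  }

  // What the banner shows: each non-essential category, unticked, listing its cookies and purposes.
  bannerChoices() {
    return Object.keys(this.consent).map(category => ({
      category,
      selected: false, // never pre-ticked
      cookies: this.registry
        .filter(c => c.category === category)
        .map(c => `${c.name}: ${c.purpose}${c.thirdParty ? " (third party)" : ""}`),
    }));
  }

  // Cookies that may be set under the current consent state.
  allowedCookies() {
    return this.registry
      .filter(c => c.category === "strictly-necessary" || this.consent[c.category] === true)
      .map(c => c.name);
  }

  // Landing page and every later page: write only what is currently allowed.
  apply() {
    for (const name of this.allowedCookies()) {
      if (!this.written.has(name)) {
        this.setCookie(name);
        this.written.add(name);
      }
    }
    return Array.from(this.written);
  }

  // Called only from the banner's button handler. `choices` maps category -> boolean.
  // Scrolling or "continuing to browse" never reaches here, so implied consent cannot be recorded.
  recordConsent(choices, { explicitAction } = {}) {
    if (explicitAction !== true) {
      throw new Error("consent requires a clear affirmative action by the user");
    }
    for (const category of Object.keys(this.consent)) {
      this.consent[category] = choices[category] === true; // anything left unticked stays off
    }
    return this.apply();
  }

  // The user keeps control: withdrawing consent expires every non-essential cookie already written.
  withdrawConsent() {
    const expired = [];
    for (const c of this.registry) {
      if (c.category === "strictly-necessary") continue;
      this.consent[c.category] = false;
      if (this.written.has(c.name)) {
        this.expireCookie(c.name);
        this.written.delete(c.name);
        expired.push(c.name);
      }
    }
    return expired;
  }
}

// Constructed walk-through of one visit.
const cookieLog = [];
const gate = new ConsentGate(COOKIE_REGISTRY, {
  setCookie: name => cookieLog.push(`set ${name}`),
  expireCookie: name => cookieLog.push(`expire ${name}`),
});
gate.apply();                                                        // landing page: session_id and csrf_token only
gate.recordConsent({ analytics: true }, { explicitAction: true });   // user ticked analytics, left advertising unticked
gate.withdrawConsent();                                              // user later changes their mind: _analytics_id expired
```

The check that matters for an audit is the order of events: `apply()` runs before any banner interaction and can only ever write the strictly necessary set, and `recordConsent()` refuses to run unless the caller asserts it came from a deliberate user action, which is what the "clear and positive action" requirement amounts to in code.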
Myth 2: Analytics cookies are strictly necessary so we do not need consent
Fact: While we recognise that analytics can provide you with useful information, they are not part of the functionality that the user requests when they use your online service – for example, if you didn’t have analytics running, the user would still be able to access your service. This is why analytics cookies aren’t strictly necessary and so require consent.
Myth 3: We can use a cookie wall to restrict access to our site until users consent
Fact: Using a blanket approach such as this is unlikely to represent valid consent. Statements such as ‘by continuing to use this website you are agreeing to cookies’ are not valid consent under the higher GDPR standard. However, we recognise there are some differing opinions as well as practical considerations around the use of partial cookie walls, and we will be seeking further submissions and opinions on this point from interested parties.
Myth 4: We can rely on legitimate interests to set cookies, so we do not need consent
Fact: PECR always requires consent for non-essential cookies, such as those used for the purposes of marketing and advertising. Legitimate interests cannot be relied upon for these cookies.
Myth 5: The ICO wants online services to stop using cookies and similar technologies
Fact: The ICO supports innovation but that can’t always be at the expense of people’s legal rights. Cookies and similar technologies are important in ensuring the smooth running and convenience of much of the digital world. It is simply a matter of using them in a legally compliant way.
Our updated guidance is based on the basic information rights principles of fairness, transparency and accountability. Being fairer, more transparent and accountable to the people who use your website will increase their trust and confidence in you. And that benefits everyone.
Cookie compliance will be an increasing regulatory priority for the ICO in the future. However, as is the case with all our powers, any future action would be proportionate and risk-based. Start working towards compliance now – undertake a cookie audit, document your decisions, and you will have nothing to fear.
Ali Shah is the ICO’s Head of Technology Policy responsible for ensuring the ICO can respond to complex societal challenges presented by emerging technology developments.