The background – PECR and GDPR, cookie notifications and consent
We updated that article a number of times as some of the murkier areas of doubt became (slightly) clearer, and if you’re looking for a bit of background on the issue – including why it might be relevant to you if you’re running a website for your business – we still think it’s worth a read.
Time has now passed since the implementation of the GDPR, and we remain in what I referred to at the time as a ‘limbo’ period where the rules about cookies are mainly governed by the Privacy and Electronic Communications Regulations (or ‘PECR’, which I like, amusingly, to pronounce ‘pecker’), which should, by rights, have been updated by now in order to dovetail better with GDPR.
Well, it hasn’t been updated yet, so we’re still in a situation where the specific rules about cookies come from PECR, but there are ‘bigger picture’ principles from GDPR that in some ways conflict, making life distinctly complicated.
Except, it wasn’t.
Or at least, it wasn’t what a lot of people were hoping for, because the updated guidance is a significant departure from the ICO’s previous guidance on the matter – and it has real implications for people running websites.
The main point to note is the ICO’s position on the type of consent that is required before you can legitimately use non-essential cookies.
In general terms, you have always needed the consent of your website visitors to place cookies on their device, but in the past the concept of ‘implied consent’ was deemed to be OK.
We were just notifying the user that cookies were in use – and, chances are, they had already been set by the time the user had seen the notification.
So the purists would probably be justified in saying that there wasn’t any real consent there at all.
Implied consent is now dead. Finito.
“any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”
This means that in all cases where we do something on our website that requires the user’s consent, we must get the user to make some specific, positive action to indicate that consent – and we must do so before the event requiring consent takes place.
This boils down to one important point – which is very relevant to how we design and build websites now and, more to the point, how we may have to redesign existing sites:
Technically, we cannot set any non-essential cookies when people first land on our websites. We have to implement some form of ‘cookie control mechanism’ which blocks all non-essential cookies unless and until the user expressly says that it’s ok.
For every good rule, there’s always a good exception.
I’ve been careful so far to use the expression ‘non-essential’ cookies when referring to the requirement for specific advanced consent.
That’s because there is an exception to the consent requirement that applies to ‘essential’ cookies. More correctly, cookies that are ‘essential to provide an online service at someone’s request’.
This means that cookies that perform functions like remembering the contents of a shopping cart, or providing security in an online banking transaction – without which the process could not work – are exempt from the consent requirement.
What does this mean for website owners?
For many website owners, this will mean that a review of their site and technical changes will be required if they are to be compliant with the relevant regulations.
It would be pretty unusual for a website not to use any form of cookies, and your site will almost certainly use them to some extent if:
- It is built on a Content Management System (CMS) framework such as WordPress, or one of the website builder products from the likes of Wix or GoDaddy;
- The site uses Google Analytics (or indeed most other analytics providers);
- The site has embedded any form of social media content such as Twitter or Facebook timelines, YouTube videos, or social sharing features;
- You are using social marketing tools such as the Facebook pixel, Google Ads or any other mechanism that tracks user behaviour across your site.
To be compliant with the regulations, a site needs some form of cookie control mechanism that ensures the cookies associated with those functions are not set unless and until the visitor gives their express consent.
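As an added example (not code from the article, the ICO or any particular CMS), the following sketches what such a cookie control mechanism looks like in the browser: non-essential integrations are registered as loader callbacks that only run after an explicit, affirmative action, and a small audit helper flags cookies that are set without consent. The cookie names in the registry are illustrative, the button ids and the `yt_embed` cookie are hypothetical, the Google Analytics id is a placeholder, and the storage adapter is assumed to be backed by a first-party cookie or localStorage on a real site.

```javascript
// Added example: a minimal "cookie control mechanism" in the sense the
// article describes. Doing nothing, closing the banner or scrolling never
// counts as consent; only recordDecision() called from a UI action does.

const CATEGORIES = ['analytics', 'marketing', 'social'];

// Illustrative registry mapping cookie names to a category, so an audit can
// tell essential cookies from ones that need consent. A real site would
// list the cookies it actually sets.
const COOKIE_REGISTRY = {
  PHPSESSID: 'essential',     // session cookie needed to serve the site
  cart: 'essential',          // shopping-cart contents, exempt under PECR
  consent_prefs: 'essential', // records the visitor's own consent choice
  _ga: 'analytics',           // Google Analytics
  _fbp: 'marketing',          // Facebook pixel
  yt_embed: 'social',         // hypothetical cookie from an embedded video
};

function createConsentGate(storage) {
  // storage: optional { load(): decision|null, save(decision) } adapter,
  // assumed to persist the decision in a first-party cookie or localStorage.
  const loaders = { analytics: [], marketing: [], social: [] };
  const ran = new Set(); // loaders that have already executed
  let decision = storage && storage.load ? storage.load() : null; // null = no decision yet

  // No decision is treated as "no": this is what replaces implied consent.
  function isAllowed(category) {
    return decision !== null && decision[category] === true;
  }

  // Run every loader whose category is allowed, each at most once.
  function runAllowed() {
    for (const c of CATEGORIES) {
      if (!isAllowed(c)) continue;
      for (const loader of loaders[c]) {
        if (ran.has(loader)) continue;
        ran.add(loader);
        loader();
      }
    }
  }

  // Register a non-essential integration; it loads only once consent exists.
  function register(category, loader) {
    if (!CATEGORIES.includes(category)) throw new Error(`unknown category: ${category}`);
    loaders[category].push(loader);
    runAllowed();
  }

  // Call only from an explicit UI action (e.g. an "Accept analytics" button).
  // Anything not explicitly set to true is recorded as refused.
  function recordDecision(choices) {
    decision = {};
    for (const c of CATEGORIES) decision[c] = choices[c] === true;
    if (storage && storage.save) storage.save({ ...decision });
    runAllowed();
    return { ...decision };
  }

  return {
    register,
    isAllowed,
    recordDecision,
    rejectAll: () => recordDecision({}),
    get decision() { return decision && { ...decision }; },
  };
}

// Audit helper: given the cookie names currently set (e.g. parsed from
// document.cookie) and a gate, return the names that lack consent.
// Undocumented cookies are flagged too, since nobody can say they are essential.
function cookiesSetWithoutConsent(cookieNames, gate, registry = COOKIE_REGISTRY) {
  return cookieNames.filter((name) => {
    const category = registry[name] || 'unknown';
    if (category === 'essential') return false;
    if (category === 'unknown') return true;
    return !gate.isAllowed(category);
  });
}

// Browser wiring (skipped under Node): the analytics tag is injected only
// after the opt-in click, not from the page <head>. Button ids are hypothetical.
if (typeof document !== 'undefined') {
  const gate = createConsentGate();
  gate.register('analytics', () => {
    const s = document.createElement('script');
    s.src = 'https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER'; // placeholder id
    s.async = true;
    document.head.appendChild(s);
  });
  document.getElementById('accept-analytics')?.addEventListener('click',
    () => gate.recordDecision({ analytics: true }));
  document.getElementById('reject-all')?.addEventListener('click', () => gate.rejectAll());
}
```

One caveat worth keeping in mind: a script that has already run cannot be unloaded, so withdrawing consent with `rejectAll()` only stops future loads; the site still has to delete the cookies that script set and not re-inject it on the next page load, which is why the decision is persisted and read back before any loader is registered.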
A reality check
So, does this mean that businesses and website owners are rushing to adapt their sites so as to be compliant with the new ICO guidance?
In practice, and at the time of writing this, no.
The majority of sites out there are not strictly (or in some cases, even nearly) compliant.
Sure, to a certain extent that’s because it will take time for website owners (and even some designers, developers and web support companies) to fully realise what is required of them.
But there are those who are aware and are taking an ‘educated risk’ in not complying with the regulations, due to the perceived detrimental impact on the user experience and the perceived low likelihood of actually being penalised by the regulator.
And I can understand that approach.
Not advocating it, obviously.