Cookie notifications and consent post-GDPR

In this follow-up to our previous article, we’ll look at:

  • The ICO’s updated guidance (July 2019) on the use of cookies
  • The new requirements for user consent
  • The need for Cookie Control Mechanisms on your website


The background – PECR and GDPR, cookie notifications and consent

Back at the start of 2018, and before the introduction of the now infamous General Data Protection Regulation (GDPR), we wrote an article on the application of the new regulation to the existing rules on the use of cookies on small business websites.

We updated that article a number of times as some of the murkier areas of doubt became (slightly) clearer, and if you’re looking for a bit of background on the issue – including why it might be relevant to you if you’re running a website for your business – we still think it’s worth a read.

Time has now passed since the implementation of the GDPR, and we remain in what I referred to at the time as a ‘limbo’ period where the rules about cookies are mainly governed by the Privacy of Electronic Communications Regulation (or ‘PECR’, which I like, amusingly, to pronounce ‘pecker’), which should, by rights, have been updated by now in order to dovetail better with GDPR.

Well, it hasn’t been updated yet, so we’re still in a situation where the specific rules about cookies come from PECR, but there are ‘bigger picture’ principles from GDPR that in some ways conflict, making life distinctly complicated.

Some clarity

Well, back in July of 2019, we finally got some clarity on the specific issue of the use of cookies via updated guidance from the Information Commissioner’s Office (ICO). And as the ICO are the UK regulator on all things data protection, that should have been a welcome update.

Except, it wasn’t.

Or at least, it wasn’t what a lot of people were hoping for, because the updated guidance is a significant departure from the ICO’s previous guidance on the matter – and it has real implications for people running websites.

What’s changed?

The main point to note is the ICO’s position on the type of consent that is required before you can legitimately use non-essential cookies.

In general terms, you have always needed the consent of your website visitors to place cookies on their device, but in the past the concept of ‘implied consent’ was deemed to be ok.

Under implied consent, you could use the old favourite get-out-of-jail-free card that said “This website uses cookies. By using the site we assume that you accept our use of cookies”.

So, in fairness, implied consent really boiled down to “We use cookies. Get over it”.

We were just notifying the user that cookies were in use – and, chances are, they had already been set by the time the user had seen the notification.

So the purists would probably be justified in saying that there wasn’t any real consent there at all.

Implied consent is now dead. Finito.

The level of consent required for the use of cookies is now the same specific, informed, freely-given consent that is defined within GDPR:

“any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”

This means that in all cases where we do something on our website that requires the user’s consent, we must get the user to make some specific, positive action to indicate that consent – and we must do so before the event requiring consent takes place.

This boils down to one important point – which is very relevant to how we design and build websites now and, more to the point, how we may have to redesign existing sites:

Technically, we cannot set any non-essential cookies when people first land on our websites. We have to implement some form of ‘cookie control mechanism’ which blocks all non-essential cookies unless and until the user expressly says that it’s ok.

The exception

For every good rule, there’s always a good exception.

I’ve been careful so far to use the expression ‘non-essential’ cookies when referring to the requirement for specific advance consent.

That’s because there is an exception to the consent requirement that applies to ‘essential’ cookies. More correctly, cookies that are ‘essential to provide an online service at someone’s request’.

This means that cookies that perform functions like remembering the contents of a shopping cart, or providing security in an online banking transaction – without which the process could not work – are exempt from the consent requirement.

What does this mean for website owners?

For many website owners, this will mean that a review of their site and technical changes will be required if they are to be compliant with the relevant regulations.

It would be pretty unusual for a website not to use any form of cookies, and your site will almost certainly use them to some extent if:

  • It is built on a Content Management System (CMS) framework such as WordPress, or one of the website builder products from the likes of Wix or GoDaddy;
  • The site uses Google Analytics (or indeed most other analytics providers)
  • The site has embedded any form of social media content such as Twitter or Facebook timelines, YouTube videos, or social sharing features;
  • You are using social marketing tools such as Facebook pixel, Google Ads or any other mechanism that tracks user behaviour across your site.

To be compliant with the regulations, sites need some form of cookie control mechanism that ensures the cookies associated with those functions are not set unless and until the visitor gives their express consent.
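To make the ‘cookie control mechanism’ described above concrete, here is an added example (not from the original article, and not any particular consent product): a small consent gate that holds back the loaders for non-essential tags such as analytics or a marketing pixel until the visitor takes a positive action, and records that choice in a first-party cookie. The cookie name, the `v1:` record format and the three category names are assumptions for the example.

```javascript
// Added example, not the article's code: a minimal cookie control mechanism.
// Loaders for non-essential tags (analytics, marketing pixels, social embeds)
// are registered per category and held back until the visitor takes a positive
// action. The default is "no consent", so nothing non-essential runs on first
// landing. The consent record lives in a first-party cookie, treated here as
// essential because it exists only to honour the visitor's choice.

const CONSENT_COOKIE = 'cookie_consent';             // assumed cookie name
const CATEGORIES = ['analytics', 'marketing', 'social']; // assumed categories

// Parses "cookie_consent=v1:analytics,marketing" out of a Cookie header.
// Anything missing or malformed means "not consented", never "implied".
function parseConsentCookie(cookieHeader) {
  const granted = Object.fromEntries(CATEGORIES.map((c) => [c, false]));
  const raw = cookieHeader.split(/;\s*/).find((c) => c.startsWith(CONSENT_COOKIE + '='));
  if (!raw) return { granted, recorded: false };
  const [version, list = ''] = raw.slice(CONSENT_COOKIE.length + 1).split(':');
  if (version !== 'v1') return { granted, recorded: false };
  for (const c of list.split(',')) if (c in granted) granted[c] = true;
  return { granted, recorded: true };   // recorded with an empty list = declined
}

function createConsentGate(cookieHeader = '') {
  const state = parseConsentCookie(cookieHeader);
  const pending = {};                                 // category -> [loader]

  // Register a loader (e.g. a function that injects the analytics <script>).
  // It runs now only if that category was already consented to.
  function whenConsented(category, loader) {
    if (!CATEGORIES.includes(category)) throw new Error('unknown category ' + category);
    if (state.granted[category]) loader();
    else (pending[category] = pending[category] || []).push(loader);
  }

  // Call only from an explicit user action such as an "Accept" button click.
  function grant(categories) {
    for (const c of categories) {
      if (!CATEGORIES.includes(c) || state.granted[c]) continue;
      state.granted[c] = true;
      (pending[c] || []).splice(0).forEach((loader) => loader());
    }
    state.recorded = true;
  }

  function decline() { state.recorded = true; }       // remember the refusal too

  // Set-Cookie value persisting the choice; the 180-day lifetime is illustrative.
  function serialise() {
    const list = CATEGORIES.filter((c) => state.granted[c]).join(',');
    return `${CONSENT_COOKIE}=v1:${list}; Path=/; Max-Age=15552000; SameSite=Lax; Secure`;
  }

  return { whenConsented, grant, decline, serialise, state };
}
```

In a real page the loaders would insert the third-party script tags, and `serialise()` would be written with `document.cookie` or a `Set-Cookie` header once the visitor has clicked; a returning visitor's `Cookie` header is passed to `createConsentGate` so their earlier choice is honoured without re-prompting.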

A reality check

So, does this mean that businesses and website owners are rushing to adapt their sites so as to be compliant with the new ICO guidance?

In practice, and at the time of writing this, no.

The majority of sites out there are not strictly (or in some cases, even nearly) compliant.

Sure, to a certain extent that’s because it will take time for website owners (and even some designers, developers and web support companies) to fully realise what is required of them.

But there are those who are aware and are taking an ‘educated risk’ in not complying with the regulations, due to the perceived detrimental impact on the user experience and the perceived low likelihood of actually being penalised by the regulator.

And I can understand that approach.

Not advocating it, obviously.