17 September 2019
In many ways the updated guidance doesn’t tell us much more than we already knew, but it does provide useful confirmation. The guidance is also an indication of where the ICO’s regulatory scrutiny might (and might not) lie and, on this note, it is interesting that the updated guidance coincided with the ICO updating its own cookie control mechanism, which didn’t previously meet the standards set out in the updated guidance (after all, those in glass houses shouldn’t throw stones).
It therefore remains to be seen whether the ICO is gearing up to enforce an area of law which to date has not been a priority. Meanwhile, here are the headline points.
2. Analytics and advertising cookies are not exempt: no consent is required for ‘strictly necessary cookies’, but this exemption is interpreted narrowly, and analytics cookies are not essential to the functionality of the website. However, the ICO has indicated (but not promised) that it will not take action for non-compliance if the particular analytics cookie is not ‘privacy intrusive’ (hint – proceed with caution when using analytics cookies provided by third-party tech giants). Likewise, and while it may be obvious to those of us who eat cookies for breakfast, advertising cookies are not ‘necessary’, even if the website operator relies on advertising income to provide its website.
3. Transparency and consent go hand-in-hand: consent will only be valid if it is informed, so make sure to provide users with clear and comprehensive information in an easy-to-digest (last pun, that’s a promise) format, including naming third parties that set cookies. No matter how sophisticated the opt-in mechanism, consent will not be achieved if this step is missed.
5. Email tracking pixels are caught: pixels (and other tech) embedded within emails can tell marketers whether emails have been read and can collect other useful information. The guidance confirms that the usual consent rule is engaged but unfortunately doesn’t offer any practical tips for overcoming this rather tricky hurdle.
6. Consent through browser settings can’t be relied on: the ICO accepts that this might be possible in the future but for now it won’t work because it cannot be assumed that each website visitor can configure their settings, and not everyone will be using the same version or type of browser.
7. Consent doesn’t last forever: how long should cookies last? There’s no one-size-fits-all approach but, as always, context is everything. However, as a general principle, the duration needs to be proportionate and necessary to achieve the purpose for which the cookie is set.
8. Respect user choice: it’s a point that is sometimes overlooked by tech teams – don’t use non-essential cookies on the website landing page or allow any non-essential technologies to run until after the user has given consent. No matter how compliant the website appears to be, all the good work will be undone if non-essential technologies are used regardless of the user’s choice.