The Information Commissioner's Office (ICO) has issued new guidance regarding the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR), known more simply as the “cookie law”, following the introduction of GDPR last year. PECR establish that the only valid legal basis for communicating with a person electronically or remotely is if you have that person’s consent to do so. In particular, PECR apply to the use of cookies by websites.
GDPR introduced a new definition of “consent” in May 2018 and since then there has been a question as to what approach the ICO would take to some common practices in relation to many organisations’ websites. The ICO has now issued some guidance, and at the same time changed the way its own website works.
The ICO confirmed, as many suspected, that since “consent” is the only valid legal basis for using cookies online under PECR, any references to using cookies in the legitimate interests of a website operator are mistaken. Furthermore, it is no longer acceptable to rely on “implied consent” in relation to the use of non-essential cookies. This means that all of the following are now likely to be regarded as non-compliant: reliance on browser settings as evidence of consent, statements such as “continued use of this website will be taken as consent to our use of cookies”, and the use of pre-ticked or recommended boxes.
Perhaps surprisingly, analytics cookies are regarded as non-essential and, even though the information may be anonymous, the ICO require that consent be obtained before analytics cookies are used. Basically, the ICO have taken the view that because analytics cookies do not affect the functionality of the website, they are not essential.
The key instructions are that users of a website should be put in control of what cookies are used. Websites must be clear about what non-essential cookies are used and what they do.
The ICO state that the use of cookies will be an “increasing regulatory priority” but their approach to regulation shall be proportionate. The ICO state that some website operators may have little to do while others may have much to do. The message to them is “start now, conduct a cookie audit and document your decisions and you will have nothing to fear”.