What’s the big deal with cookies? I’m not talking about the tasty kind. I’m talking about those little digital footprints that affect your user experience online; the things responsible for those annoying banners you can’t get rid of until you grudgingly accept their use, close the webpage you’re on, or find yourself faced with a cookie wall denying access to the site.
Since the implementation of the GDPR there’s been a mad scramble to update cookie policies in order to be compliant. For the most part, it’s all about obtaining consent, but many organisations are still unaware of what this means in practice.
This is seen in the fact that sites that give you the option of providing your freely given, specific, informed and unambiguous consent in a clear way are few and far between.
However, the topic of cookies has finally hit the headlines and it appears that they will no longer be ignored by the regulators. The French regulator, CNIL, has declared cookies are a top priority and the UK’s ICO has joined in by releasing its Adtech report and updated cookie guidance.
The ICO recently came under criticism for using a cookie banner on its own site, which contradicted the legislation. Perhaps this was what prompted the body to release updated guidance in this area and set the standard expected.
The legislation tells us that unless the cookies are “strictly necessary” then consent from the user is the most appropriate lawful basis to use. Historically, there has been confusion over whether it follows that the lawful basis for processing under Data Protection legislation is consent or legitimate interests. Helpfully, the ICO’s updated guidance tells organisations that the most appropriate lawful basis is consent and the use of legitimate interests is an “entirely unnecessary exercise”.
The guidance does still leave some ambiguity by adding that it is still possible to rely on a different lawful basis for subsequent processing. So, it appears possible for processors receiving the data to still rely on the basis of legitimate interests. Nevertheless, the guidance does warn that implied consent, silence or inactivity are not in line with the standard outlined in the GDPR and do not amount to a clear affirmative action. In a nutshell, as a user, you need to take clear and unambiguous action to show that you agree.
The guidance goes further by adding that even an ‘I accept’ button may not be enough to meet the standard of consent. The user must be given a genuine choice and not be pressed into clicking the consent button. It clarifies that relying on the user’s browser settings to indicate consent is unlikely to meet the requirements of ‘consent’ or the ICO’s expectations.
The guidance also deals with cookie walls (which require the user to accept or agree to cookies before entering the site) by clarifying that this ‘take it or leave it’ approach is inappropriate and does not give the user a free choice.
The guidance implores organisations to ask: are the cookies deployed ‘strictly necessary’ for the website to function? Simply put, unless the website cannot function without the cookies, the consent of the user is required.
Cleaning up the crumbs
Yet, not all regulators agree with one another. While the ICO has revised its banner, the CNIL removed its version altogether. It tells users that it will not deposit any tracking devices until the user has actively consented by going onto their cookie management module.
That aside, the fact we now have regulator guidance means that organisations would be well advised to review their cookie banners to ensure they adhere to it and meet the requirements of valid consent under the GDPR.
Written by Becky Nicholson, Data Privacy Consultant