Updates to ICO Cookies Guidance what you need to know Averma Website Design Crawley

Updates to ICO Cookies Guidance: what you need to know


Earlier this month, the Information Commissioner’s Office (ICO) issued updates to its Cookie guidance to offer greater clarity on the do’s and don’ts for website owners and developers. A pretty complex issue, the use of Cookies has been debated since GDPR was introduced last year. Technically, Cookie use falls under the Privacy and Electronic Communications Regulations (PECR), yet it also falls within the scope of principles shared with GDPR.

Read the full guide: Guidance on the use of Cookies and similar technologies.  

The ICO insists that some will have no changes to make, but others have a long way to go to achieve compliance. This is blamed in part on the lack of clarity surrounding when and where consent is given for Cookies. Some Cookies are essential for the delivery of the service, and it is not these that the updates apply to. The trick is knowing the difference.

What type of Cookies require consent and how can you tell?

Under GDPR standards, the requirement for consent is far stricter than previously under PECR, and this is one area that has been hotly debated. It is rumoured that PECR will be updated in line with GDPR over the next few years or sooner, but as yet there is still a crossover.

Many still believe that implied consent is enough. This is not correct, as active consent to non-essential Cookies is the general rule – this means no pre-filled forms or tick boxes to untick if consent is not given. Visitors must be guided to actively give consent and manually tick those boxes. This is just an example, as there are many, many more possible variants within the guidelines, such as the non-compliant, yet still popular ‘Cookie wall’ which tells you that by continuing to the site you agree to its Cookie policy – no more.

ICO has updated its Cookie consent policy and displayed it as the epitome of ‘good Cookies policy’. We’ve displayed it here to share it with you.

The general rule of thumb, it appears, is that unless the Cookies are essential – i.e. they’re needed for core functionality and security – then you need to seek permission.

This also includes analytics Cookies, which are not part of the essential Cookies group. It also encompasses other types of online identifiers, such as device fingerprinting, pixel tags and MAC addresses.

What can you do to meet Cookies guidance and comply?

While the ICO understands the importance of Cookies, it is firm in the belief that data privacy and protection are paramount. Under both PECR and GDPR, this is the core issue.

It is recommended that you carry out a ‘Cookie audit’ and identify, assess and confirm the purpose of your Cookies, where they link to and where data is stored. Then you can clarify where you need to tighten up your permissions.

As a general set of guidelines, the ICO say:

  • your users must take a clear and positive action to consent to non-essential cookies
  • your websites and apps must tell users clearly what cookies will be set and what they do – including any third party cookies
  • pre-ticked boxes or any equivalents, such as sliders defaulted to ‘on’, cannot be used for non-essential cookies
  • your users must have control over any non-essential cookies
  • non-essential cookies must not be set on landing pages before you gain the user’s consent.

Can we help?

Here at Averma, we’re used to the ever-changing online landscape and carefully research new releases, updates and compliance guidelines for our clients. We make sure we stay up-to-date, so you don’t have to. Talk to us today about Cookies and we’ll assess your online presence to help you stay compliant.