The Information Commissioner’s Office (ICO) has recently clarified their position on cookies and how they are affected by the General Data Protection Regulation (GDPR) and Privacy & Electronic Communications Regulation (PECR) 2003.

We’re always here to help the sector with advice and support around Cookies and all things data, and this is what our friends at Native’s said way back in 2012. 

But this most recent update finally answers the question many marketers have been dying to know in this post-GDPR world we’re living in: What do we need to do about cookies?

Before this update, PECR required websites to notify and gather some kind of consent from users to store cookies in their browsers. There were many interpretations of this across the net; however, the most common was some form of the ‘cookie banner’. This usually contained a notice that cookies would be used, and varying degrees of control given to users, ranging from a ‘click OK to accept’ through to a ‘by continuing to use this website, you are consenting to cookies being stored in your browser for reasons.’

In the lead-up to GDPR being enforced (still have questions in regards to GDPR? Fear not) many marketers were wondering if and when the Privacy and eCommunications Directive would be updated, considering the plan was to align the ePrivacy directive with GDPR harmoniously, considering how closely intertwined the respective areas were. Unfortunately, the ePrivacy regulation is still meandering through the European Union legislative system and is not expected to be enforced this year due to the recent European Parliament Elections and newly selected Commission.

This presented a problem for many marketers, as the processing of information stored in cookies is a crucial element of marketing strategies, and whilst the GDPR was leaning in one direction (whilst also threatening hefty fines), the existing Privacy and Electronic Communications Regulation (PECR) 2003 had a more relaxed position and did not conclusively say what type of consent was needed to place cookies on a browser.

The recent clarification makes it clear that a site needs consent to place cookies on a user’s browser if that cookie is not necessary for the functioning of the website. Furthermore, the consent that is required is to the same standard as GDPR.

That means that consent for cookies must be freely given; specific; unambiguous; informed, and must include a clear affirmative action. 

But that’s not all. Generally, if you are collecting and processing data that does not constitute personally identifiable information, then that collection is not in-scope of the GDPR and may require no legal basis to collect. However, whether or not your cookies are collecting PII is irrelevant under PECR. If they are doing more than enabling the website to function, they must have consent, and that consent must be to the same standard as GDPR.

How does this affect us?

Well, first things first, it’s time for the Cookie Banner to evolve. With the new ruling, the Cookie Banner you present to your users needs to be sophisticated enough to ascertain informed consent, and provide users with adequate information regarding your Cookie policy. No longer is it enough to just announce you are using Cookies and users clicking “ok” or “accept” and continuing onto the site acquires that consent… Which the majority of users just click ‘accept’ as quickly as possible to simply remove it’s annoying presence from their screen, anyway. With the new regulations surrounding cookies, it is now necessary to have a much more transparent stance on how you use cookies, and our friends from Student Hut are the perfect example who are well within the new guidelines. Want to see what the teacher pets (Sorry Student Hut) have done? Find it here.

Consent for cookies must be freely given; specific; unambiguous; informed; and must include a clear positive, affirmative action. Consent ascertained for Cookie use must be to the same standard as to what is required for GDPR. 

If your marketing strategy involves cookies at any stage, you must ensure that your cookie usage is compliant. This blog post should not be used as legal advice, if you are unsure if your cookie policy or cookie banner is not compliant, you should consult a legal professional. More information can be found here.