The Information Commissioner’s Office (ICO) has recently clarified their position on cookies and how they are affected by the General Data Protection Regulation (GDPR) and Privacy & Electronic Communications Regulation (PECR) 2003.
We’re always here to help the sector with advice and support around cookies and all things data, and this is what our friends at Native said on the subject back in 2012.
But this most recent update finally answers the question many marketers have been dying to know in this post-GDPR world we’re living in: What do we need to do about cookies?
Before this update, PECR required websites to notify and gather some kind of consent from users to store cookies in their browsers. There were many interpretations of this across the net; however, the most common was some form of the ‘cookie banner’. This usually contained a notice that cookies would be used, and varying degrees of control given to users, ranging from a ‘click OK to accept’ through to a ‘by continuing to use this website, you are consenting to cookies being stored in your browser for reasons.’
In the lead-up to GDPR being enforced (still have questions about GDPR? Fear not), many marketers were wondering if and when the ePrivacy Directive would be updated, since the plan was to align it with GDPR, given how closely intertwined the two areas are. Unfortunately, the ePrivacy Regulation is still meandering through the European Union legislative system and is not expected to be enforced this year, due to the recent European Parliament elections and the newly selected Commission.
This presented a problem for many marketers, as the processing of information stored in cookies is a crucial element of marketing strategies, and whilst the GDPR was leaning in one direction (whilst also threatening hefty fines), the existing Privacy and Electronic Communications Regulation (PECR) 2003 had a more relaxed position and did not conclusively say what type of consent was needed to place cookies on a browser.
The recent clarification makes it clear that a site needs consent to place cookies on a user’s browser if that cookie is not necessary for the functioning of the website. Furthermore, the consent that is required is to the same standard as GDPR.
That means that consent for cookies must be freely given, specific, unambiguous and informed, and must include a clear affirmative action.
But that’s not all. Generally, if you are collecting and processing data that does not constitute personally identifiable information, then that collection is not in scope of the GDPR and may require no legal basis. However, whether or not your cookies are collecting PII is irrelevant under PECR: if they are doing more than enabling the website to function, they require consent, and that consent must be to the same standard as GDPR.
How does this affect us?
Consent for cookies must be freely given, specific, unambiguous and informed, and must include a clear, positive, affirmative action. Consent obtained for cookie use must meet the same standard that GDPR requires.