‘Click Here to Accept Updated Cookie Guidance’
What is a Cookie?
In the world of digital technology, a cookie is more than milk’s favorite companion. Indeed, the term “cookie” is often used to refer to a number of technologies placed on webpages that are used for various purposes, including web beacons, clear gifs and tracking pixels. Here, we will use the term “cookie” to generally refer to all of these technologies. Cookies may be first party or third party, persistent or session, and strictly necessary or non-essential. First party cookies are those set directly by the website the user is visiting, while third party cookies are set by a domain other than the one the user is visiting (e.g., a third party service provider). Cookies that expire at the end of a browser session are called session cookies, while those that can be stored for longer are called persistent cookies. Strictly necessary cookies are, for example, those that help ensure the content of a page loads quickly and effectively, while cookies used for analytics or advertising purposes are more for internal website operator purposes and are not deemed strictly necessary.
Both the UK and French regulators have taken steps to clarify their position on cookies, and both have come to a similar conclusion—implied consent is not ok for non-essential cookies.
- Analytics cookies are not strictly necessary. While analytics certainly provide organizations with useful information, they are not part of the functionality that a user requests when using a website; therefore, consent is required.
- Cookie walls that restrict access to a website until users consent are not permitted. This approach is unlikely to represent valid consent; however, there are differing opinions and practical considerations around the use of partial cookie walls. The ICO will be seeking submissions on this point from interested parties. For now, any website operator considering a cookie wall should carefully document its thought process before implementing one.
- Organizations cannot rely on legitimate interests to set cookies. Consent is always required for non-essential cookies.
- The ICO does not want online services to stop using cookies. The ICO recognizes that cookies and similar technologies are important in ensuring the functionality and convenience of digital services, but would like cookies to be used in a compliant way.
Similarly, in France, the French data protection authority, the Commission nationale de l’informatique et des libertés (CNIL), announced its 2019-2020 action plan that includes replacing its 2013 recommendations on cookies and other tracking technologies. Like the ICO, the CNIL is clarifying that implied consent will not suffice in its view either. Because guidelines from the European Data Protection Board explicitly exclude scrolling down, swiping or browsing a website or application as valid consent, the CNIL’s 2013 recommendations, which allow obtaining consent through these means, are no longer in line with the applicable rules. The CNIL’s new guidance is expected soon. From publication, the CNIL will give stakeholders 12 months to comply with the new guidance. During this transition period, scrolling down, swiping or browsing will still be acceptable. It is important to note, however, that the CNIL will still investigate complaints to ensure that, among other things, no cookie is placed until the user has actively consented.
We recommend reviewing existing cookie notice and consent mechanisms to ensure they are in line with this new guidance. Some helpful first steps for website operators include the following:
- Ensure that non-essential cookies are not placed on the website landing page. Non-essential cookies may be placed after the user accepts cookies, but should not be placed before. Given this, it is helpful for some operators to not have such cookies on the landing page.
- Obtain affirmative opt-in to non-essential cookies. This means that a user should be required to tick a box, switch a toggle to “on” or take another affirmative step to demonstrate consent to non-essential cookies.
- Allow users to continue to use the website if they do not consent to non-essential cookies because use of a website must not be conditioned upon a user providing more information (including through cookies) than is needed to serve the website to such user.
- Provide users with an easily accessible means to control non-essential cookies.
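The first step above can be checked mechanically. The following is an added example, not part of the original article: it audits `Set-Cookie` headers captured while loading a landing page before any consent was given, using the first party/third party and session/persistent distinctions described earlier. The cookie names, hosts and the strictly necessary allowlist are constructed assumptions, and the first-party test is a simplified host comparison.

```javascript
// Added example: audit cookies set on a landing page BEFORE the user consents.
// Cookie names, hosts and the allowlist below are constructed for illustration.

// The operator's own list of strictly necessary cookies (assumption).
const STRICTLY_NECESSARY = new Set(["session_id", "csrf_token"]);

// Parse one Set-Cookie header value into a name plus lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: eq === -1 ? pair : pair.slice(0, eq), attrs: {} };
  for (const a of attrs) {
    if (!a) continue;
    const i = a.indexOf("=");
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : a.slice(i + 1);
  }
  return cookie;
}

// Simplified: first party if the setting host is the page host or a subdomain.
// (Browsers compare registrable domains; that needs a public suffix list.)
function isFirstParty(pageHost, setterHost) {
  return setterHost === pageHost || setterHost.endsWith("." + pageHost);
}

// Classify each observed cookie and flag those that needed prior opt-in.
function auditPreConsent(pageHost, observed) {
  return observed.map(({ host, header }) => {
    const c = parseSetCookie(header);
    // Expires or a positive Max-Age makes the cookie outlive the session.
    const persistent = "expires" in c.attrs || Number(c.attrs["max-age"]) > 0;
    return {
      name: c.name,
      party: isFirstParty(pageHost, host) ? "first" : "third",
      lifetime: persistent ? "persistent" : "session",
      violation: !STRICTLY_NECESSARY.has(c.name), // non-essential, set pre-consent
    };
  });
}

// Constructed sample: headers seen while loading the landing page, no consent yet.
const SAMPLE = [
  { host: "shop.example", header: "session_id=abc123; Path=/; HttpOnly; Secure" },
  { host: "shop.example", header: "_analytics=GA1.2.1; Max-Age=63072000; Path=/" },
  { host: "ads.tracker.example", header: "uid=77; Expires=Wed, 01 Jan 2031 00:00:00 GMT" },
];

console.table(auditPreConsent("shop.example", SAMPLE).filter((r) => r.violation));
```

Running the same audit again after the user opts in shows which cookies are correctly gated behind the consent step.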