The concept of consent under the e-Privacy rules is derived from EU data protection law. The standards of consent were recently toughened with the introduction of the General Data Protection Regulation (GDPR).
The ICO's updated cookies guidance is a reflection of the regulator's desire to help businesses conform to the new GDPR-era standards when using cookies.
The ICO also makes clear that cookie consent mechanisms must be kept separate from other website terms and conditions that businesses deploy.
Analytics cookies and enforcement
The ICO's approach to analytics cookies is confirmed in its guidance.
"You are likely to view analytics as ‘strictly necessary’ because of the information they provide about how visitors engage with your service," the ICO said. "However, you cannot use the strictly necessary exemption for these. Consent is required because analytics cookies are not strictly necessary to provide the service that the user requests. For example, the user can access your online service whether analytics cookies are enabled or not."
"Ultimately, you have to provide clear information to users about analytics cookies and to take steps to seek their consent," the ICO said. "This is likely to involve making the argument to show users why these cookies are useful to them – but you must ensure if you do this you aren’t leading the user to one option over another."
The ICO's position that analytics cookies do not fall within the 'strictly necessary' exemption is not new. It explained as much in 2012. However, at that time it also confirmed that it would be "highly unlikely" to pursue enforcement action against businesses using their own analytics cookies without consent where they were low on their "intrusiveness and risk of harm to individuals" and where the businesses had "provided clear information" about their use.
The ICO's revised guidance confirms that businesses that fail to obtain consent in respect of first-party analytics cookies remain unlikely to face enforcement action today, but it highlighted that it is likely to take a stiffer approach in relation to first-party analytics cookies provided by a third party.
The ICO was clear in a blog published alongside its new cookies guidance, though, that cookie compliance will be an increasing regulatory priority for it, although "future action would be proportionate and risk-based". "Web and cross device tracking for marketing (including for political purposes)" is third on the ICO's list of regulatory priorities for 2018/19.
Website operators are advised to "start working towards compliance now – undertake a cookie audit, document your decisions, and you will have nothing to fear".
Commercial impact and cookie walls
There is a strong commercial argument against rules requiring consent to analytics cookies, particularly where the data being collected is anonymised.
Data gathered from analytics cookies helps businesses understand which of their online products, services and other content has gained traction, helping to shape future development of those services and improve the customer's online journey. Requiring visitors to actively enable analytics cookies risks missing out on a substantial majority of data, and could result in businesses having to run their websites blind. Ultimately, this is to the disadvantage of consumers.
Last year the European Data Protection Board (EDPB) said the use of so-called "cookie walls" runs contrary to the GDPR, and said they should not be provided for in the proposed new EU e-Privacy Regulation.
At the time, it said: "In order for consent to be freely given as required by the GDPR, access to services and functionalities must not be made conditional on the consent of a user to the processing of personal data or the processing of information related to or processed by the terminal equipment of end-users, meaning that cookie walls should be explicitly prohibited".
Echoing that view, the Dutch data protection authority wrote to some website operators in the country after it received "dozens" of complaints about the use of cookie walls. It said it did not believe cookie walls conform to the GDPR standards of consent, stating that "permission is not 'free' if someone has no real or free choice… or if the person cannot refuse giving permission without adverse consequences".
The ICO's view on cookie walls is more nuanced. In its guidance it suggested businesses may be able to justify their use in certain circumstances.
"If your use of a cookie wall is intended to require, or influence, users to agree to their personal data being used by you or any third parties as a condition of accessing your service, then it is unlikely that user consent is considered valid," the ICO said. "However, it should be noted that not all cookie tracking is necessarily intrusive or high risk."
"Furthermore, the GDPR is clear that the right to the protection of personal data: is not absolute; should be considered in relation to its function in society; and must be balanced against other fundamental rights, including freedom of expression and the freedom to conduct a business. The key is that individuals are provided with a genuine free choice; consent should not be bundled up as a condition of the service unless it is necessary for that service," it said.
In its blog, the ICO added that the use of cookie consent statements such as 'by continuing to use this website you are agreeing to cookies' would be invalid under the GDPR. It said, though, that it is aware of "differing opinions as well as practical considerations around the use of partial cookie walls" and "will be seeking further submissions and opinions on this point from interested parties".
Consent via browser settings
A further controversial topic that the ICO's updated guidance addresses is whether web browser settings can confer an internet user's consent to cookies.
The ICO said businesses cannot, currently, solely rely on browser settings for demonstrating user consent. It did, though, explain how browser settings can indicate consent in certain circumstances.
"For consent to be clearly signified it would need to be clear that users and subscribers had been prompted to consider their current browser settings," it said. "This would require evidence of either a positive action that the subscriber was happy with the default, or otherwise made a decision to change the settings."
"Browsers may also include other features such as tracking protection options. Depending on the browser, these may be either enabled by default or require the user to configure them. There is also a range of browser extensions and add-ons for various web browsers that users can install to further manage their cookie preferences. However, you should be aware that not everyone accessing websites will do so with the same version or type of browser, or even use a traditional web browser at all. This is particularly important when considering web browsers and apps on other devices such as smartphones, tablets, smart TVs, wearable technology or other 'Internet of Things' devices," it said.
The business impact and a look at future reforms
All of this means businesses are likely to have to make technical changes to their existing cookie consent mechanisms to comply with the ICO's guidance.
Yet, for businesses operating cross-border in Europe, further changes are imminent.
CNIL, France's data protection authority, is to publish its own new cookies guidance before the end of this month. It has said that it will give businesses 12 months to "comply with the principles that diverge from the previous recommendation".
Further CNIL guidance on the practicalities of obtaining consent is expected to be issued by the regulator next year. It said it will first consult with industry with the aim of describing "the practical arrangements for collecting consent".
Both the ICO and CNIL are in an invidious position. They are responsible for ensuring compliance with privacy rules and must necessarily update their guidance to reflect the changed legal standards since the GDPR took effect. However, their guidance could have a short lifespan, since EU law makers are in the process of updating the e-Privacy regime.
Plans to replace the existing e-Privacy Directive with a new e-Privacy Regulation were first outlined in 2017, but, while MEPs agreed the European Parliament's negotiating position on the reforms in October 2017, the reforms have been delayed due to disagreements within the Council of Ministers between EU member state governments over the new standards that should apply.
In March this year, the then Romanian presidency of the Council of Ministers suggested that the new e-Privacy Regulation should provide businesses with scope to use cookie walls.
"Conversely, in some cases, making access to website content conditional to consent to the use of such cookies may be considered to be disproportionate. This would normally be the case for websites providing certain services, such as those provided by public authorities, where the user could be seen as having few or no other options but to use the service, and thus having no real choice as to the usage of cookies," it said.
However, the Romanian government was unable to obtain consensus for its plans before the European elections in May and the conclusion of its term as presidency of the Council at the end of June. Finland has now taken over the presidency and will be responsible for driving forward work on the reforms. Finland has already said that "developing a balanced framework for utilising [data] is critical" to broader ambitions of sustainable growth in the EU.
It is possible that a stripped-back version of the e-Privacy Regulation as originally proposed will emerge. The general secretariat of the Council of Ministers asked governments of EU member states in late June to set out the parts of the regulation that they consider to be "the most essential". Certainly, agreement on the text within the Council does not seem to be imminent, and even if common ground can be found there would remain a final hurdle of reaching consensus with the European Parliament, which wants a ban on cookie walls.
For businesses all this means that the overall picture on cookie compliance is a confusing one.
From the ICO's guidance it seems fairly clear that, for now, consent at a website level is required and the onus remains with the service provider to obtain and demonstrate a valid consent.
The technical cost of the ICO’s guidance could be significant for businesses, which face a number of issues and will need to:
- conduct a complete cookie audit and understand what cookies or similar devices apply to the webpages and applications controlled by them;
- understand what legacy data is held and how this can continue to be used and shared in light of the new requirements;
- develop technical solutions to allow for the introduction of dynamic cookie consent mechanisms and the prevention of non-essential cookies being set before consent has been given;
- change existing processes – it is clear that the general 'market standard' practice of implied consent is no longer permissible;
- engage with third party cookie providers, which often seek to put the onus on the original service provider to obtain GDPR-level consent for third party cookies, to ensure that this is now only done with clear consent;
- minimise the impact on the customer journey, where in many cases the consent banner takes over such a high portion of the screen; and
- potentially reverse all the work carried out to comply with the ICO's guidance, if the e-Privacy Regulation is adopted in its current form.
One of the areas the guidance is silent on is how the new guidelines apply to legacy data collected and continuing to be processed or which has been shared and may form part of user profiles for service delivery, marketing or more.
When the GDPR came into force the ICO said previous data could be used as long as it met with the new standard for consent and compliance obligations under the GDPR. This led to a storm of re-consenting activity. It will be interesting to see how the consent mechanism is now applied in relation to data already held and if re-consenting would be required to ensure use of legacy data gathered from cookies is valid and the processing complies with the legal conditions applicable.
Claire Edwards and Rachel Forbes are information law experts at Pinsent Masons, the law firm behind Out-Law.