The commercial impact of new UK guidance on the use of cookies could be significant, not least because the goalposts could move again in a matter of months.
On the one hand, clarification from the UK's Information Commissioner's Office (ICO) on its thinking on compliant use of cookies in the post-GDPR era is welcome. On the other, however, the new guidance forces businesses to revisit their consent mechanisms at great financial cost and at the risk of losing access to important data only to have to revise them again in the not-too-distant future – further guidance is anticipated from the French data protection regulator and there is the prospect of new EU legislation affecting cookies in the pipeline.
Businesses may be tempted to delay making changes in response to the ICO's guidance so as to wait for the further reforms on the horizon. However, this is a risk given the ICO's approach to cookies law enforcement.
Cookies are small text files that record internet users' online activity. EU rules set out in the Privacy and Electronic Communications (e-Privacy) Directive state that storing and accessing information on users' computers is, generally, only lawful "on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information ... about the purposes of the processing".
An exception to the consent requirements exists where the cookie is "strictly necessary" for the provision of a service "explicitly requested" by the user.
The concept of consent under the e-Privacy rules is derived from EU data protection law. The standards of consent were recently toughened with the introduction of the General Data Protection Regulation (GDPR).
Consent must, in general, be freely given, specific and informed. It must also be an unambiguous indication of the data subject's wishes that is stipulated by a statement or by a clear affirmative action. Explicit consent is required in instances where businesses intend to process sensitive personal data, including through the use of cookies.
The ICO's updated cookies guidance is a reflection of the regulator's desire to help businesses conform to the new GDPR-era standards when using cookies.
Some practices which were permitted before, including being able to rely on 'implied consent' to the use of cookies, are no longer considered compliant.
The ICO also makes clear that cookie consent mechanisms must be kept separate from other website terms and conditions that businesses deploy.
The guidance is also more specific about the transparency obligations facing businesses using cookies. It confirms that businesses should present "clear information" about the use of cookies to users "when they first visit your service", and provide more detailed information "in a privacy or cookie policy accessed through a link within the consent mechanism and at the top or bottom of your website".
The ICO's own new cookie pop-up for its website offers further insight into the regulator's idea of best practice on this point. The pop-up explains that some cookies the ICO deploys are necessary and some are optional. According to the ICO's approach, consent to cookies can be addressed by way of categories. It does not appear to be necessary to get consent for every cookie on an individual basis, provided there is enough detail in the cookie policy to back up such an approach. A link to the ICO's full cookie policy, offering more detail, is provided within the pop-up, but it is clear from that tool that visitors need to actively opt in to permit analytics cookies being deployed on their devices.
The ICO's approach to analytics cookies is confirmed in its guidance.
"You are likely to view analytics as ‘strictly necessary’ because of the information they provide about how visitors engage with your service," the ICO said. "However, you cannot use the strictly necessary exemption for these. Consent is required because analytics cookies are not strictly necessary to provide the service that the user requests. For example, the user can access your online service whether analytics cookies are enabled or not."
"Ultimately, you have to provide clear information to users about analytics cookies and to take steps to seek their consent," the ICO said. "This is likely to involve making the argument to show users why these cookies are useful to them – but you must ensure if you do this you aren’t leading the user to one option over another."
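The consent model the guidance describes, as an added illustration that is not code from the ICO or from the article: optional categories default to refused, only a clear affirmative choice grants them, implied consent (continuing to browse) changes nothing, and the decision is recorded with a timestamp and policy version so the operator can demonstrate it later. The category names, the policy version string and the in-memory state shape are assumptions for the demo.

```javascript
// Added example, not from the ICO or the article. Category names, the
// policy version string and the state shape are assumptions.
const POLICY_VERSION = "cookie-policy-v1"; // assumed identifier

// Categories offered in the pop-up. Only "necessary" may be used without
// consent (the 'strictly necessary' exemption); analytics defaults to off.
const CATEGORIES = {
  necessary: { exempt: true },
  analytics: { exempt: false },
};

// Fresh consent state: no optional category is granted until the user takes
// a clear affirmative action. Scrolling or continuing to browse ("implied
// consent") never calls recordConsent, so the state stays refused.
function newConsentState() {
  return { policyVersion: POLICY_VERSION, decidedAt: null, granted: { analytics: false } };
}

// Records a positive choice made in the consent mechanism. `choices` holds
// the optional categories the user explicitly ticked; anything not ticked,
// or not a boolean true (e.g. a pre-ticked form value "on"), stays refused.
// The timestamp and policy version are the evidence kept to show consent.
function recordConsent(state, choices, now = Date.now()) {
  const granted = {};
  for (const name of Object.keys(CATEGORIES)) {
    if (CATEGORIES[name].exempt) continue;
    granted[name] = choices[name] === true;
  }
  return { ...state, decidedAt: now, granted };
}

// Gate for setting or reading a cookie of the given category.
function mayUse(state, category) {
  const def = CATEGORIES[category];
  if (!def) return false;       // unknown category: not permitted
  if (def.exempt) return true;  // strictly necessary, no consent needed
  // Optional cookies need a recorded decision under the current policy.
  return state.decidedAt !== null
    && state.policyVersion === POLICY_VERSION
    && state.granted[category] === true;
}

// Withdrawal must be as easy as granting; analytics stops immediately.
function withdrawConsent(state, category, now = Date.now()) {
  return recordConsent(state, { ...state.granted, [category]: false }, now);
}
```

Before loading an analytics script, call `mayUse(state, "analytics")`; a site that loads it on page view without that check is relying on the implied consent the guidance rules out.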
The ICO's position that analytics cookies do not fall within the 'strictly necessary' exemption is not new. It explained as much in 2012. However, at that time it also confirmed that it would be "highly unlikely" to pursue enforcement action against businesses using their own analytics cookies without consent where they were low on their "intrusiveness and risk of harm to individuals" and where the businesses had "provided clear information" about their use.
The ICO's revised guidance confirms that businesses that fail to obtain consent in respect of first-party analytics cookies remain unlikely to face enforcement action today, but it highlighted that it is likely to take a stiffer approach in relation to first-party analytics cookies provided by a third party.
The ICO was clear in a blog published alongside its new cookies guidance that cookie compliance will be an increasing regulatory priority for it, although "future action would be proportionate and risk-based". "Web and cross device tracking for marketing (including for political purposes)" is third on the ICO's list of regulatory priorities for 2018/19.
Website operators are advised to "start working towards compliance now – undertake a cookie audit, document your decisions, and you will have nothing to fear".
There is a strong commercial argument against rules requiring consent to analytics cookies, particularly where the data being collected is anonymised.
Data gathered from analytics cookies helps businesses understand which of their online products, services and other content has gained traction, helping to shape future development of those services and improve the customer's online journey. Requiring visitors to actively enable analytics cookies risks missing out on a substantial majority of data, and could result in businesses having to run their websites blind. Ultimately, this is to the disadvantage of consumers.
To address this, some businesses have required internet users to consent to the use of cookies to gain access to their web services. These so-called 'cookie walls' are controversial and have attracted substantial scrutiny.
Last year the European Data Protection Board (EDPB) said the use of so-called "cookie walls" runs contrary to the GDPR, and said they should not be provided for in the proposed new EU e-Privacy Regulation.
At the time, it said: "In order for consent to be freely given as required by the GDPR, access to services and functionalities must not be made conditional on the consent of a user to the processing of personal data or the processing of information related to or processed by the terminal equipment of end-users, meaning that cookie walls should be explicitly prohibited".
Echoing that view, the Dutch data protection authority wrote to some website operators in the country after it received "dozens" of complaints about the use of cookie walls. It said it did not believe cookie walls conform to the GDPR standards of consent, stating that "permission is not 'free' if someone has no real or free choice… or if the person cannot refuse giving permission without adverse consequences".
The ICO's view on cookie walls is more nuanced. In its guidance it suggested businesses may be able to justify their use in certain circumstances.
"If your use of a cookie wall is intended to require, or influence, users to agree to their personal data being used by you or any third parties as a condition of accessing your service, then it is unlikely that user consent is considered valid," the ICO said. "However, it should be noted that not all cookie tracking is necessarily intrusive or high risk."
"Furthermore, the GDPR is clear that the right to the protection of personal data: is not absolute; should be considered in relation to its function in society; and must be balanced against other fundamental rights, including freedom of expression and the freedom to conduct a business. The key is that individuals are provided with a genuine free choice; consent should not be bundled up as a condition of the service unless it is necessary for that service," it said.
In its blog, the ICO added that the use of cookie consent statements such as 'by continuing to use this website you are agreeing to cookies' would be invalid under the GDPR. It said, though, that it is aware of "differing opinions as well as practical considerations around the use of partial cookie walls" and "will be seeking further submissions and opinions on this point from interested parties".
A further controversial topic that the ICO's updated guidance addresses is whether web browser settings can confer an internet user's consent to cookies.
The ICO said businesses cannot, currently, solely rely on browser settings for demonstrating user consent. It did, though, explain how browser settings can indicate consent in certain circumstances.
"For consent to be clearly signified it would need to be clear that users and subscribers had been prompted to consider their current browser settings," it said. "This would require evidence of either a positive action that the subscriber was happy with the default, or otherwise made a decision to change the settings."
"Browsers may also include other features such as tracking protection options. Depending on the browser, these may be either enabled by default or require the user to configure them. There is also a range of browser extensions and add-ons for various web browsers that users can install to further manage their cookie preferences. However, you should be aware that not everyone accessing websites will do so with the same version or type of browser, or even use a traditional web browser at all. This is particularly important when considering web browsers and apps on other devices such as smartphones, tablets, smart TVs, wearable technology or other 'Internet of Things' devices," it said.
All of this means businesses are likely to have to make technical changes to their existing cookie consent mechanisms to comply with the ICO's guidance.
Yet, for businesses operating cross-border in Europe, further changes are imminent.
CNIL, France's data protection authority, is to publish its own new cookies guidance before the end of this month. It has said that it will give businesses 12 months to "comply with the principles that diverge from the previous recommendation".
Further CNIL guidance on the practicalities of obtaining consent is expected to be issued by the regulator next year. It said it will first consult with industry with the aim of describing "the practical arrangements for collecting consent".
Both the ICO and CNIL are in an invidious position. They are responsible for ensuring compliance with privacy rules and must necessarily update their guidance to reflect the changed legal standards since the GDPR took effect. However, their guidance could have a short lifespan, since EU law makers are in the process of updating the e-Privacy regime.
Plans to replace the existing e-Privacy Directive with a new e-Privacy Regulation were first outlined in 2017, but, while MEPs agreed the European Parliament's negotiating position on the reforms in October 2017, the reforms have been delayed due to disagreements within the Council of Ministers between EU member state governments over the new standards that should apply.
In March this year, the then Romanian presidency of the Council of Ministers suggested that the new e-Privacy Regulation should provide businesses with scope to use cookie walls.
It said: "Making access to the website content provided without direct monetary payment conditional to the consent of the end-user to the storage and reading of cookies for additional purposes would normally not be considered disproportionate in particular … if the end-user is able to choose between an offer that includes consenting to the use of cookies for additional purposes on the one hand, and an equivalent offer by the same provider that does not involve consenting to data use for additional purposes on the other hand."
"Conversely, in some cases, making access to website content conditional to consent to the use of such cookies may be considered to be disproportionate. This would normally be the case for websites providing certain services, such as those provided by public authorities, where the user could be seen as having few or no other options but to use the service, and thus having no real choice as to the usage of cookies," it said.
However, the Romanian government was unable to obtain consensus for its plans before the European elections in May and the conclusion of its term as presidency of the Council at the end of June. Finland has now taken over the presidency and will be responsible for driving forward work on the reforms. Finland has already said that "developing a balanced framework for utilising [data] is critical" to broader ambitions of sustainable growth in the EU.
It is possible that a stripped-back version of the e-Privacy Regulation as originally proposed will emerge. The general secretariat of the Council of Ministers asked governments of EU member states in late June to set out the parts of the regulation that they consider to be "the most essential". Certainly, agreement on the text within the Council does not seem to be imminent, and even if common ground can be found there would remain a final hurdle of reaching consensus with the European Parliament, which wants a ban on cookie walls.
For businesses all this means that the overall picture on cookie compliance is a confusing one.
From the ICO's guidance it seems fairly clear that, for now, consent at a website level is required and the onus remains with the service provider to obtain and demonstrate a valid consent.
The technical cost of the ICO’s guidance could be significant for businesses, which face a number of issues and will need to:
One of the areas the guidance is silent on is how the new guidelines apply to legacy data collected and continuing to be processed or which has been shared and may form part of user profiles for service delivery, marketing or more.
When the GDPR came into force the ICO said previous data could be used as long as it met with the new standard for consent and compliance obligations under the GDPR. This led to a storm of re-consenting activity. It will be interesting to see how the consent mechanism is now applied in relation to data already held and if re-consenting would be required to ensure use of legacy data gathered from cookies is valid and the processing complies with the legal conditions applicable.
Claire Edwards and Rachel Forbes are information law experts at Pinsent Masons, the law firm behind Out-Law.