November 9, 2021

What are the ICO Cookie Guidelines?

Are you aware of what the ICO Cookie Guidelines are, and whom they apply to? Read all about the guidelines in relation to the UK GDPR law, penalties, and what to do if you want to use your collected data for another purpose.

What Is ICO?

ICO stands for the Information Commissioner’s Office of the United Kingdom. This is the UK’s public authority that enforces data protection laws in the country. Among other things, it publishes guidelines that help businesses comply with privacy laws (UK Data Privacy Act 2018, GDPR) easily.

Here we will explain in plain language the most important aspects of their cookie guidelines. Should you respect these guidelines, data protection compliance will be effortless for you.

Read more about UK GDPR, and how to become UK GDPR-compliant right here. 

What Is PECR?

PECR stands for the Privacy and Electronic Communications Regulations of the UK. Among other things, it covers the use of cookies and similar technologies for storing and accessing users’ information.

What Are Cookies And What Types Of Cookies Are There?

Cookies are small text files that a website stores on your device in order to collect some data. Read more about what cookies are here.

What Are “Similar Technologies”?

Cookies are not the only technology used for tracking users over the internet. The so-called “similar technologies” are tracking technologies that provide website owners with information about users, sometimes including their personal data. As a result, these technologies are also the subject of data protection rules.

Some examples of similar technologies are:

  • HTTP header information
  • Installed plugins
  • Device fingerprints
  • CSS information, etc.

What Are The Legal Requirements For Cookies And Similar Technologies?

You can freely use essential cookies, but you must obtain the user’s explicit consent for the use of non-essential cookies and similar technologies.

In addition, you must obtain the consent the right way, which means:

  • Ask for consent for each specific purpose. If you use different cookies for different purposes (preferences, analytics, advertising), then ask for consent for each specific purpose. Getting one consent for analytics cookies doesn’t mean that you are free to use the advertising cookies.
  • Inform users about cookies. Tell them what cookies you use for what purpose. Do that in plain language that doesn’t mislead them.
  • You need affirmative action. The user has to click on “ACCEPT” or a similar button to accept the cookies. Staying on the website doesn’t mean consent. Also, pre-ticked boxes are not allowed - the user should tick them.
  • The consent must be freely given. You must not prevent the user from accessing the website if they do not consent to cookie use.

How Do PECR And GDPR Relate?

Although none of them explicitly mentions cookies, both PECR and GDPR are very similar regarding the requirements about personal data collection.

PECR regulates the privacy of electronic communications in the UK and of UK citizens. When it applies, it takes precedence over the UK Data Protection Act 2018 and the EU's GDPR.

However, these laws complement each other.

In general, the PECR applies to the collection of personal data (accessing and storing). Everything else you do with the data collected according to the PECR is under the scrutiny of the GDPR.

What Is The “Communication Exemption”?

The communication exemption means that you can use cookies without consent to enable communication over an electronic communications network.

The cookies must be necessary to:

  • Identify the users that need to communicate
  • Transfer messages in the intended order, or
  • Identify data transmission errors and data losses.

How Do PECR And GDPR Differ In Cookie Requirements?

In general, if PECR applies to your business, you must check out PECR requirements before looking into GDPR requirements. These differences are minor, but important.

GDPR lists six lawful bases for data collection, only one of which is consent. None of them is more important than the others.

PECR, on the other hand, has consent as the only lawful basis in most cases. Only if consent is not required can you rely on the bases listed in the GDPR.

So, you need to obtain explicit consent unless you are clearly exempt under PECR (Regulation 6).

How To Inform Users About Cookies?

You have to tell users about cookies at the moment they arrive on the website.

A good practice is to show them a cookie banner where they can choose their privacy preferences and read your privacy policy and cookie declaration.

You can include information on cookies in your privacy policy, but may also have a separate cookie declaration/policy for better visibility and simplicity.

ICO recommends increasing the visibility of your cookie policy/declaration or your privacy policy by:

  • Using text formatting that draws attention
  • Positioning the link in a place where it can be easily found or seen
  • Using explanatory wording that tells the user that the link provides information on cookies (such as: “Check out our cookie declaration to find out more about how and why we use cookies”).

What Does “Affirmative Action” Mean?

Affirmative action means that the user has to accept the cookies by their own actions. That means two things:

  • The user has to click on the “ACCEPT” button or something similar and explicitly show that they consent to the cookies
  • The user should tick the checkboxes for each purpose of collection/processing. Pre-ticked boxes are not allowed.

Can We Pre-Tick Cookie Consent Checkboxes?

No. As we mentioned above, pre-ticked checkboxes are not compliant with the Data Privacy Act and the GDPR.

Can We Use Cookie Walls?

No, cookie walls are not allowed in obtaining users’ consent. If the user is not allowed to access the website without giving consent to the use of cookies, then such consent is not freely given, therefore the consent is not obtained legally.

Can We Obtain Consent Through Accepting The Terms Of Use?

No, that’s not a lawful way to obtain consent. Accepting Terms of Use doesn’t mean cookie consent, even if they are mentioned in the Terms of Use and the user accepts them. It is just an implied consent, but you need an explicit one.

The consent for cookies must be obtained separately from any other consent.

Does Remaining On The Website Mean Consent To The Use Of Cookies?

No, remaining on or browsing the website doesn’t mean accepting cookies and other tracking technologies. If you set cookies on the user’s device just because they browse your website, you are violating the data protection laws.

Can We Rely On Settings-Led, Feature-Led, Or Browser Settings In Obtaining Consent?

Settings-led and feature-led consent. You can rely on this kind of consent as long as it is explained to the user. If they know that the use of cookies is necessary to remember the settings they have opted for, then it is fine to rely on it.

Browser settings. You should not assume that every user knows how to set up their browser settings, but you can rely on them for obtaining consent as long as they can indicate that the user consents to the use of cookies. For example, if a user sets up the browser to accept certain types of cookies, consent has been given for your cookies of that type as well.

What If We Want To Use Their Data For Another Purpose?

Remember that you need to obtain consent for data collection for a specific purpose. If you need to use the very same data for another purpose, you need to obtain consent for the new purpose.

For example, if you have obtained consent to use analytics cookies, you can collect and process data only for analytics purposes. You must not use that data for marketing. If you want to do so, you need to collect separate consent from the user for that purpose.

How Often Should We Obtain Consent?

In general, you don’t need to obtain consent for the same purpose and the same data over and over again.

However, if you introduce a new cookie for which you haven’t obtained consent previously, make sure that you ask for consent for that one.

What If Users Change Their Mind About Consent?

You must allow users to withdraw consent with the same ease as they gave it to you. It means that you must not hide the consent withdrawal button from them. Make sure it is available in your privacy center.

If they didn’t give you consent initially, but now they want to accept your cookies, you can obtain it by respecting the rules described above - inform them about cookies and collect freely given consent for each purpose separately by their own affirmative action.
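The consent rules described on this page (no pre-ticked boxes, consent per purpose, no reuse of consent for a new purpose, and withdrawal as easy as granting) as an added JavaScript example; this is not code from the article or from Secure Privacy, and the in-memory cookie jar standing in for document.cookie, the purpose names and the class and method names are all assumptions.

```javascript
// Added example: a minimal per-purpose cookie consent gate. The in-memory
// "jar" object stands in for document.cookie so this runs offline in Node;
// class and method names are assumptions, not the article's or any vendor's API.
const NON_ESSENTIAL = ["preferences", "analytics", "advertising"];

class ConsentManager {
  constructor(jar = {}) {
    this.jar = jar;                                  // cookie name -> { value, purpose }
    // Nothing is pre-ticked: every non-essential purpose starts unconsented.
    this.consent = Object.fromEntries(NON_ESSENTIAL.map((p) => [p, false]));
  }

  // A purpose introduced later (a new cookie) starts unconsented too:
  // consent already given for other purposes never covers it.
  addPurpose(purpose) {
    if (!(purpose in this.consent)) this.consent[purpose] = false;
  }

  // Affirmative action: record only the purposes the user actually ticked.
  grant(purposes) {
    for (const p of purposes) {
      if (!(p in this.consent)) throw new Error(`unknown purpose: ${p}`);
      this.consent[p] = true;
    }
  }

  // Withdrawal is one call, as easy as granting, and removes that purpose's cookies.
  withdraw(purpose) {
    if (!(purpose in this.consent)) throw new Error(`unknown purpose: ${purpose}`);
    this.consent[purpose] = false;
    for (const name of Object.keys(this.jar)) {
      if (this.jar[name].purpose === purpose) delete this.jar[name];
    }
  }

  // Essential cookies need no consent; anything else is gated per purpose,
  // so consent for analytics never unlocks advertising cookies.
  hasConsent(purpose) {
    return purpose === "essential" || this.consent[purpose] === true;
  }

  // Returns false (and sets nothing) when the purpose is not consented.
  setCookie(name, value, purpose) {
    if (!this.hasConsent(purpose)) return false;
    this.jar[name] = { value, purpose };
    return true;
  }
}
```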

What Happens If We Don’t Comply?

If you collect and/or process personal data without obtaining consent in a lawful way, you violate the data protection laws. If that happens, you are at risk of being fined by the ICO.
