What are the ICO Cookie Guidelines?
Are you aware of the ICO Cookie Guidelines and who they apply to? Read all about the UK GDPR law, penalties, and what to do if you want to use the data you've collected for another purpose.
What Is ICO?
ICO stands for the Information Commissioner’s Office, the UK’s independent public authority responsible for enforcing the country's data protection laws. Among other things, it publishes guidance that helps organisations comply with the Data Protection Act 2018, the UK GDPR and PECR.
In this article, we explain in plain terms the most important points of the ICO's cookie guidance. If you follow it, cookie compliance becomes a manageable, checklist-driven task.
Read more about UK GDPR and how to become UK GDPR-compliant right here.
What are ICO cookie guidelines?
The ICO cookie guidelines address cookies and similar technologies in detail. They are relevant to any online service that stores information on, or reads information from, a user's device, including websites and mobile apps. The guidelines explain how the ICO interprets and applies PECR in practice.
What Is PECR?
PECR stands for the Privacy and Electronic Communications Regulations, the UK rules on the privacy of electronic communications. Among other things, Regulation 6 governs storing information on, and gaining access to information stored on, a user's device, which is what cookies and similar technologies do.
What Are Cookies, and what type of cookies are there?
Cookies are small text files that a website stores on your device through the browser; the browser sends them back with later requests to the same site, which lets the site recognise you across pages and visits. For the purposes of these guidelines the key distinction is between essential (strictly necessary) cookies, without which the service you asked for cannot work, and non-essential cookies such as preference, analytics and advertising cookies. Read more about what cookies are here.
What Are “Similar Technologies”?
Cookies are not the only way to track internet users. Any technology that stores information on, or reads information from, a user's device in order to tell the website owner something about that user is treated as a "similar technology" under PECR, so the same consent rules apply to it, whether or not the information is personal data.
Some examples of similar technologies are:
- HTTP header information
- Installed plugins
- Device fingerprinting (combining browser and device characteristics into an identifier)
- CSS information, etc.
What Are The Legal Requirements For Cookies And Similar Technologies?
Essential (strictly necessary) cookies are exempt from the consent requirement, although you must still tell users about them. For non-essential cookies and similar technologies you must obtain valid consent before setting or reading them.
In addition, you must obtain the consent the right way, which means:
- Ask for consent for each specific purpose. If you use different cookies for different purposes (preferences, analytics, advertising), make sure to get consent for each one. Obtaining one consent for analytics cookies does not grant you permission to use advertising cookies.
- Inform users about cookies. Tell them what cookies you use and why. Do so in plain language so that they are not misled.
- You need affirmative action. To accept cookies, the user must click "ACCEPT" or a similar button. Staying on the website does not imply agreement. Also, pre-ticked boxes are not permitted; the user must tick them.
- The consent must be freely given. If a user does not consent to the use of cookies, you must not prevent them from accessing the website.
How Do PECR And GDPR Relate?
Neither PECR nor the UK GDPR uses the word "cookie" in its operative provisions (PECR speaks of storing or accessing information on a user's terminal equipment), but their requirements are closely aligned: PECR requires consent to the UK GDPR standard, that is, freely given, specific, informed and unambiguous.
PECR governs the privacy of electronic communications in the United Kingdom. Where PECR sets a specific rule, as it does for cookies, that rule applies ahead of the general rules of the UK GDPR and the Data Protection Act 2018.
The two regimes therefore complement each other rather than compete.
In general, PECR governs the act of storing information on, or reading information from, the user's device, whether or not that information is personal data. Everything you subsequently do with personal data obtained that way is governed by the UK GDPR.
What Is The “Communication Exemption”?
The communication exemption means that you can use cookies without consent where they are needed solely to carry out the transmission of a communication over an electronic communications network.
To qualify, the cookie must be strictly necessary to:
- Identify the users that need to communicate
- Transfer messages in the intended order, or
- Identify data transmission errors and data losses.
How Do PECR And GDPR Differ In Cookie Requirements?
In general, if PECR applies to your business, you must satisfy its requirements first and only then consider the UK GDPR. The distinctions are subtle but significant.
The UK GDPR lists six lawful bases for processing personal data, only one of which is consent, and no basis ranks above another.
Under PECR, by contrast, the only basis for setting or reading non-essential cookies is consent. Only where PECR does not require consent (an exempt cookie) can you rely on one of the other UK GDPR bases for any personal data involved, and even then the later processing still needs a lawful basis of its own.
As a result, unless a cookie is clearly exempt under PECR, you must obtain consent before using it (Regulation 6).
How To Inform Users About Cookies?
When users first visit your website, you must inform them about cookies.
A good practice is to show them a cookie banner where they can choose their privacy preferences and read your privacy policy and cookie declaration.
You can include cookie information in your privacy policy but may also have a separate cookie declaration/policy for better visibility and simplicity.
The ICO recommends making your cookie policy/declaration or privacy policy more visible by:
- Using attention-grabbing text formatting
- Positioning the link in a prominent location where it is easily found or seen
- Using explanatory wording that tells the user the link leads to information about cookies (for example: “Check out our cookie declaration to find out more about how and why we use cookies”)
What Does “Affirmative Action” Mean?
Affirmative action requires the user to accept cookies through their own actions. That means two things:
- The user must explicitly show their consent to the cookies by clicking on the "ACCEPT" button or something similar.
- The user should tick the checkboxes for each purpose of collection/processing. Pre-ticked boxes are not allowed.
Can We Pre-Tick Cookie Consent Checkboxes?
No. As we mentioned above, pre-ticked checkboxes do not produce valid consent under the Data Protection Act 2018, the UK GDPR or PECR; the user must tick each box themselves.
Can We Use Cookie Walls?
In general, cookie walls are not an acceptable way of obtaining consent. If users cannot access the website at all unless they agree to non-essential cookies, the consent is not freely given and is therefore not valid.
The ICO does, however, leave room for limiting access to specific content. You must not make general access to the website conditional on accepting non-essential cookies, but restricting particular content or features when the user declines may be acceptable, depending on the context.
Can We Obtain Consent Through Accepting The Terms Of Use?
No, that is not a valid method of obtaining consent. Accepting the Terms of Use does not amount to cookie consent, even if cookies are mentioned in the Terms of Use and the user accepts them. At best that is implied consent, whereas you need a separate, affirmative choice.
Cookie consent must be obtained separately from any other consent or agreement.
Does Remaining On The Website Mean Consent To The Use Of Cookies?
No, remaining on or browsing the website does not amount to accepting cookies or other tracking technologies. If you set non-essential cookies on the user’s device merely because they are browsing your website, you are in breach of PECR.
Can We Rely On Settings-Led, Feature-Led, Or Browser Settings In Obtaining Consent?
Settings-led and feature-led consent. These can be valid as long as the user is informed. If the user chooses a setting (say, a language) or activates a feature and understands that a cookie is needed to remember or provide it, that action can serve as consent for that cookie and that purpose only.
Browser settings. The ICO's view is that most browser settings are not yet granular enough to signal a specific, informed choice about your particular cookies, so you should not rely on them to obtain consent. Only a browser control that clearly indicates the user consents to the specific cookies you set could count, and even then you should not assume every user knows how to configure it.
What If We Want To Use Their Data For Another Purpose?
Remember that consent is tied to a specific purpose. If you want to use the same data for another purpose, you must obtain consent for the new purpose first.
For example, if you have obtained consent for analytics cookies, you may collect and process that data only for analytics. You must not reuse it for marketing; if you want to, you must first obtain separate consent for marketing.
How Often Should We Obtain Consent?
In general, you don’t need to obtain consent for the same purpose and the same data repeatedly.
However, if you introduce a new cookie for which you haven't previously obtained consent, make sure you ask for it.
What If Users Change Their Mind About Consent?
Users must be able to withdraw consent as easily as they gave it. That means you must not hide the withdrawal control; keep it permanently available, for example in your privacy center, and stop setting the affected cookies as soon as consent is withdrawn.
If they did not initially give you consent but now want to accept your cookies, you can get it by following the rules outlined above - inform them about cookies and collect freely given consent for each purpose separately through their own affirmative action.
What Happens If We Don’t Comply?
You violate data protection laws if you collect and/or process personal data without lawfully obtaining consent. If this occurs, you run the risk of being fined by the ICO.
ICO Cookie Banner Examples
The ICO has published examples of non-compliant cookie banners. Banners that follow the practices shown in them will not meet the ICO cookie guidelines.
In the first example, the website places non-essential cookies on its landing page before asking anything. This is not valid consent: the website has already decided that non-essential cookies will be set and only seeks the user’s agreement afterwards, offering just a ‘continue’ option rather than a genuine free choice to accept or reject the cookies.
(Source: www.ico.org.uk)
A consent mechanism that emphasises ‘agree’ or ‘allow’ over ‘reject’ or ‘block’ is non-compliant, because the online service nudges users towards accepting.
A consent mechanism that gives the user no real choice is non-compliant even if the controls exist somewhere in a ‘more information’ section.
A compliant cookie banner, by contrast, lets users accept or reject cookies with buttons of equal prominence that are not designed to mislead. It also links to the cookie policy and offers a way to learn more about each cookie category and customise the choice per category.
Checklist for compliance with ICO Guidelines
Use the checklist below to make sure you remain compliant with the ICO cookie guidelines.
▢ Have a cookie consent banner to collect users’ consent to use cookies
▢ Do not place cookies before obtaining consent, except for essential cookies
▢ Have a preference setting to allow users to choose what they consent to
▢ Try not to use cookie walls (use only if a cookie wall is required for accessing specific website content or services, not for general website access)
▢ Provide explicit information about the use of cookies and communicate the purposes through, ideally, a separate cookie policy/declaration for better visibility and simplicity
▢ If your cookie policy/declaration is part of your privacy policy, try to make it more visible by eye-catching text formatting.
▢ Do not use pre-ticked boxes
▢ Don’t use cookies for secondary purposes that you have not obtained consent for
▢ Don’t obtain consent through accepting the Terms of Use of the website
▢ Allow an option to reject cookies, and do not set any non-essential cookies if the user rejects
▢ Obtain consent for each category of processing
▢ Provide “accept” and “reject” options in a similar manner and with equal prominence.
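The checklist above, and the earlier sections on affirmative action, per-purpose consent, withdrawal and re-asking when a new cookie is introduced, describe behaviour a site's front-end code has to enforce. The following is an added example, not code from the original article or from the ICO, of a small consent-gated cookie layer that does so: non-essential cookies are written only through a gate that checks the user's recorded choice, nothing is pre-ticked, each purpose is consented to separately, withdrawal is a single call that also deletes the cookies it covers, and a consent record made before a new purpose was added is treated as "not yet asked". The purpose names, the `cookie_consent` record name, the `CookieJar` stand-in for `document.cookie` and the version-bump convention are all assumptions made for this example.

```javascript
// Added example: consent-gated cookie layer enforcing the ICO requirements
// described above. Purpose names, the "cookie_consent" record, the CookieJar
// abstraction and CONSENT_VERSION are assumptions for this example.

// Non-essential purposes, each of which needs its own, separate consent.
const PURPOSES = ["preferences", "analytics", "advertising"];
// First-party record of the user's choice. Storing the choice itself is
// strictly necessary (it is what lets us honour a rejection), so no consent is needed for it.
const CONSENT_COOKIE = "cookie_consent";
// Bump this whenever a purpose or cookie is added that users have not been
// asked about yet; older records are then treated as "not asked" and the banner re-appears.
const CONSENT_VERSION = 2;

// Minimal cookie store standing in for document.cookie so the logic runs in
// Node. In a browser, set()/remove() would write document.cookie instead.
class CookieJar {
  constructor() { this.store = new Map(); }
  set(name, value, purpose) { this.store.set(name, { value, purpose }); }
  get(name) { const c = this.store.get(name); return c ? c.value : null; }
  remove(name) { this.store.delete(name); }
  names() { return [...this.store.keys()]; }
}

// Default state: no decision made and nothing pre-ticked.
function defaultConsent() {
  const purposes = Object.fromEntries(PURPOSES.map((p) => [p, false]));
  return { version: CONSENT_VERSION, decided: false, purposes };
}

// Read the stored choice. A missing, malformed or out-of-date record counts
// as "no consent", so adding a purpose always triggers a fresh ask.
function readConsent(jar) {
  const raw = jar.get(CONSENT_COOKIE);
  if (raw === null) return defaultConsent();
  let rec;
  try { rec = JSON.parse(raw); } catch { return defaultConsent(); }
  if (rec.version !== CONSENT_VERSION || rec.decided !== true) return defaultConsent();
  const consent = defaultConsent();
  consent.decided = true;
  for (const p of PURPOSES) consent.purposes[p] = rec.purposes?.[p] === true;
  return consent;
}

// Called only from the banner's affirmative click ("Accept selected", "Reject all").
// Anything the user did not explicitly tick stays false. Cookies belonging to a
// purpose that is not (or no longer) consented to are deleted.
function recordChoice(jar, ticked) {
  const consent = defaultConsent();
  consent.decided = true;
  for (const p of PURPOSES) consent.purposes[p] = ticked[p] === true;
  jar.set(CONSENT_COOKIE, JSON.stringify(consent), "essential");
  for (const name of jar.names()) {
    const entry = jar.store.get(name);
    if (entry.purpose !== "essential" && !consent.purposes[entry.purpose]) jar.remove(name);
  }
  return consent;
}

// Withdrawal must be as easy as giving consent: one call switches everything off.
function withdrawAll(jar) {
  return recordChoice(jar, {});
}

// The gate every cookie write goes through. Essential cookies always pass;
// non-essential ones pass only for a purpose the user has opted into.
// Returns true if the cookie was set, false if it was blocked.
function setCookie(jar, name, value, purpose) {
  if (purpose === "essential") { jar.set(name, value, purpose); return true; }
  if (!PURPOSES.includes(purpose)) throw new Error(`unknown purpose: ${purpose}`);
  const consent = readConsent(jar);
  if (!consent.purposes[purpose]) return false; // merely browsing is not consent
  jar.set(name, value, purpose);
  return true;
}
```

In a real deployment every analytics or advertising tag would be loaded through `setCookie` (or a loader that calls `readConsent` first) rather than unconditionally in the page head, which is what the first non-compliant ICO example gets wrong. The version check is what turns the "introduce a new cookie, ask again" rule into code: bumping `CONSENT_VERSION` invalidates every earlier record without deleting it, so the banner is shown again and the user's fresh, separate choice is recorded.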