The UK Information Commissioner’s Office (ICO) Guidance
Last Updated: April 27, 2020
Here are the main takeaways:
Implied consent is no longer acceptable
Your website’s consent banner must clearly state what cookies will be set and the user must take a positive action to consent to non-essential cookies. Consent is not required for cookies that are defined as ‘strictly necessary’ to providing service to the user.
‘Strictly Necessary’ exemptions have changed (i.e. Cookies used for Google Analytics and advertising purposes)
Companies are required to be clear with users about the purpose for storing information and requesting consent.
|Items that DO meet the ‘strictly necessary’ exemption||Items that DO NOT meet the ‘strictly necessary’ exemption|
|Cookies that are used to remember items that a user purchases or adds to a shopping cart Cookies used that must comply with GDPR’s security principle, such as a connection with an online banking service Cookies that help increase the page load time||Cookies used for website analytics Cookies used for first and third-party advertising Cookies used to recognize a user when returning to a website|
|What is considered valid consent?||The users must give specific, freely given and unambiguous consent to the cookies prior to the cookie being dropped. Both authorities highlight that a user continuing to browse a website does not amount to that user’s consent. Relying solely on browser settings is not enough to have valid consent. Both consider that in the future, browser settings are likely to be adapted to ensure valid consent can be collected through them.|
|What must be included in the cookie banner?||The consent must cover each purpose for which personal data will be processed. The user must be able to identify all parties placing cookies, meaning that organizations should name all parties who will rely on users’ consent.|
|Are cookie walls allowed?||The ICO notes that consent that is forced via a cookie wall is “unlikely to be valid,” which puts uncertainty on this topic.|
|Do analytic cookies require consent?||Yes, companies are required to be clear with users about the purpose for storing information and requesting consent. Cookies relating to the functionality of a website do not require consent, but cookies for analytics, social media and advertising now require consent to track data.|
|What are the important consent options for users?||It is not deemed compliant if an organization emphasizes “agree”/”allow” cookie options over the “reject”/”block” cookie options.|
|What is the cookie lifespan and retention periods?||The cookie lifespan must be limited to what is necessary to achieve the purpose. The maximum possible technical duration of a cookie would not be regarded as proportionate.|
How CookiePro Supports the ICO
CookiePro’s Cookie Consent and Website Scanning solution has been updated with recent ICO, CNIL and country-specific guidance built in. To help meet the ICO’s new guidance, CookiePro’s solution provides:
- Include Information Required in Banner. Include all required information on the cookie banner and in the preference center to ensure data subjects are fully informed.
- Choose Your Consent Approach. Choose from multiple models, including opt-out, opt-in, explicit, implied or notice only. Based on the cookie category, set up your model to meet compliance while maintaining optimal performance using analytics.
- Allow Users to Update Their Preferences at Any Time. Provide choices at all times with a granular preference center to easily manage cookie preferences.
- View Granular Records of Consent. With CookiePro, you’re able to view user’s consent and audit trails that are available on demand within the CookiePro platform.
- Show Compliance Over Time. A user’s consent is stored in a detailed audit log to help keep historical audit trails.