



Are you aware of the ICO Cookie Guidelines and who they apply to? Read all about the UK GDPR law, penalties, and what to do if you want to use the data you've collected for another purpose.
ICO stands for the Information Commissioner’s Office of the United Kingdom. This is the UK’s public authority in charge of enforcing the country's data protection laws. Among other things, it publishes guidelines that help businesses comply easily with privacy laws (UK Data Protection Act 2018, UK GDPR).
In this article, we will explain in layman's terms the most important aspects of its cookie guidelines. If you follow these guidelines, data protection compliance will be a breeze for you.
Read more about UK GDPR and how to become UK GDPR-compliant right here.
The ICO cookie guidelines were issued to address cookies and similar technologies in detail. The guidelines are critical for online services such as websites and mobile apps. The ICO cookie guidelines help businesses understand how the PECR is interpreted and applied.
PECR stands for Privacy and Electronic Communications Regulations of the UK. It addresses, among other things, the use of cookies and similar technologies for storing and accessing users’ information.
Cookies are small text files that a website places on your device to store and later read back data. Read more about what cookies are here.
Cookies are not the only technology used to track internet users. Tracking technologies that provide website owners with information about users, including personal data, are referred to as "similar technologies." As a result, these technologies are also the subject of data protection rules.
Some examples of similar technologies are:
You may use essential cookies without restriction, but you must obtain explicit user consent to use non-essential cookies and similar technologies.
In addition, you must obtain the consent the right way, which means:
Although neither explicitly mentions cookies, the requirements for personal data collection in both the PECR and GDPR are very similar.
PECR governs the privacy of electronic communications in the United Kingdom and of its citizens. When it applies, it takes precedence over the UK Data Protection Act 2018 and the EU's GDPR.
However, these laws complement each other.
In general, the PECR applies to the collection of personal data (storing information on, and accessing information from, the user's device). Everything else you do with the data collected under the PECR is subject to the GDPR's scrutiny.
The communication exemption means that you can use cookies to enable communication over an electronic communications network without obtaining consent.
Cookies must be required to:
In general, if PECR applies to your business, you must check out PECR requirements before looking into GDPR requirements. These distinctions are minor but significant.
GDPR lists six lawful bases for data collection, only one of which is consent. None of them is more important than the others.
In most cases, the only lawful basis under the PECR is consent. Only if consent is not required can you rely on one of the GDPR's listed bases.
As a result, unless clearly exempt under the PECR, you must obtain explicit consent (Regulation 6).
When users first visit your website, you must inform them about cookies.
A good practice is to show them a cookie banner where they can choose their privacy preferences and read your privacy policy and cookie declaration.
You can include cookie information in your privacy policy but may also have a separate cookie declaration/policy for better visibility and simplicity.
The ICO recommends making your cookie policy/declaration or privacy policy more visible by:
Affirmative action requires the user to accept cookies through their own actions. That means two things:
No. As we mentioned above, pre-ticked checkboxes are not compliant with the Data Privacy Act and the GDPR.
In general, cookie walls are not permitted in obtaining users' consent. If the user is not allowed to access the website unless they give consent to the use of cookies, such consent is not freely given, and thus the consent is not legally obtained.
However, the ICO states that the use of cookie walls as a condition of access to specific website content is possible. Specific website content means that you should not make “general website access” conditional on users accepting non-essential cookies, but you may restrict certain content of the website if the user does not consent.
No, that’s not a legal method of obtaining consent. Accepting the Terms of Use does not imply cookie consent, even if they are mentioned in the Terms of Use, and the user accepts them. It is only implied consent, but you require explicit consent.
Cookie consent must be obtained separately from any other consent.
No, remaining or browsing the website does not imply accepting cookies and other tracking technologies. If you send cookies to the user’s device just because they browse your website, you are violating the data protection laws.
Settings-led and feature-led consent. You can rely on these cookies as long as the user is informed. If the user understands that cookies are required to remember the settings they have chosen, their choice can be relied on as consent.
Browser settings. You should not assume that every user knows how to configure their browser settings, but you can use them to obtain consent as long as they can indicate that the user consents to the use of cookies. For example, if a user sets up the browser to accept certain types of cookies, that counts as consent for your cookies of those types as well.
Remember that consent is required for data collection for a specific purpose. If you need to use the same data for another purpose, you need to obtain consent for the new purpose.
For example, if you have obtained consent to use analytics cookies, you can collect and process data only for analytics purposes. You must not use that data for marketing. If you want to do so, you first need to collect the user's consent for marketing.
In general, you don’t need to obtain consent for the same purpose and the same data repeatedly.
However, if you introduce a new cookie for which you haven't previously obtained consent, make sure you ask for it.
Users must be able to withdraw consent as easily as they gave it to you. That is, you must not conceal the consent withdrawal button from them. Make it a point to keep it in your privacy center.
If they did not initially give you consent but now want to accept your cookies, you can get it by following the rules outlined above - inform them about cookies and collect freely given consent for each purpose separately through their own affirmative action.
You violate data protection laws if you collect and/or process personal data without lawfully obtaining consent. If this occurs, you run the risk of being fined by the ICO.
The ICO has provided examples of non-compliant cookie banners. Using the practices shown in these banners will result in non-compliance with the ICO cookie guidelines.
This website places non-essential cookies on its landing page. This is not considered valid consent. This is because the website has decided non-essential cookies will be set, and is then seeking the user’s agreement afterwards – but is only providing the user with an option to ‘continue’ rather than a genuine free choice about whether they want to accept or reject the cookies.
(Source: www.ico.org.uk)
A consent mechanism that emphasizes ‘agree’ or ‘allow’ over ‘reject’ or ‘block’ is a non-compliant approach, as the online service influences users to choose the 'accept' option.
Even if the controls are located in a 'more information' section, a consent mechanism that does not allow the user to make a choice is non-compliant.
A cookie banner that is compliant would look like this:
This enables users to reject and accept cookies and the buttons are of equal prominence and are not intended to mislead users. Further, the banner also includes a link to the cookie policy and also includes an option to learn more about each cookie category and customize cookie choices.
Below is a checklist to help you remain compliant with the ICO cookie guidelines.
▢ Have a cookie consent banner to collect users’ consent to use cookies
▢ Do not place cookies before obtaining consent, except for essential cookies
▢ Have a preference setting to allow users to choose what they consent to
▢ Try not to use cookie walls (use only if a cookie wall is required for accessing specific website content or services, not for general website access)
▢ Provide explicit information about the use of cookies and communicate the purposes through, ideally, a separate cookie policy/declaration for better visibility and simplicity
▢ If your cookie policy/declaration is part of your privacy policy, try to make it more visible by eye-catching text formatting.
▢ Do not use pre-ticked boxes
▢ Don’t use cookies for secondary purposes that you have not obtained consent for
▢ Don’t obtain consent through accepting the Terms of Use of the website
▢ Allow an option to reject the cookies, and don’t load any cookies if the user rejects
▢ Obtain consent for each category of processing
▢ Provide “accept” and “reject” options in a similar manner and with equal prominence.
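The checklist above is also a specification for the consent logic behind a banner. The following is an added example (not code from the article or from the ICO) of a small consent gate that enforces those rules: no pre-ticked categories, no non-essential cookie before consent, one-call withdrawal, and a re-prompt when a new non-essential cookie is introduced. The category and cookie names are hypothetical, and `sink` stands in for whatever actually writes the cookie (document.cookie in a browser).

```javascript
// Added example: category/cookie names are hypothetical; `sink` writes the cookie.
class ConsentGate {
  constructor(declaration, sink) {
    // declaration: { cookieName: category }, matching the published cookie policy.
    this.declaration = { ...declaration };
    this.sink = sink;
    // No pre-ticked boxes: every non-essential category starts as "not consented".
    this.consent = { essential: true };
    for (const cat of Object.values(declaration)) {
      if (cat !== "essential") this.consent[cat] = false;
    }
    this.consentedTo = null; // the declaration the user saw when they chose
  }

  // The user's affirmative action: explicit per-category choices from the banner.
  // Browsing, scrolling or accepting the Terms of Use never reaches this method.
  recordChoice(choices) {
    for (const cat of Object.keys(this.consent)) {
      if (cat !== "essential") this.consent[cat] = choices[cat] === true;
    }
    this.consentedTo = { ...this.declaration };
  }

  // Withdrawal is one call, as easy as giving consent was.
  withdraw(category) {
    if (category !== "essential") this.consent[category] = false;
  }

  // Every cookie is gated on consent for its own category; essential ones pass.
  place(name) {
    const cat = this.declaration[name];
    if (cat === undefined) return false; // undeclared cookie: never set
    if (cat !== "essential" && !this.consent[cat]) return false;
    this.sink(name);
    return true;
  }

  // Consent for analytics does not cover marketing: reusing data for a new
  // purpose needs consent for that purpose.
  canUseDataFor(purpose) { return this.consent[purpose] === true; }

  // A non-essential cookie added since the user chose needs fresh consent;
  // re-asking for the same cookies and purposes is not required.
  needsReprompt(newDeclaration) {
    if (this.consentedTo === null) return true;
    return Object.entries(newDeclaration).some(
      ([name, cat]) => cat !== "essential" && !(name in this.consentedTo));
  }
}
```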
ICO Official Website
ICO Cookie Guidelines
Check out the cookie consent guidelines from other European data protection authorities that you may need to comply with as well.