The ICO issues detailed guidance on the use of Cookies

Following my recent post which looked at the guidance on the use of cookies issued by the Information Commissioner’s Office (ICO), here is a more detailed overview.

‘Cookies’ is the name for the technology used when a user visits a website to store certain information including:

  • Remembering what is in a user’s shopping basket
  • Remembering the user’s login details
  • Analysing website traffic
  • Tracking various websites visited by a particular user

The use of cookies is governed not by the GDPR but by the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR). PECR does, however, sit alongside the GDPR: since 2018 it has used the GDPR’s definition of consent, so the GDPR’s core principles on consent apply to cookies too.

The ICO has just issued further guidance on the use of cookies by releasing a “myth busting” blog, intended to clear up common misunderstandings. Here are the key points you need to know.

  1. You cannot rely on implied consent – the user must take a clear and positive action to consent to non-essential cookies

How often do you visit a website with no tick box through which you can take a clear, positive action to agree to the use of ‘non-essential’ cookies (the cookies used to analyse your behaviour on the site, or to display advertisements relevant to you)?

Under GDPR the mechanism for giving consent has to be “freely given, specific, informed and unambiguous.”

The ICO says:

  • your users must take a clear and positive action to consent to non-essential cookies;
  • your websites and apps must tell users clearly what cookies will be set and what they do – including any third party cookies;
  • pre-ticked boxes or any equivalents, such as sliders defaulted to ‘on’, cannot be used for non-essential cookies;
  • your users must have control over any non-essential cookies; and
  • non-essential cookies must not be set on landing pages before you gain the user’s consent.

This means it is simply not acceptable to have pre-ticked boxes for non-essential cookies on your website.

  2. Consent is not required for cookies that are “strictly necessary”, i.e. those essential to providing the service the user has requested

Cookies that are strictly necessary to the service the website provides (for example a session cookie that keeps a user logged in, or one that holds the contents of a shopping basket) do not require consent.

These should not be confused with analytics cookies. Some site operators treat analytics as strictly necessary because the data is useful to them, but analytics cookies play no part in delivering the service the user has asked for, and the ICO’s position is that they are not strictly necessary and so need consent like any other non-essential cookie.
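As an added illustration of points 1 and 2 (this is not code from the ICO or from the original post), here is how a site’s own JavaScript might gate cookie setting on consent: strictly necessary cookies go straight through, non-essential ones default to off and are held back until the user takes a clear affirmative action, the banner can list every cookie and who sets it, and consent can be withdrawn later. The cookie names, categories and purposes, and the in-memory CookieJar standing in for document.cookie, are assumptions made for the example.

```javascript
// Added example: consent-gated cookie setting. Not code from the ICO or the
// original post; the cookie names, categories and purposes are assumptions.

// Every cookie the site sets is declared here, so the banner can tell the
// user what will be set and why, including third-party cookies.
const COOKIE_POLICY = {
  session_id: { category: 'strictly_necessary', purpose: 'keeps you logged in' },
  basket:     { category: 'strictly_necessary', purpose: 'remembers your shopping basket' },
  _ga:        { category: 'analytics', purpose: 'measures site traffic', thirdParty: 'Google Analytics' },
  ad_profile: { category: 'advertising', purpose: 'selects ads relevant to you', thirdParty: 'ads.example' },
};

// Non-essential categories always need consent; analytics is NOT strictly necessary.
const NON_ESSENTIAL = ['analytics', 'advertising'];

// In-memory stand-in for document.cookie so the example runs outside a browser.
class CookieJar {
  constructor() { this.store = new Map(); }
  set(name, value) { this.store.set(name, value); }
  delete(name) { this.store.delete(name); }
  names() { return [...this.store.keys()].sort(); }
}

class ConsentManager {
  constructor(jar, policy = COOKIE_POLICY) {
    this.jar = jar;
    this.policy = policy;
    // Default state: every non-essential category is OFF (no pre-ticked
    // boxes, no sliders defaulted to 'on').
    this.consent = Object.fromEntries(NON_ESSENTIAL.map((c) => [c, false]));
    this.deferred = []; // non-essential cookies requested before consent
  }

  // Text for the banner: what each cookie does and who sets it.
  describeCookies() {
    return Object.entries(this.policy).map(([name, p]) =>
      `${name}: ${p.purpose} [${p.category}${p.thirdParty ? ', set by ' + p.thirdParty : ''}]`);
  }

  // Strictly necessary cookies are set immediately; non-essential ones are
  // deferred until the user opts in. Returns true if the cookie was set.
  setCookie(name, value) {
    const entry = this.policy[name];
    if (!entry) throw new Error(`cookie "${name}" is not declared in the policy`);
    if (entry.category === 'strictly_necessary' || this.consent[entry.category]) {
      this.jar.set(name, value);
      return true;
    }
    this.deferred.push([name, value]);
    return false;
  }

  // Called by the banner ONLY on a clear affirmative action (an "Accept" or
  // "Save choices" click). Never call this on page load, scroll or continued
  // browsing: implied consent is not valid. Each category must be an explicit boolean.
  recordConsent(choices) {
    for (const [category, granted] of Object.entries(choices)) {
      if (!NON_ESSENTIAL.includes(category)) throw new Error(`unknown category "${category}"`);
      if (typeof granted !== 'boolean') throw new Error('consent must be an explicit true/false');
      this.consent[category] = granted;
    }
    // Release any cookies that were held back while consent was outstanding.
    const stillDeferred = [];
    for (const [name, value] of this.deferred) {
      if (this.consent[this.policy[name].category]) this.jar.set(name, value);
      else stillDeferred.push([name, value]);
    }
    this.deferred = stillDeferred;
  }

  // The user must keep control: withdrawing consent for a category removes
  // the cookies already set under it.
  withdrawConsent(category) {
    if (!NON_ESSENTIAL.includes(category)) throw new Error(`unknown category "${category}"`);
    this.consent[category] = false;
    for (const [name, p] of Object.entries(this.policy)) {
      if (p.category === category) this.jar.delete(name);
    }
  }
}

// Walk through a landing-page visit and return the jar contents after each step.
function demo() {
  const jar = new CookieJar();
  const cm = new ConsentManager(jar);
  cm.setCookie('session_id', 'abc123');   // allowed before consent
  cm.setCookie('_ga', 'GA1.2.1');         // deferred: analytics needs opt-in
  cm.setCookie('ad_profile', 'seg42');    // deferred: advertising needs opt-in
  const onLanding = jar.names();          // ['session_id']
  cm.recordConsent({ analytics: true, advertising: false }); // user clicked "Save choices"
  const afterConsent = jar.names();       // ['_ga', 'session_id']
  cm.withdrawConsent('analytics');
  const afterWithdrawal = jar.names();    // ['session_id']
  return { onLanding, afterConsent, afterWithdrawal };
}

console.log(JSON.stringify(demo()));
```

In a real page the CookieJar would write document.cookie (with Secure and SameSite attributes) or, better, gate the loading of the third-party analytics and advertising scripts themselves, since those scripts set their own cookies once loaded; recordConsent would be wired only to the banner’s Save button, and describeCookies would feed the banner’s cookie list.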

  3. You cannot use a cookie wall that blocks access to your website until the user consents to cookies – this is not valid consent under the high GDPR standard

Have you visited a website recently where you could not view the content because a banner blocked the page until you agreed to the use of non-essential cookies, or of all cookies?

The ICO says that “using a blanket approach such as this is unlikely to represent valid consent. Statements such as ‘by continuing to use this website you are agreeing to cookies’ is not valid consent under the higher GDPR standard.”

This again underlines that under GDPR consent must always be freely given, specific, informed and unambiguous.

  4. You cannot rely on “legitimate interests” in place of consent for non-essential cookies

PECR always requires consent for non-essential cookies. The ICO has made it clear to website operators that the GDPR’s “legitimate interests” lawful basis cannot be used to set non-essential cookies without the user’s consent.

So how seriously is the ICO taking GDPR breaches?

The simple answer to this question is VERY!

The ICO has recently issued notices of its intention to fine Marriott and British Airways a combined total of almost £300m for breaching the GDPR. It had the power to go higher: the GDPR allows fines of up to €20 million or 4% of the company’s global turnover for the preceding financial year, whichever is the greater.

This is a stark warning to all organisations holding personal data that the ICO is investigating non-compliance and issuing fines.

If you would like to make sure your company is fully GDPR compliant, or would like to discuss any issues around your approach to protecting both your customer and employee data, please call Carys Thompson on 0114 252 1420 or email Carys at 
