The ICO (Information Commissioner’s Office) has published new guidance on the use of cookies, which now means that pretty much everyone’s website (yours included) is in violation of their guidance. But this is one of those rare instances where I’m not sure if I agree with them. 

Cookies are simple little things but the use of them is getting increasingly complex. The rules on their use are covered in the Privacy and Electronic Communications Regulations (PECR), not GDPR. However, some of PECR’s key concepts are now defined based on GDPR standards – such as the standard of consent. 

To clarify: a cookie is a small piece of data that a website places on your device, generally either to make the website work (known as essential cookies) or to enable the website to feed back information about your usage (the non-essential cookies). Most of us are aware of the ‘this website uses cookies’ banner that appears, and we all merrily click ‘yes’ because we aren’t really that bothered, and digging into the options and selecting stuff is time consuming when we just want to read the page.

The latest ICO guidance says that opt-in permission needs to be explicitly given (not just by the user clicking “OK”) BEFORE the non-essential cookies are placed, but the vast majority of websites actually place both the non-essential and the essential cookies onto a user’s device as soon as they visit the page. For a website to be compliant, the cookie permission banner should now tell you that it is placing the cookies that are essential to the running of the website, and then ask you to specifically choose to accept the non-essential cookies that are used to track your usage (those that feed Google Analytics or the like).

Installing non-essential cookies enables a website to use a person’s own computer for the website’s benefit, and so permission needs to be granted; it can’t just be taken. These cookies offer no benefit to the user, and so I’m pretty sure that most people won't choose to enable them. This will mean that companies being good and following the advice to the letter will capture almost no analytics data.

The often-used ‘by continuing to use this website you are agreeing to cookies’ is not valid consent under the higher GDPR standard either.
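As an added illustration (not code from the original post), here is a small JavaScript consent gate modelling the two-tier behaviour described above: essential cookies are set on the first visit, analytics cookies only once an explicit opt-in has been recorded, and a dismissed banner or continued browsing never counts as consent. The cookie names, the consent cookie's values and the list of requested cookies are assumptions for the example.

```javascript
// Cookie names that the site treats as essential (hypothetical list for this
// example; a real site would derive it from its cookie audit).
const ESSENTIAL_COOKIES = new Set(["session_id", "csrf_token", "cookie_consent"]);

// Cookies the site would like to set on a page view (constructed sample).
// _ga and _gid are the usual Google Analytics cookies; session_id is essential.
const REQUESTED_COOKIES = [
  { name: "session_id", category: "essential" },
  { name: "_ga", category: "analytics" },
  { name: "_gid", category: "analytics" },
];

// Parse a Cookie request header such as "a=1; b=2" into a plain object.
function parseCookieHeader(header) {
  const cookies = {};
  for (const part of (header || "").split(";")) {
    const eq = part.indexOf("=");
    if (eq < 0) continue; // bare token without a value: ignore it
    const name = part.slice(0, eq).trim();
    if (name) cookies[name] = part.slice(eq + 1).trim();
  }
  return cookies;
}

// Only a stored, explicit opt-in counts as consent. A missing record, a
// dismissed banner or "kept browsing" all evaluate to false, matching the
// point that implied consent is not valid.
function analyticsConsentGiven(cookies) {
  return cookies.cookie_consent === "analytics-accepted";
}

// Return the subset of requested cookies the site may set right now:
// essential ones always, analytics ones only after the opt-in is recorded.
function cookiesAllowedToSet(requested, cookieHeader) {
  const optedIn = analyticsConsentGiven(parseCookieHeader(cookieHeader));
  return requested.filter(
    (c) => ESSENTIAL_COOKIES.has(c.name) || (optedIn && c.category === "analytics")
  );
}

// Set-Cookie value recording the banner choice. Only the explicit "accept"
// button yields an opt-in; any other outcome (reject, close, ignore) is a refusal.
function consentSetCookie(choice) {
  const value = choice === "accept" ? "analytics-accepted" : "analytics-rejected";
  return `cookie_consent=${value}; Path=/; Max-Age=15552000; SameSite=Lax; Secure`;
}
```

On a server this would run before any analytics script tag is emitted, so that the banner's explicit choice, not the page load, is what allows the tracking cookies to be set.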

We are yet to see a company be prosecuted for this violation, but it doesn’t mean that it won’t happen in the future or that a civil class action lawsuit won’t target violators as we’re currently seeing with the Supreme Court ruling on Google’s abuse of cookies in Safari many years ago. 

The ICO says: “Our updated guidance is based on the basic information rights principles of fairness, transparency and accountability. Being fairer, more transparent and accountable to the people who use your website will increase their trust and confidence in you. And that benefits everyone. Cookie compliance will be an increasing regulatory priority for the ICO in the future. However, as is the case with all our powers, any future action would be proportionate and risk-based. Start working towards compliance now - undertake a cookie audit, document your decisions, and you will have nothing to fear.” 

The flip side of that is that someone has to “pay the piper” - websites need analytics in order to improve the user experience and some need to target advertising to provide better revenue streams. Speaking personally, I’d prefer to see personalised adverts because they are more likely to be relevant to me so the idea of putting more obstacles in the way of this stuff and basically destroying a website’s ability to collect analytic information seems odd. Sure, it might be technically correct to the letter of the law but sometimes those laws aren’t great in practice, in my humble opinion. 

Either way, given that we’re now at the mercy of both ICO prosecutions and potential class action prosecutions, we all need to consider our decisions very carefully.