GDPR & Cookies
August 13, 2020 | 5 min read

Brexit and the ICO Guidelines on Cookie Consent: How to be compliant after the transition period


The end of the Brexit transition period is quickly approaching – and publishers are wondering if their data strategy will still be compliant with the law in 2021. Our guide will advise you on what to consider and how to adapt to the new requirements.

Important to know: During the transition period, EU law (including the GDPR) continues to apply directly to the UK, and the UK will be treated as if it were a member state for the purposes of that law. After the transition period, the UK government will implement the GDPR into UK national law (creating a “UK GDPR”).

In July 2019, the Information Commissioner’s Office (ICO), the local data protection authority in the United Kingdom, issued its Guidelines on Cookie Consent, which need to be considered by publishers using cookies and similar technologies on their websites for advertising purposes.

Although the ICO’s requirements on Cookie Consent are very similar to the ones effective in the rest of the EU, there are some small but significant differences worth knowing to get ready for 2021, as the transition period ends on December 31, 2020.

Here are the most important specifications as stated in the ICO Guidelines. 

What clarification is given on the distinction between first-party and third-party cookies?

In contrast to the German Datenschutzkonferenz (DSK), which does not give an indication in this respect, the ICO distinguishes between first-party cookies (set directly by the website that the user visits) and third-party cookies (cookies that are set by a domain other than the one visited by the user).

How the user should be informed:

Regardless of whether a cookie is classified as first-party or third-party, the information given to the user must also include everything required under the GDPR’s transparency requirements. The user must be informed about each of the cookies set. The minimum information is therefore:

  • details of the cookies you intend to use
  • duration of the cookies 
  • the purpose for which you intend to use the cookie

The information should be clear and comprehensible but at the same time as user-friendly as possible.

Also, if applicable, third-party cookies need to be listed and their use has to be explained. Therefore, any information provided to users on third-party cookies should be clear and highlighted in a prominent place.

According to the ICO, the user must be informed about the use of cookies when he or she first visits the service. A more detailed description of the cookies used and all necessary information can be provided in the privacy or cookie policy. A link to the policies has to be provided together with the information on the homepage of the respective service. The ICO suggests the following wording: “Find out more about how our site works and how we put you in control”.

How should consent be implemented? 

The requirements for implementation in the UK are the same as for the rest of the European Union under the GDPR. For consent to be valid it must be freely given, informed, specific and unambiguous. The consent requires an affirmative opt-in to ensure that it is not ambiguous.

Special attention must be given to the following: 

  • Do not use pre-ticked boxes or any other method of default consent. Explicit consent requires a very clear and specific statement of consent. Scrolling and continuing to use the website cannot be considered valid consent.
  • Refusing consent should not disable access to the site. Moreover, the options to accept and to refuse need to be presented the same way.
  • According to the ICO, the user must be able to consent to specific purposes. The controller needs to provide granular options to consent separately for different purposes, unless this would be unduly disruptive or confusing.
  • Cookies and other tracking technologies must not be pre-loaded but be blocked until the user has given his or her consent to the processing of the data.

There are two exceptions where no consent has to be obtained, as other legal bases apply: the communications exemption and the strictly necessary exemption. Under the communications exemption, consent isn’t required when the cookies are necessary for the sole purpose of carrying out the transmission of the communication over an electronic communications network. The strictly necessary exemption doesn’t require consent for cookies that are strictly necessary to provide an Information Society Service explicitly requested by the subscriber or user.

Guidance regarding withdrawal of consent

Withdrawing consent has to be made as easy as giving it. Information about how to withdraw consent and how to remove cookies has to be provided, and the consent has to be renewed when there are changes in the processing.

Further guidance from the ICO:

  • The consent requests should be kept separate from other terms and conditions. Keeping evidence of the consent (“who, when, how, and what you told people”), which is documented via a Consent Management Platform (CMP), is very important to comply with Art. 7 GDPR.
  • A website owner should avoid requiring consent for processing as a precondition to use their service.
  • Analytical cookies are not to be classified as strictly necessary technologies, and the affirmative consent of the user is necessary to get a legal basis for the processing of data.
  • The implementation of so-called “Cookie Walls” is not advised by the ICO, as this may be considered inappropriate in some circumstances when the user is forced to make a decision. When using a cookie wall, consent wouldn’t be freely given. In some circumstances it might however be accepted that a cookie wall is implemented for specific website content. This means that the cookie wall can’t block access to the website in general, but only to specific content, depending on the circumstances and if there is a legitimate interest.

For more info on the general use of cookies and similar technologies, see the ICO’s FAQ section.

Is Usercentrics compliant with the ICO requirements? 

Usercentrics complies with all the requirements set by the ICO – with only one exception: 

Usercentrics can’t provide information about the lifespan of the set cookies since each website owner can manually set a lifespan for their cookies. The information does not have to be provided on the first layer though (when first visiting the service). The website owner can reach full compliance with the requirements of the ICO by providing all necessary information about cookies, including the lifespan of cookies, for example, in the privacy policy. 

 

Authors: Carolin Weißofner & Theodora Zamanakou, Legal Team Usercentrics

DISCLAIMER

The decision to implement a data protection-compliant CMP is ultimately at the discretion of the data protection officer and/or the legal department.

These statements do not constitute legal advice. They merely serve to support and inform you about the current legal situation with respect to the implementation of a CMP solution. Please consult a qualified lawyer should you have any legal questions.
