Brexit and the ICO Guidelines on Cookie Consent: How to be compliant after the transition period

The end of the Brexit transition period is quickly approaching – and publishers are wondering if their data strategy will still be compliant with the law in 2021. Our guide will advise you what to consider and how to adapt to the new requirements.

In July 2019, the Information Commissioner’s Office (ICO), the local data protection authority in the United Kingdom, issued its Guidelines on Cookie Consent which need to be considered by publishers using cookies and similar technologies on their websites for advertising purposes. 

Although the ICOs’ requirements on Cookie Consent are very similar to the ones effective in the rest of the EU, there are some small but significant differences worth knowing to get ready for 2021 as the transition period ends on December 31, 2020. 

Here are the most important specifications as stated in the ICO Guidelines. 

In contrast to the German Datenschutzkonferenz (DSK) which does not give an indication in this respect, ICO distinguishes between first-party-cookies (set directly by the website that the user visits) and third-party-cookies (cookies that are set by a domain other than the one visited by the user). 

Regardless of the classification as a third- or first-party-cookie, the information must also include all information required under the GDPR’s transparency requirements. The user must be informed about each of the cookies set. Minimum information is therefore: 

• details of the cookies you intend to use
• duration of the cookies 
• the purpose for which you intend to use the cookie

The Information should be clear and comprehensible but at the same time as user-friendly as possible. 

Also, if applicable, third-party-cookies need to be listed and their use has to be explained.Therefore, any information provided to users on third-party cookies should be clear and highlighted in a prominent place. 

According to the ICO, the user must be informed about the use of cookies, when he or she first visits the service. A more detailed description of the cookies used and all necessary information can be provided in the privacy or cookie policy. A link to the policies has to be provided together with the information on the homepage of the respective  service. The ICO is suggesting a wording as follows: “Find out more about how our site works and how we put you in control”.

The requirements for implementation in the UK are the same as for the rest of the European Union under the GDPR .  For consent to be valid it must be freely given, informed, specific and unambiguous. The consent requires an affirmative opt-in to ensure that it is not ambiguous.

Special attention must be given to the following: 

• Do not use pre-ticked boxes or any other method of default consent. Explicit consent requires a very clear and specific statement of consent. Scrolling and continuing to use the website can not be considered as valid consents. 
• Refusing should not disable the access to the site. Moreover, the options to accept and to refuse need to be presented the same way. 
• According to the ICO, the user must be able to consent to specific purposes. The controller needs to provide granular options to consent separately for different  purposes, unless this would be unduly disruptive or confusing. 
• Cookies and other tracking technologies must not be pre-loaded but be blocked until the user has given his or her consent to the processing of the data. 

There are two exceptions where no consent has to be obtained as other legal bases apply the communications exemption and the strictly necessary exemption. Under the communications exemption consent isn’t required when the cookies are necessary for the sole purpose of carrying out the transmission of the communication over an electronic communications network. The strictly necessary exemption doesn’t require consent for cookies that are strictly necessary to provide an Information Society Service explicitly requested by the subscriber or user.

Withdrawing consent has to be made as easy as giving it. Information about how to withdraw consent and how to remove cookies has to be provided and the consent has to be renewed when there are changes in the processing. 

Further Guidance of the ICO: 

• The consent requests should be kept separate from other terms and conditions. To keep evidence of the consent (“who, when, how, and what you told people” – which is documented via a Consent Management Platform (CMP) is very important to comply with Art. 7 GDPR. 
• A website owner should avoid requiring consent for processing as a precondition to use their service.
• Analytical cookies are not to be classified as strictly necessary technologies and the affirmative consent of the user is necessary to get a legal base for the processing of data.
• The implementation of so-called “Cookie Walls” is not advised by the ICO as this may be considered as inappropriate in some circumstances when the user is forced to make a decision. When using a cookie wall consent wouldn’t be freely given. In some circumstances it might however be accepted that a cookie wall is implemented for specific website content. This means that the cookie wall can’t block access to the website in general, but only to specific content, depending on the circumstances and if there is a legitimate interest.

For more info on the general use of cookies and similar technologies, see the ICOs FAQ section.

Usercentrics complies with all the requirements set by the ICO – with only one exception: 

Usercentrics can’t provide information about the lifespan of the set cookies since each website owner can manually set a lifespan for their cookies. The information does not have to be provided on the first layer though (when first visiting the service). The website owner can reach full compliance with the requirements of the ICO by providing all necessary information about cookies, including the lifespan of cookies, for example, in the privacy policy. 

Authors: Carolin Weißofner & Theodora Zamanakou, Legal Team Usercentrics

DISCLAIMER

The decision to implement a data protection-compliant CMP is ultimately at the discretion of the data protection officer and/or the legal department.

These statements do not constitute legal advice. They merely serve to support and inform you about the current legal situation with respect to the implementation of a CMP solution. Please consult a qualified lawyer should you have any legal questions.