July 12, 2019

UK ICO Releases New Guidance on Cookies and Other Tracking Technologies

The UK’s Information Commissioner’s Office (“ICO”) released expanded guidance on the use of cookies and similar tracking technologies, and the obligations of companies that employ those technologies under the Privacy and Electronic Communications Regulations (“PECR”) and the General Data Protection Regulation (“GDPR”).  The ICO’s guidance is intended to address and clarify some important interpretative questions that have arisen since the GDPR went into effect in May 2018.  Most notably:

  • The guidance makes it clear that the ICO considers “opt-out” consent mechanisms for placing cookies on user devices to be insufficient for situations where consent is required; only affirmative, unambiguous, freely-given consent passes muster.
  • The guidance casts significant doubt over whether the use of cookie walls – i.e., not allowing users into certain areas of a website until they consent to the use of cookies – represents valid consent.  Additional guidance on this point may be forthcoming.
  • The guidance interprets the exceptions to the consent rule very narrowly, potentially expanding the number and types of cookies for which companies are required to acquire consent from users.

The ICO suggests that companies should undertake a “cookie audit” – identifying each cookie, its purpose, its type, whether it is non-essential, etc. – and document their findings and any remedial actions they take based on those findings.  The ICO appears to be signaling that the use of cookies (and similar tracking technologies) may be an enforcement priority in the near future, but that companies have an opportunity now to review and, as necessary, revise their cookie practices before that enforcement ramps up.

ICO guidance