The amended UK regulations provide that cookies may only be placed on machines when the user has given their consent. The only applicable exception to this rule for most website operators is where the cookie is “strictly necessary” for a service requested by the user. While the guidance did not go into great detail on what is “strictly necessary”, it did provide the following information that might be helpful to get a sense of what is covered:
- Cookies used to implement a shopping cart may fall under the “strictly necessary” exception, if the cookies are necessary to ensure that items selected on previous pages are available during check-out. However, the ICO stressed that this exception is very narrow and would not apply to cookies used to make the website more attractive by remembering users’ preferences.
In addition, the guidance offers helpful practical considerations for obtaining consent to place cookies. For example:
- Although the rules go into effect soon, the ICO recognized that complying with the new rules will be a process and suggested that companies create a realistic plan to achieve compliance. In this regard, companies should prioritize obtaining consent for the most “intrusive” uses of cookies (e.g., creating a detailed profile of a user’s browsing history) before obtaining consent for less intrusive uses of cookies (e.g., collecting aggregate information on unique page views). From an enforcement point of view, the ICO indicated that it would treat companies with a plan to get into compliance “very differently” from companies that decide not to change their current practices.
- The ICO also indicated its belief that most current browser settings are not sophisticated enough to allow a website operator to assume a user has given consent to allow cookies. As a result, it advises that companies use another mechanism to obtain consent for now. In this regard, the ICO acknowledges that website operators may need to use a variety of solutions depending on the nature of the cookies used on their websites. The guidance discusses several different options, including pop-ups or splash pages and tick boxes confirming agreement to new terms and conditions, and it addresses situations where a user’s action, when coupled with proper disclosure, would be sufficient consent.
Interestingly, the guidance did not provide details about how to properly disclose and receive consent for third-party advertising cookies. The ICO suggested that this “may be the most challenging area in which to achieve compliance with the new rules” and indicated that it will continue to work with industry and other European data protection authorities to develop compliant solutions.