
Beware the regulators…
Regulators will be clamping down in this area, so it is important for you to know what changes have come about and the practical steps you need to take in order to avoid enforcement action.What’s changed?
The UK Information Commissioner?s Office (ICO) published its updated?guidance on cookies in July 2019 and many other data protection authorities across Europe have been doing the same. The guidance isn?t really that surprising to privacy practitioners. The laws on cookies have actually been in place since 2002 and GDPR, which also applies given cookies involve the processing of personal data, has been in force for over a year.You then need consent for the use of all non-essential cookies. This consent must be obtained before?the cookies are installed. Similarly, there also needs to be a clear ability to reject the cookies and turn them off later.However, because there hadn?t been specific guidance on what the regulators expected from companies and because the old cookie laws have been under review recently, many companies had taken a ?wait and see? approach rather than making significant changes to their cookie strategy and approach.
What’re the rules?
Such an approach is now far riskier, as the regulator has made its position very clear. These rules apply now, and whilst some countries have given companies a transition period to comply with their new guidance (notably, France), the UK hasn?t since it views the guidance really as just clarifying what the law has been for some time. What do I need to do?

- All ?non-essential? cookies
- Analytic cookies such as Google Analytics (but if you are using your own non-obtrusive cookies for matters such as basic web measurement, that is low risk)
- Marketing cookies and pixels
- Personalisation cookies. For example, cookies that personalise the content of services whether by making recommendations or tailoring the experience for that user
- Cookies used to track interactions with email communications. For example, if you use cookies to track who is opening e-newsletters
- Essential security cookies
- Essential e-commerce cookies, for example, those that are needed to remember what a shopper had in their basket
- Cookies required to make the transmission of communication possible
- Load balancing cookies
- Intranet cookies
?How to acquire consent


- There must be a clear affirmative action.?Silence or inaction or wording (regularly seen in currently in cookie notices) along the lines that ?by continuing to use this site you give your consent?, is not valid
- You can?t use default consent settings such as pre-ticked boxes or sliders set to ?on?
- You have to give clear information about the cookies (ie what types/purposes) before they give consent
- You have to provide a means to control the cookies ? ie turn them off.
- You can?t put in place a cookie wall ? ie block users from a site or content until they agree to the cookies
- The consent can?t ?nudge? the individual towards a particular option ? ie emphasising the accept over the reject
- Just putting a link to ?more information? or ?settings? where opt-outs or rejections is explained is not sufficient
Sign up to our newsletter to get the latest from Business Advice.