Until recently, for most of us, cookies were something best enjoyed fresh out of the oven and with plenty of chocolate chips. However, with the commencement of GDPR this month and the race for compliance, you can’t visit the most basic website without being flashed with a cookie policy or banner.
Interestingly, cookies are only referred to once in the entire GDPR, Recital 30, though it is an important inclusion as it associates cookies with natural person identifiers and, as such, catagorises cookies as personal data under the remit of GDPR protection.
Until 25 May 2018 the use of cookies was regulated under a 2009 amendment to The Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR), more catchily known as the “Cookie Directive” (disappointingly, not a chocolate chip in sight). There is some difference of opinion in the privacy community whether the Cookie Directive is now overruled by the GDPR or simply incorporated in it. Buried in GDPR itself in Article 95 (of 99), PECR is mentioned and its relationship with GDPR is set out. In that Article it states that GDPR will not impose any additional obligations over and above those in PECR in relation to “provision of publicly available electronic communications services”. This appears to revalidate PECR (and, by extension, the Cookie Directive”) as still in force.
Some of the most talked about provisions of GDPR are that of consent. Consent needs to be “a clear affirmative action … freely give, specific, informed and unambiguous” (Recital 32). GDPR explicitly states that, “Silence, pre-ticked boxes or inactivity should not therefore constitute consent”.
This is set out clearly on the ICO website, “Consent requires a positive opt-in. Don’t use pre-ticked boxes or any other method of default consent.” Now here is where it can be a bit confusing. Whilst reading this very clear guidance, if one hovers over the bottom left corner of the page (or any page on the ICO website) on the attractive little star cookie icon the following pop up (it's http://civicuk.com/cookie-control, their copyright etc, a tool many of our clients use on their sites) appears:
As far as default consent goes that pretty much takes the biscuit (apologies).
Don’t worry, the ICO haven’t turned their back on privacy or failed to become GDPR compliant (unlike others, yes EU commission we are referring to you). A closer look at the ICO’s cookie policy reveals that the cookies used are rather impersonal, some collect anonymous data, others are session cookies that delete when someone closes the browser. Unsurprisingly, there are no marketing cookies or others that are more intrusive. Under the Cookie Directive, you don’t need a positive affirmative action to consent to this level of cookies. The cookie pop up the ICO is using is in-line with standards outlined. It therefore appears that, to the ICO at least, the Cookie Directive is still in force and not overruled by the more general rules on consent in GDPR. Though, it would be interesting to take note if all websites who have similar pop ups, and this seems to be one of the most popular types, have cookies that are as innocuous.
As GDPR compliance rolls out, it will be interesting to see whether member state legislation will fill in the gap and either directly incorporate the Cookie Directive or not.
[1] GDPR Recital 32