• Henry Park

Updated Cookie Guidance

The UK ICO and the French CNIL both released updated guidance on cookies this summer (see ICO July 3 2019 guidance and CNIL July 23 2019 guidance).

A few key takeaways are:

1. The "cookie" guidance covers more than just cookies. It covers any technology that stores or accesses information on the user's device.

2. "Strictly Necessary" cookies do not require consent.

3. Other than "Strictly Necessary" cookies, consent is required before any cookies are set on the user's device.

4. Cookie consent cannot be bundled into terms and conditions or a privacy notice.

5. You cannot pre-enable non-essential cookies. This means that when you present a user with the option to manage their cookies, non-essential cookies should default to "off".

6. You cannot obtain implied consent via the continued use of a website.

For example, the following cookie pop-up notice on a major US newspaper is likely invalid.

First, the notice says that "use of the site" will be taken as consent to the use of cookies. Second, the user is presented with the choice to "Accept" cookies, but the ability to not accept cookies is hidden within the Cookie Policy. Third, in the Cookie Policy, the default position is that the user has opted into non-essential cookies instead of opted out.

Image by Andrew Magill on Flickr licensed under CC BY 2.0.

#cookies #GDPR #privacy