99% of all websites are now in violation of ICO Guidance
Simon Clayton, chief ideas officer at RefTech, says that running a website just got that bit harder
Cookies are simple little things but the use of them is getting increasingly complex. The rules on their use are covered in the Privacy and Electronic Communications Regulations (PECR), not GDPR. However, some of PECR’s key concepts are now defined based on GDPR standards – such as the standard of consent.
The latest ICO guidance says that opt-in permission needs to be explicitly given (not just by the user clicking “OK”) BEFORE any non-essential cookies are placed, but the vast majority of websites actually place both non-essential and essential cookies on a user’s device as soon as they visit the page. For a website to be compliant, the cookie permission banner should now tell you that it is placing the cookies that are essential to the running of the website and then ask you to specifically choose to accept the non-essential cookies that are used to track your usage (those that feed Google Analytics or the like).
Installing non-essential cookies enables a website to use a person’s own computer for its own benefit, so permission needs to be granted; it can’t just be taken. These cookies offer no benefit to the user, and so I’m pretty sure that most people won't choose to enable them. This will mean that companies that do the right thing and follow the advice to the letter will capture almost no analytics data.
The often-used ‘by continuing to use this website you are agreeing to cookies’ is not valid consent under the higher GDPR standard either.
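As an added example (not the author's, RefTech's or the ICO's code) of the banner behaviour described above, and of why “continuing to use” is not consent: a small consent-gating module in which essential cookies are always allowed, analytics cookies and the analytics script are permitted only after an explicit accept, and dismissing or ignoring the banner changes nothing. The cookie names, action names and tag URL are assumptions.

```javascript
// Added example: gate non-essential cookies behind an explicit opt-in.
// Cookie names and the analytics URL are assumed placeholders.

const ESSENTIAL_COOKIES = new Set(['session_id', 'csrf_token']); // assumed: needed to run the site
const NON_ESSENTIAL_COOKIES = new Set(['_ga', '_gid']);          // assumed: analytics / tracking

// Consent record. `analytics === null` means no choice has been made yet,
// which must be treated exactly like a refusal.
function createConsentState() {
  return { analytics: null, recordedAt: null };
}

// Only a positive, specific action changes the state. Dismissing the banner,
// scrolling, or "continuing to use the website" leaves it untouched.
function recordChoice(state, action, now = new Date()) {
  switch (action) {
    case 'accept-analytics':
      return { analytics: true, recordedAt: now.toISOString() };
    case 'reject-analytics':
      return { analytics: false, recordedAt: now.toISOString() };
    default:
      return state; // 'dismiss', 'scroll', 'navigate', ...: not consent
  }
}

// Whether a cookie with this name may be set right now.
function maySetCookie(state, name) {
  if (ESSENTIAL_COOKIES.has(name)) return true;                       // essential: no consent needed
  if (NON_ESSENTIAL_COOKIES.has(name)) return state.analytics === true; // non-essential: opt-in only
  return false;                                                         // unknown cookie: deny by default
}

// Non-essential cookies already on the device that must be expired because
// consent is absent or has been withdrawn. `presentNames` lists cookie names currently set.
function cookiesToExpire(state, presentNames) {
  if (state.analytics === true) return [];
  return presentNames.filter((n) => NON_ESSENTIAL_COOKIES.has(n));
}

// Load the analytics tag only after consent. `inject` is supplied by the caller
// (in a browser: create a <script> element) and is never called without consent.
function loadAnalyticsIfConsented(state, inject) {
  if (state.analytics !== true) return false;
  inject('https://analytics.example/tag.js'); // placeholder URL
  return true;
}

// Browser wiring (not run here): on the banner's "Accept analytics" click,
//   state = recordChoice(state, 'accept-analytics');
//   loadAnalyticsIfConsented(state, (src) => {
//     const s = document.createElement('script'); s.src = src; document.head.appendChild(s);
//   });
```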
The ICO says: “Our updated guidance is based on the basic information rights principles of fairness, transparency and accountability. Being fairer, more transparent and accountable to the people who use your website will increase their trust and confidence in you. And that benefits everyone. Cookie compliance will be an increasing regulatory priority for the ICO in the future. However, as is the case with all our powers, any future action would be proportionate and risk-based. Start working towards compliance now - undertake a cookie audit, document your decisions, and you will have nothing to fear.”
The flip side of that is that someone has to “pay the piper” - websites need analytics in order to improve the user experience and some need to target advertising to provide better revenue streams. Speaking personally, I’d prefer to see personalised adverts because they are more likely to be relevant to me so the idea of putting more obstacles in the way of this stuff and basically destroying a website’s ability to collect analytic information seems odd. Sure, it might be technically correct to the letter of the law but sometimes those laws aren’t great in practice, in my humble opinion.
Either way, given that we’re now at the mercy of both ICO prosecutions and potential class-action claims - we all need to consider our decisions very carefully.