Cookie guidance updated
Last week, the ICO published their updated guidance on the use of cookies and other similar technologies. This is to be welcomed as there were some perceived areas of ambiguity that would sometimes cause confusion. The ICO have also published a useful myth-busting blog which provides some clarity around these misconceptions.
It’s interesting to see it confirmed that GDPR-level informed consent is required to drop a ‘non-essential’ cookie regardless of what it does and what information it collects. The old concept of implied consent is dead.
What’s changed?
The so-called “cookie law” of 2011 required ‘consent’ to drop any ‘non-essential’ cookies regardless of whether personal data was collected or not. To be clear, the concept of “non-essential” cookies is not a new one. The ICO’s 2012 guidance on cookies said implied consent (i.e. an opt-out rather than an opt-in) was permitted: “Implied consent has always been a reasonable proposition in the context of data protection law and privacy regulation and it remains so in the context of storage of information or access to information using cookies and similar devices.”
As we are all more than aware, GDPR raised the bar on what constitutes valid consent, and the ICO’s latest guidance confirms: “There is no definition of consent given in PECR or in the ePrivacy Directive; instead, the GDPR definition of consent applies”. Users must therefore take, in the words of the Regulator, “a clear and positive action to consent to non-essential cookies”, and “pre-ticked boxes or any equivalents, such as sliders defaulted to ‘on’, cannot be used for non-essential cookies”.
This could not be clearer.
So, what’s an essential cookie?
An essential cookie is one that’s ‘strictly necessary’ for the functioning of your online service, not one that is ‘important’. The ICO guidance states: “The ‘strictly necessary’ exemption means that storage of (or access to) information should be essential, rather than reasonably necessary. It is also restricted to what is essential to provide the service requested by the user. It does not cover what might be essential for any other uses that you might wish to make of that data. It is therefore clear that the strictly necessary exemption has a narrow application.”
The guidance stresses that where a cookie is deemed ‘important’ rather than ‘strictly necessary’, there is a requirement to obtain consent. The ICO offers some helpful clarification of what would constitute an essential cookie, for example:
- A cookie used to remember the goods a user wishes to buy when they go to the checkout or add goods to their shopping basket
- Cookies that are essential to comply with the GDPR’s security principle for an activity the user has requested – for example in connection with online banking services
- Cookies that help ensure that the content of a page loads quickly and effectively by distributing the workload across numerous computers (this is often referred to as ‘load balancing’ or ‘reverse proxying’)
Analytics cookies are not essential
The ICO guidance also provides the following example of a non-essential cookie:
- Cookies used for analytics purposes e.g. to count the number of unique visitors to a website
The Regulator says it recognises that analytics provide businesses with useful information, but says they’re not part of the functionality that a user requests when they use an online service. It states: “if you didn’t have analytics running, the user could still be able to access your service. This is why analytics cookies aren’t strictly necessary and so require consent.”
What does this mean for business?
While many might have already concluded this is what 100% compliance would require, this may have come as a nasty shock to those businesses who have not yet worked through the implications of this clarification. All website operators need to review their cookie consent notices even if all they were doing was managing anonymised cookie data to review overall website traffic patterns and popularity of individual pages. Even for basic analytics cookies, which may collect limited or no personal data at all, businesses will have to switch to an active opt-in to be compliant. If they cannot secure cookie consent, businesses are going to have to think again about how to understand how their sites perform with their customers.
One might argue that businesses have spent significant time and money creating a website or app using analytics to fine tune their content to be relevant and interesting for their audience. And, of course, this is precisely the case that businesses need to make to consumers in an open and transparent way to gain informed consent. If the consumer can see what’s in it for them, they will consent because what the consumer wants is control and a balanced value exchange between themselves and business.
Are there non-cookie tracking alternatives?
Julia Porter, July 2019
DPN Data Protection Services
Copyright DPN
The information provided and the opinions expressed in this document represent the views of the Data Protection Network. They do not constitute legal advice and cannot be construed as offering comprehensive guidance on the EU General Data Protection Regulation (GDPR) or other statutory measures referred to.