ICO publish consent guidance and update cookie consent rules

We’ve been waiting for some time, for the Information Commissioner’s Office (ICO) to publish it’s final consent guidance. It’s been in draft since March last year and waiting on the Article 29 Working Party’s own guidance.

Last week however, they published their final guidance. You can read it here: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/consent/.

There’s not many differences from the original draft from last year other than the removal of the time limit on how long consent lasts – they were indicating probably around 2 years, but now they have used more general wording about when it is most appropriate to do so.

They have also updated their cookie guidance to fall into line with GDPR.

Cookies and consent

Now, this is an area that most organisations have probably overlooked. There was a small mention of consent and cookies in the draft guidance and this is still in the final consent guidance too, but essentially where you need consent for cookies (and there are very limited exemptions to cookie consent) that consent will need to be GDPR compliant.

This is a significant change for most organisations that are using cookies. Essentially if you are using non-essential cookies (e.g. for Google Analytics) you need to now get GDPR compliant consent to continue to use them. So, if like most businesses, you are using the generic “we use cookies, read about it in our cookie policy and click OK to say you are happy for us to use cookies (or turn them off in your browser)” wording, you will not be compliant come the 25th May as your cookie consent now needs to be GDPR compliant, meaning:

  • You can’t use the existing “implied” consent
  • You must set out clearly what cookies you are using
  • You must seek positive opt-in to use cookies meaning you will need to make sure you provide an option to website visitors to opt-in to your use of cookies (the cookie guidance says “To ensure that consent is freely given, users should be able to disable cookies, and you should make this easy to do“)
  • You must be able to demonstrate that consent for cookies was given

In the cookie guidance from the ICO it is noted “The ICO will take a risk-based approach to enforcement in this area, in line with our regulatory action policy” which may indicate some levity unless you’re collecting personal data (particularly special categories of personal data), so maybe we’ll see what comes of any enforcement in this area. That said, if you’re using cookies that track behaviour (which could include things like Hubspot’s functionality for building up a profile of inbound marketing leads) you are potentially at risk from non-compliance…