[Please note this article was published in May 2018, since then the ICO’s approach has changed, with new cookie guidance as explained in this new article]
We’ve been waiting for some time, for the Information Commissioner’s Office (ICO) to publish it’s final consent guidance. It’s been in draft since March last year and waiting on the Article 29 Working Party’s own guidance.
Last week however, they published their final guidance. You can read it here: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/consent/.
There’s not many differences from the original draft from last year other than the removal of the time limit on how long consent lasts – they were indicating probably around 2 years, but now they have used more general wording about when it is most appropriate to do so.
They have also updated their cookie guidance to fall into line with GDPR.
Cookies and consent
Now, this is an area that most organisations have probably overlooked. There was a small mention of consent and cookies in the draft guidance and this is still in the final consent guidance too, but essentially where you need consent for cookies (and there are very limited exemptions to cookie consent) that consent will need to be GDPR compliant.
- You can’t use the existing “implied” consent
- You must set out clearly what cookies you are using
- You must be able to demonstrate that consent for cookies was given
In the cookie guidance from the ICO it is noted “The ICO will take a risk-based approach to enforcement in this area, in line with our regulatory action policy” which may indicate some levity unless you’re collecting personal data (particularly special categories of personal data), so maybe we’ll see what comes of any enforcement in this area. That said, if you’re using cookies that track behaviour (which could include things like Hubspot’s functionality for building up a profile of inbound marketing leads) you are potentially at risk from non-compliance…