The ICO has updated guidance around the use of cookies

It’s been a long time coming, but the ICO has finally published its long-awaited Cookie Guidance Policy. While they may be guidelines, there is also a legal obligation to comply. It is the Regulators official new guidance on their interpretation of the legislation and the courts will take notice of it…

This means that your existing Cookie Policy may well need updating.

Here are some of the most important updates to the ICO’s cookie guidelines:

Not all cookies are equal:

Some cookies are essential for a website to operate, if a cookie is essential and ‘necessary’, then you need to be transparent about their presence, but permission to use is not required. However, any cookie which is not strictly ‘necessary’ to the operation of the site, for example Google Analytics, well, for these you need permission to use.

You must not rely on implied consent:

Up until now, it was acceptable for websites to have users agree to ‘implied consent’. This meant having a line in their Cookie Policy which read something to the effect: “By continuing to browse this website, the user consents to the use of cookies”. This is no longer permitted, and an affirmative opt-in action is now required for non-essential cookies.

Supply more detailed cookie-usage information:

Not only must users actively opt-in, usually with a tick-box, link or pop-up, but they must also have access to all information about the cookies that your site uses.

At the moment, the majority of sites have a link on it somewhere with the words ‘Cookie Policy’ that users can choose to click on to access further information. However, the guidance now states that websites need to make it clearer what information this link provides.

Third parties must be made obvious and avoidable:

Third party companies must also be clearly named (such as Facebook pixels) and should explain how these third parties use any information gathered through cookies. This includes Google Analytics or any other tracking tool. If users do not opt-IN to use Google Analytics, then you cannot record time spent on pages. The Regulator argument here is that your website functionality is not affected by analytics as such and therefore, they are not essential.

Your chosen cookie consent mechanism must enable users to refuse cookies from your third parties, if this isn’t possible through your mechanism then you simply shouldn’t use third party cookies.

You must not try to influence your users:

Pre-ticking boxes that say ‘Allow’ ‘Agree’ or ‘Accept’, or using sliders set to ‘On’ is influencing the user and is no longer permitted. ‘Accept all’ on permission walls should be used with caution – for example, only if options are on one page with a clear link to a cookie policy explaining what they do. The number of options should be limited too. Similarly, all buttons and options must be the same size so as not to influence the user’s decision.

Do not block users from accessing your content who have denied cookies:

If a user chooses to deny the use of cookies, you are not permitted to deny them from accessing any of your website content. Cookie consent must be “freely given” and changing accessibility to content goes against this rule.

If you’re worried about your Cookie Policy breaking any of these updated GDPR laws and guidelines, then get in touch with our team. We are specialists, so we can help to keep your company, your clients, and your reputation safe.

Call us on 01673 88 55 33 for more information today.

How do I measure GDPR compliance?

Let us ease your mind

If you have any queries, questions or requests then please get in touch. We’re always very happy to talk, you’ll find a friendly voice on the end of the line or simply fill out the form below.










This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.