A cookie is a small text file that gets stored on a user's device, such as a computer or smartphone, when they visit a website. This file helps the website recognize the device and remember certain details about the user, like their preferences or previous interactions with the site.
What do we need to do to comply?
The rules on cookies are set out in regulation 6. The main requirements are:
Inform users that cookies are being used.
Explain the purpose of the cookies and how they work.
Obtain the user’s consent before storing cookies on their device.
As long as this information is provided when cookies are first set, it does not need to be repeated every time the same person revisits the site. However, since multiple people may use the same device, it may be a good practice to repeat the notice periodically.
If the way cookies are used changes over time, fresh consent may be necessary.
What else is covered, apart from cookies?
While this guide mainly discusses cookies, regulation 6 also applies to any technology that stores or accesses data on a user’s device. This includes Local Shared Objects, also known as Flash cookies, and various other technologies, such as apps on smartphones, tablets, smart TVs, or other internet-connected devices.
The rules also prohibit spyware and any hidden tracking software that downloads onto a user's device and monitors activity without their consent.
What information must we give users?
The law does not specify exactly what details must be shared with users or how they should be presented. However, the information must be clear and thorough. Users need to understand what cookies (or similar technologies) do and why they are being used.
It is essential that this explanation is easy to find and simple enough for users to understand. People should be aware of the possible effects of enabling cookies. The level of detail and language used should be appropriate for the intended audience.
These transparency requirements align with those set by the GDPR for privacy notices.
What counts as consent?
For consent to be valid, it must be freely given, specific, and informed. It should involve a clear, positive action, such as ticking a box or clicking a link, and the user must fully understand that they are providing consent. Simply mentioning cookies in a privacy policy that is hard to locate, complex, or rarely read does not count as valid consent. Likewise, non-essential cookies should not be set as soon as a user lands on a website’s homepage, before the user has actively agreed to them.
Consent does not always have to be explicit, but it must be given through a clear action. Users should be fully aware that their actions will result in specific cookies being set, and they must take intentional steps to approve them. Continuing to browse a website without taking any direct action does not qualify as consent. To ensure it is given freely, users must have the option to enable or disable non-essential cookies, and this process should be straightforward.
Extra caution is required when obtaining consent for cookies that collect sensitive personal information, such as health data, or those used for behavioral tracking. The ICO follows a risk-based approach when enforcing these rules, in line with its regulatory policies.
Do we need consent from the subscriber or from the user?
Regulation 6 requires that consent be obtained from either the subscriber or the user.
In practice, it may not always be possible to distinguish between the two. For this reason, valid consent given by either the subscriber or the user will be considered sufficient.
The regulations do not specify whose preference should take priority if there is a conflict. If a subscriber or user previously provided consent, but the current user of the same device later objects, the most recent choice should be followed. This ensures that the preferences of the current user are always respected, even where the subscriber's original choice is not known.
Are there any exemptions?
There are two exemptions where consent is not required:
When the cookie is strictly necessary for transmitting a communication over an electronic communications network.
When the cookie is strictly necessary to provide an online service that the subscriber or user has requested. The cookie must be truly necessary for the service to function: cookies that are useful or convenient but not essential, or that primarily serve the website owner’s needs, still require consent.
Consent is generally not needed for:
Cookies that remember items in an online shopping cart or allow users to complete a purchase.
Session cookies that provide necessary security, such as those used in online banking.
Load-balancing cookies that help distribute traffic efficiently to ensure fast page loading.
Even when consent is not required, it is still recommended to inform users about these cookies to maintain transparency.