Opinion
“We’re now at the mercy of both ICO prosecutions and potential class action
prosecutions, we all need to consider our decisions very carefully.”
banner that appears and we all click
‘yes’ because we just want to read the
page, because digging into the options
and selecting boxes is simply too time-
consuming and provides no discernible
benefit.
The latest ICO guidance says that
opt-in permission needs to be explicitly
given BEFORE the non-essential
cookies are placed, but the vast majority
of websites actually place both the
non-essential and essential cookies
onto a user’s device as soon as they visit
the page, along with a cookies message
asking for consent. For a website to
be compliant, the cookie permission
banner should now tell you that it is
placing the essential cookies and then
ask you to specifically choose to accept
the non-essential cookies (the ones that
feed Google Analytics, etc.).
Permission needs to be granted
Strictly speaking (according to The
Privacy and Electronic Communications
Regulations), the reason this has
changed is all to do with permissions
and ownership. Installing non-essential
cookies enables a website to use the end
user’s computer, so permission needs
to be granted by the user - it can’t just
be taken. These non-essential cookies
offer no real benefit to the user, but
most people are nice (or lazy) and often
choose to accept them anyway, which is
good for us.
The message ‘by continuing to
use this website you are agreeing to
cookies’ is not valid consent under the
higher GDPR standard either, because
companies have already placed the
cookies. This is the IT equivalent of
asking for forgiveness rather than
permission.
A warning marketers
In one corner, we have the ICO, and in
the other we have the marketers, who
will want to ensure that their websites
are still using analytics in order to
measure audience engagement, and to
enable targeted remarketing to provide
better revenue streams. So how do we
comply with the ICO guidance? I talked
to the ICO and they were pretty vague
and non-committal, but they didn’t
shoot down my suggestion which is
that every website needs to now have a
very prominent cookie permission box
with two options; option one would
be ‘accept all cookies’, and option
two should be ‘accept only essential
cookies’. The first option could be in a
bright colour, whilst the second is grey
to help steer the consumer to the option
that you’d like them to take - as long as
the options are clearly laid out, then you
will be ok. This box also needs to block
your website and shouldn’t be able to
be bypassed by visiting another page on
the site.
Only after the user has clicked to allow
non-essential cookies can you place
those cookies on their machine.
I’ll be keeping an eye on how the ICO
takes it from here, and weather it builds
on the proactivity already demonstrated
in 2019. Given that we’re now at the
mercy of both ICO prosecutions and
potential class action prosecutions, we
all need to consider our decisions very
carefully.
February — 33