ICO cookie rules, COVID-19 and what it all means

We are living through exceptional times, and thinking about whether your website cookie policy is compliant is probably quite low down on your priority list.

Fortunately, if you haven’t already updated the cookie policy on your website in line with the latest ICO rules, you still have enough time to make your website compliant. Phew!

In response to the global health pandemic COVID-19, the ICO has suggested a degree of flexibility will be given to organisations around compliance of the cookie rules. They have acknowledged the current health situation with a pragmatic and empathetic response. You can read that response from the ICO here.

This will come as good news for charities and not-for-profit organisations in the short-term. Now that you can relax a little, we’ll explain why the rules are important, how cookies impact your website and users, and what you need to do.

What are cookies?

Cookies are small files that might be downloaded to your computer when you visit a website. They help to remember bits of information that the website can use to identify your preferences.

The first type of cookies is ‘necessary cookies’. These are required by the website to remember data about you and ensure the website works as intended. Examples of these might be remembering log-in details or what you’ve put in your shopping basket. You can’t turn these cookies off, as the website may stop working.

Next are the analytics cookies, which collect and report on how you use a website, such as recording the number of people visiting, how long they browse and which pages they visit. This data is anonymised – you can’t be personally identified by the information gathered. Websites collect this data to see how people use their site, which allows them to make improvements with the aim of helping you use the site more effectively.

The final type is marketing cookies. These allow companies to track the websites and content you visit across the internet, sharing the data for advertising purposes. These cookies are used to build up a profile about you and your interests that can be used by any affiliated site to suggest content or products that you may be interested in. The combination of data collected may be able to personally identify you.

Who is the ICO and what are their rules on cookies?

The Information Commissioner’s Office (ICO) is the UK’s independent body for upholding information rights in the UK. They set and enforce the rules on privacy and electronic communications. In July 2019, the ICO published new rules around the use of websites cookies. You can read the rules here. Their guidance states that organisations must provide “clear and comprehensive information” about how an organisation uses cookies on its website.

The new guidance makes an important distinction between types of cookies and how they should be handled.

Essential and non-essential cookies

Cookies are considered essential if they are ‘strictly necessary’ for the website to function. For example, cookies that load pages correctly or that protect customers’ online bank details.

Non-essential cookies include analytics and marketing cookies. These can help you collect useful data on your website users, but this information isn’t essential for the website to function.

What do the rules say?

If a cookie isn’t essential – users must consent to its use before it can run on the website. This has several consequences:

  1. When users first access a website, ‘non-essential’ cookies must be turned off. The user has to opt-in to their usage.
  2. When users are asked to accept or reject ‘non-essential’ cookies, neither option can be privileged over the other.
  3. If users don’t opt-in to ‘non-essential’ cookies, they must still be given access to the website.

What this means for your website

At the moment many websites adopt blanket policies, lumping essential and non-essential cookies together. Cookies are already active when users first arrive at a website, and if they refuse cookies, they are often blocked from accessing the website.

This approach is not permitted under the new rules so many cookie policies need updating. The ICO has made it clear that ‘cookie compliance will be an increasing regulatory priority’ – this includes enforcement and potential fines for breaching the rules.

Next steps

As mentioned, the exceptional circumstances presented by COVID-19 should give you some more time to implement the changes needed to make your cookie policy compliant. The ICO is operating with more flexibility at the moment, which gives you some breathing space to take the necessary steps.

These new rules have potentially far-reaching implications. If you’re unsure how they might affect your website, we can guide you through any changes that need to be made for your website.

Fat Beehive can’t offer legal advice, but if you’d like to discuss your options and our approach, feel free to contact them on [email protected] and they’d be happy to chat!