In short, and irrespective of whether or not the website is processing any personal data, a website is only allowed to set a cookie on a user’s device if:
- the cookie is strictly necessary; or
- the user of the website has given their consent.
If personal data is being processed on the website then the normal rules of the GDPR will also apply.
A “strictly necessary cookie” has a high threshold: it is a cookie that is either (i) necessary for technical purposes to allow a communication to take place; or (ii) necessary to provide a service that the user has explicitly requested. Common examples of “strictly necessary” cookies are session cookies used to maintain a shopping basket, or a security cookie (for example, one used to authenticate the user) for a service the user has requested. Convenience for the website operator is not enough to meet this threshold.
What does this mean in practice?
- Cookie Walls – the lawful use of cookie walls by websites will be difficult and require careful thought. Blanket approaches, e.g. “by continuing to use this website you are agreeing to cookies” will not be valid as consent must be “freely given.”
- Analytics Cookies – the use of analytics cookies is not strictly necessary and requires users’ consent.
- Third Party Cookies – the use of third party cookies will almost always require consent (especially adtech and social media cookies). This raises difficult questions over who is responsible for obtaining the consent (i.e. the website owner or the third party operator) and how it can lawfully be obtained. It will also require the third parties to be explicitly named, and an explanation of how each third party uses those cookies will need to be provided to the user. This is a complex area, and further light may be shed on how websites should approach this compliance issue at the conclusion of the ICO’s investigation into the adtech sector.