New data protection standards call for care homes to check ‘cookie’ consent

New standards for the use of website ‘cookies’ and similar technologies have been published by the Information Commissioner’s Office.

The Privacy and Electronic Communications Regulations (PECR) also cover an organisation’s access to information stored via such technologies on equipment such as a computer or mobile device.

According to legal firm DLA Piper, the General Data Protection Regulation has indirectly imposed higher standards for cookie usage – in particular what constitutes valid consent and transparency.

Care homes with websites using cookies are now advised to conduct a cookie audit, in order to understand the full range of cookies they use, and their purposes, and identify those cookies that require PECR consent. DLA Piper suggests that “in the majority of cases it is likely that remedial work will be required to both the consent mechanism itself, as well as to the underlying cookie policy or notice.”

The firm says the key takeaways for care homes with websites are as follows:

  1. That consent obtained for the purposes of setting cookies must be ‘consent’ as defined by the GDPR. What this means in practice is:
    1. a clear positive action – continuing to browse the website is not valid;
    2. granularity – the ability to consent to cookies used for some purposes, but not others; and
    3. no pre-ticked boxes or sliders set to ‘on’ – the default option for non-essential cookies must be ‘off’.
  2. A strong indication that, if consent is required to set the cookie under PECR, then consent should also be the lawful basis under the GDPR for the collection of any personal data by the cookie. Obtaining a cookie consent but citing ‘legitimate interests’ as the GDPR basis will in most cases not be possible.
  3. In many cases, consent should also be the GDPR basis for the subsequent processing of personal data after its initial collection by the cookie – particularly if that processing is for the purposes of profiling, behavioural analysis or targeted advertising.
  4. ‘Cookie walls’ (i.e. conditioning access to a site or service on consent to certain cookies) are prohibited if they prevent access to the website in general. However, it may be possible to condition access to specific services on consent to certain cookies.
  5. ‘Settings-led’ or ‘features-led’ consent may be possible – where the choice to use particular settings or features (e.g. choosing local language website version) is integrated with consent to the supporting cookies, provided this is explained clearly.
  6. Subscribers vs. users – in some circumstances, it may be appropriate to accept the cookie preferences of the telecommunications subscriber over those of the user. For example, an employer (the subscriber) mandating particular settings on a work device issued to an employee (the user).
  7. The obligation to provide information about the purposes for which cookies are used must align with GDPR transparency standards (i.e. “concise, transparent, intelligible and easily accessible form, using clear and plain language”). Many cookie policies and pop-up notices will fail this standard.
  8. Companies setting third party cookies (commonly used for advertising (re)targeting and tracking purposes) must be specifically named.
  9. The exemptions from the requirement for cookie consent under PECR become much more significant, given that they represent a ‘safe harbour’ from these stricter requirements. There is helpful, detailed guidance on the types of cookies which may benefit from the ‘communication’ and ‘strictly necessary’ exemptions.
  10. User preferences have a shelf life – after a period of time website operators should re-consent their users. It is unclear how to determine a reasonable period of time in practice.

The ICO has, unsurprisingly, confirmed that its approach to enforcement will prioritise the use of cookies which are perceived to cause a high level of intrusiveness – for which we can read those that support user tracking, advertising and behavioural profiling, rather than those used for general analytics or to improve the look or feel of a website.

