The UK’s Information Commissioner's Office (ICO) has set clear guidelines for website operators regarding cookie consent under the Privacy and Electronic Communications Regulations (PECR). Following these guidelines is not only a legal necessity in the UK but also a way to build trust with your end-users.
In this article, we provide an overview of the core principles of a consent message that complies with the UK ICO's guidelines and how the Sourcepoint platform can be leveraged to support that compliance. Review the following sections to learn more about the UK ICO guidelines:
- Requirement for valid consent: Freely given, specific, informed, and unambiguous
- Right to refuse and withdraw consent
- Record keeping and accountability
Requirement for valid consent: Freely given, specific, informed, and unambiguous
The ICO, in line with GDPR standards, mandates that consent must be a freely given, specific, informed, and unambiguous indication of the user's wishes. This is the foundation of a compliant consent banner.
| Standard | Description |
| --- | --- |
| Freely given | End-users must have a genuine choice and the consent message cannot present a “take it or leave it” ultimatum where access to the website is denied if they do not consent. |
| Unambiguous | Implied consent (e.g., "by continuing to use this site, you agree to cookies") is not valid. End-users must take a clear, affirmative action to signal their consent. |
| Specific and informed | End-users need to know exactly what they are consenting to. This requires providing clear information about the types of cookies your organization is using and their purpose. |
The above standards are all supported within the Sourcepoint platform and should be adhered to when configuring ICO-compliant messages.
Right to refuse and withdraw consent
The ICO emphasizes that it must be as easy for an end-user to refuse consent as it is to accept it. It is also a fundamental right for end-users to withdraw their consent at any time.
| Standard | Description |
| --- | --- |
| Equally easy to accept and reject | Your organization's consent message must not make it more difficult or time-consuming to reject cookies than to accept them. For instance, a single-click Accept All button should be accompanied by a single-click Reject All or Continue without accepting button on the first layer of the banner. |
| Easy withdrawal | End-users must be able to change their mind at any time. A compliant consent message includes a persistent link or icon (such as a Privacy Settings link in the footer) that allows end-users to easily re-open the consent message and update their choices. |
As a convenience, Sourcepoint provides clients with a system template called UK ICO IAB TCFv2 that has the above setup configured.
Additionally, as with any message on the Sourcepoint platform, your organization can add a code snippet onto your page or mobile project to resurface your consent message so that end-users can update their choices.
Record keeping and accountability
The ICO expects organizations to demonstrate accountability by keeping records of consent, and this is a core function of a consent management platform (CMP).
| Standard | Description |
| --- | --- |
| Proof of consent | When your organization uses the Sourcepoint platform for consent messages, we automatically collect and store a secure, time-stamped record of each end-user’s consent decision. This includes the specific date, time, and choices made. |
| Audit trail | This data provides a complete audit trail, which can be essential for proving compliance to the ICO in the event of an inquiry or complaint. |