The UK’s Information Commissioner’s Office (ICO) upholds data and information rights for the public within the United Kingdom. The ICO’s role is to both promote openness within the public bodies and to uphold data privacy for individuals.
The ICO is responsible for enforcing relevant data protection regulations, including The Data Protection Act (DPA), the General Data Protection Regulation (GDPR), the Freedom of Information Act, Privacy and Electronic Communications (PECR), and Environmental Information Regulations.
Any organization that processes the personal information within the UK or of UK residents must register with the ICO, as per the Data Protection Act. The ICO then publishes the names and addresses of data collectors. Any organization that processes personal data and fails to register with the ICO is breaking the law.
Following ICO Guidance
The ICO recently introduced additional guidance on how data collectors are to use cookies or data tracking technology and provided an update in directors for complying with the PECR and GDPR.
Anyone who violates the Data Protection Act or is found in breach of the terms of the PECR is subject to a fine of l500,000. The more serious breaches can result in direct action or possible enforcement.
Key Points of ICO Guidance
Implied Consent Is No Longer Enough – Your website’s banner needs to be clear and direct regarding the cookies that will be set. The user must take positive action to consent to any cookie that is deemed non-essential. Any cookie deemed strictly necessary in providing service to the user does not require consent.
These ‘Strictly Necessary’ Exemptions Changed – Companies must now be clear with users about their purpose for storing personal data and within their request for consent. For example, cookies that remember shopping cart items would be considered necessary. Website analytics or third-party advertising cookies would not meet this exemption.
Important Points About ICO Guidance
- The ICO builds public trust that businesses and organizations will use any personal information collected in a fair and responsible manner.
- Organizations need to comply with the ICO guidance if the data is being used for any reason other than personal, family, or household purposes.
- ICO guidance relies on a flexible and risk-based approach, which puts the responsibility on the organization to consider the purpose of data use.
- The ICO is the UK’s data protection agency and offers advice and guidance on how to comply. This is in addition to the role of considering complaints, monitoring compliance, and taking necessary enforcement action when necessary.
Who is Under ICO Jurisdiction?
The ICO doesn’t clearly define who their guidance applies to, but they could be following the same rules as given through the GDPR’s ePrivacy. This means that it would apply to the use of cookies carried out by a controller or processer monitoring the personal data or information of UK residents.
The law applies to any processing of personal data and pertains to most businesses or organizations, no matter their size. Processing of data includes collecting, recording, storing, using, analyzing, combining, disclosing, or deleting it.
If the information is being used for personal, family, or household purposes, then compliance is not required. Some examples include personal social media activity, private letters, emails, or the use of household technology devices.
How to Follow Consent Guidance
- The circumstances and purpose for the processing of personal data need to be established.
- Consent to data tracking needs to be specific, freely given, and unambiguous before the use of any cookies.
- Organizations need to name all parties that will rely on the user’s consent to place cookies and collect personal information.
- Companies must offer a way to easily withdraw consent.
- Evidence of consent must be kept by the company in the form of a consent log.
Personal Data Under the ICO
Personal data is defined in broad scope by the ICO as any data about a living individual. In a business sense, this could include customers, clients, employees, partners, members, supporters, contacts, public officials, or any specific member of the public.
Even information that can be considered widely public could be considered personal data. If you could identify the person from the details, or by combining it with other information, it could still qualify. The ICO guidance excludes paper records unless there is a plan to digitize them or file them in any way. Unfiled papers or notes won’t qualify.
The ICO’s Flexible Approach
Every organization is different and has different requirements. The regulations can be applied to both large and small businesses alike, across varying situations. Because of this flexibility, organizations need to be thoughtful about how they process personal data. There is often more than one way to comply.
The ICO website includes tools and resources to help companies comply with the new guidance regulations.
Using CookieScript to Comply with ICO Guidance
Compliance with data protection laws such as the new ICO guidance can become a complex endeavor for businesses and organizations within the UK. Knowledge of the new laws and where you fit in is critical, but so is having the right toolset to manage the cookies and data tracking on your website.
Third-Party Cookies and data trackers can make their way onto your website without your prior knowledge and pose compliance issues with any data privacy regulation. That’s when it helps to have reliable cookie tracking software that you can trust. It helps to have a full understanding of the situation so that you can take all appropriate action to assure that you are in compliance with all relevant laws.
The CookieScript platform allows businesses and organizations to remain in full compliance with the ICO guidance while maintaining user-friendly options for monitoring cookie and data tracking. It can help with tasks such as website scanning, consent management, consent logs, and more. CookieScript allows users to create customized consent banners that require users to take positive action for individual cookies.
CookieScript can be fully integrated into today’s most popular website building and hosting programs including WordPress, Shopify, Squarespace, Wix, and more. Look at the pricing plans for CookieScript and create your account today to help maintain compliance with ICO guidance!
Frequently Asked Questions
What is the UK’s Information Commissioner’s Office?
The Information Commissioner’s Office (ICO) is responsible for data privacy regulation within the United Kingdom. They work to build the trust of the public through responsible use of personal data while working with organizations to enforce data privacy laws.
Who needs to register with the ICO?
Any organization that processes the personal data of UK residents, or from within the UK will need to register with the ICO, as per the Data Protection Act. The ICO then publishes the names of data collectors.
What’s involved in following ICO guidance?
Businesses need to be transparent in their request to collect certain personal data, and in their purposes for doing so. Organizations will also need to name all parties that will have access to personal data collected, and web users need a way to withdraw consent. Businesses also must use consent logs.
Who falls under ICO jurisdiction?
The ICO is vague on this point but may follow the GDPRs privacy regulations. This would put any data controller or processor handling data regarding UK residents within the ICO’s jurisdiction. The law pertains to businesses of all sizes.
What does the ICO do?
The ICO functions as the main data protection agency serving the residents of the United Kingdom. They offer advice and guidance for organizations on how to comply with their guidance and relevant European data regulation. This is in addition to the role of considering complaints, monitoring compliance, and taking necessary enforcement action when necessary.
How does the ICO define personal data?
The ICO loosely defines personal data as any data about a living individual. It can still be public data that businesses or organizations still collect for their use.