Time to review cookie compliance

Nigel Miller
Nigel Miller

While few people fully understand what a cookie is and what a cookie can do, and many don’t much care, the subject of cookies is very much on the regulator’s radar. The Information Commissioner’s Office (ICO) receives over 100 complaints each month about cookies. Indeed, the ICO has a special page on their website with a ‘Report your cookie concerns‘ tool.

Since the General Data Protection Regulation (GDPR) came into effect in May 2018, there has been uncertainty about how it applies to cookies. The use of cookies is regulated by the Privacy and Electronic Communications Regulations (PECR) and the GDPR may apply as well. In addition, some of PECR’s key concepts now link to the GDPR – such as the standard of consent.

As a result, the ICO has recently issued new guidance on the use of cookies. This changes the previous understanding of what is required to comply with PECR and makes compliance more onerous. And to make sure they are compliant, the ICO has added a cookie control mechanism to their own website to reflect the new guidance.

The ICO has said that cookie compliance is an increasing regulatory priority for the ICO. Given that GDPR-level fines can be issued for non-compliance with cookie rules, it is now important to review what cookies you use and your policies in relation to them.


Cookies are widely used in order to make websites work, or work more efficiently, as well as to provide information to the website operator. Without cookies, or some other similar method, websites would have no way to ‘remember’ anything about visitors, such as how many items are in a shopping basket or whether they are logged in.

While we refer to cookies, it is important to bear in mind that PECR applies not only to cookies but also to “similar technologies” that store or access information on the user’s device. This includes technologies like device fingerprinting and scripts, tracking pixels and plugins. Also, the rule on cookies is not limited to traditional websites and web browsers. For example, where mobile apps communicate with websites which set cookies PECR also covers this.


PECR applies to the use of cookies and similar technologies for storing information, and accessing information stored, on a user’s equipment such as a computer or mobile device.

PECR provides that you cannot use cookies unless:

  1. you provide the user with clear and comprehensive information about the purposes of, or access to, the information in the cookie; and
  2. the user has given consent.

The most significant change in the ICO guidance in relation to cookies relates to areas where the GDPR has imposed higher standards in relation to what constitutes transparency and consent.

Clear and comprehensive information

The information to be provided must be in accordance with the higher standards of transparency as required by the GDPR. This requires that information be “concise, transparent, intelligible and easily accessible form, using clear and plain language”.

The ICO highlights that levels of user understanding will differ and that you need to make a particular effort to explain cookies in a way that all people will understand.


Similarly, to be valid, consent must now be in accordance with the higher standard required by the GDPR. This requires that consent means any “freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

The GDPR specifically bans pre-ticked boxes – silence or inactivity does not constitute consent. And the ICO does not consider that browser settings can be relied on to signify consent.

In addition, you must be able to demonstrate that you have valid consent; and your consent mechanism must allow the user to withdraw their consent at any time.

“Strictly necessary” exemption

The cookie rule does not apply to cookies which are “strictly necessary” for the provision of the service requested by the user.

To benefit from this exemption, the cookie must be essential, rather than important or reasonably necessary. For example, a cookie used to remember the goods a user wishes to buy when they go to the checkout or add goods to their shopping basket is “strictly necessary” and does not need consent. “Necessary” cookies also include those which enable core functionality such as security, network management, and accessibility. On the other hand, analytics and advertising cookies will not be regarded as “strictly necessary” and require consent.

PECR and the GDPR

The GDPR regulates the processing of personal data, which is broadly defined and can include “online identifiers” such as cookies. Therefore, in some cases cookies will be classed as personal data where an individual is identifiable. In such cases, the GDPR will apply as well as PECR. This is likely to be the case where identifiers are used or combined to create profiles of individuals, even when those individuals are unnamed. However, where a cookie does not involve processing of “personal data” PECR will still apply.

To process personal data, under GDPR you must have a lawful basis. There are six lawful bases, of which consent is one. For GDPR purposes, use of personal data for marketing purposes often relies on “legitimate interests” rather than consent. However, if your cookies require consent under PECR, then where GDPR applies you must also rely on consent as the lawful basis to process personal data and you cannot rely on “legitimate interests”.

PECR applies to the storing of information, or accessing information stored, on the user’s device. It does not apply to any prior or subsequent processing operations involving this information. However, the regulator’s view is that any processing of personal data that follows (or depends on) the setting of cookies is also highly likely to require consent as its lawful basis and cannot rely on “legitimate interests”.

The ICO’s guidance indicates that consent is required, therefore, for tracking and profiling for purposes of direct marketing, behavioural advertisement, location-based advertising or tracking-based digital market research.

Third party cookies

Where you set third party cookies, you must clearly and specifically name who the third parties are and explain what they will do with the information.

Both you and the third party have a responsibility for ensuring that users are clearly informed about cookies and for obtaining consent. In practice, it is more difficult for the third party to do this where they do not have any direct contact with the user. Therefore, it is recommended that the third party include a contractual obligation into its agreements with web publishers that the publisher will provide information about the third party cookies and obtain consent.

The ICO acknowledges that the process of getting consent for third-party cookies is more complex and is one of the most challenging areas in which to achieve compliance with PECR. The ICO says that they continue to work with industry and other EU data protection authorities to assist in addressing the difficulties and finding workable solutions.


In a related exercise, the ICO has also recently published a report on Adtech and real time bidding (RTB), and the use of cookies in that context. The ICO indicates that it is not appropriate to rely on “legitimate interests” to deliver targeted ads using cookies and similar tracking technologies. Where consent is required for the cookies, then consent is the appropriate lawful basis under the GDPR.

A key issue is that most people do not understand how their data is being used in the context of Adtech and there is a lack of intelligible information which risks breaching the transparency requirement of PECR and the GDPR, thereby also rendering any consent invalid for being insufficiently informed.

Again, the ICO continues to work with industry on these challenges and we can expect further guidance on this in due course.

Non-EU organisations

While PECR does not apply to organisations operating outside Europe, to the extent that the use of cookies and similar technologies involves the processing of personal data, the GDPR may apply. If you are based outside Europe but you offer goods or services to customers in Europe, then you will need to comply with the GDPR. This means that you will need to comply with the GDPR requirements in respect of the information you provide to users and obtain consent to cookies where personal data is involved.

Proposed ePrivacy Regulation and Brexit

The proposed new ePrivacy Regulation (ePR), which will replace the ePrivacy Directive on which PECR is based, is still under development. Its aim is to update and modernise PECR in the same way that the GDPR did for data protection. However, the ePR is not yet finalised and, with the 24-month grace period contained in the current draft, it is not expected that the ePR will apply in Europe before the end of 2021. Also, as it is unlikely to be finalised until after Brexit it will not automatically form part of UK law, although the UK may choose to implement a similar regulation.

So, what needs to be done now?

Following the new ICO guidance, you should now do the following:

  • Carry out a cookie audit to check what cookies you use, and their purposes; identify which cookies are “necessary” and which are not.
  • Review your cookie information (policy) and how it is provided – the obligation to provide information about cookies must be in line with the higher GDPR transparency standard. Typically, fuller and more granular information on cookies must be provided than has been the case to date.
  • Review your consent mechanisms:
    • the user must take a clear and positive action to give their consent to cookies such as ticking a box or clicking “accept” – you can no longer rely on “implied consent” and continuing to browse the website does not constitute valid consent;
    • you cannot use pre-ticked boxes (or equivalents such as ‘on’ sliders) for non-essential cookies;
    • consent must be separate from other matters and cannot be bundled into terms and conditions or privacy notices.
  • Use of a banner, pop-up, message bar, header bar or similar technique may be convenient, but consider implications for the user experience across different platforms to make sure that consent requests are not be unnecessarily disruptive.
  • You must ensure that (non-essential) cookies are not actually set until the user has given their consent.

Please contact us for assistance with your cookie review.

Nigel Miller is a partner in the commerce & technology team at City law firm Fox Williams LLP and is a Certified Information Privacy Professional (CIPP/E). Nigel can be contacted at nmiller@foxwilliams.com



ICO intends to fine British Airways £183.39m

Laura Monro
Laura Monro

The ICO announced yesterday its intention to fine BA £183 million.

This will be the first fine imposed by the ICO since the GDPR came into force – it relates to a cyber security incident during 2018 which led to the names, addresses and payment card details of approximately 500,000 BA passengers being compromised. The ICO says that BA had failed to put in place appropriate measures to keep the personal data secure.

This is not a fine as yet. Before a fine is imposed, the ICO issues a notice of intent to fine a particular amount (in this case, £183m). BA now has the opportunity to make final representations in the hope of getting the amount reduced before it is imposed.

Laura Monro is a senior associate in the commerce & technology team at City law firm Fox Williams LLP and can be contacted at lmonro@foxwilliams.com 

Ten top tips for DSARs: What do employers need to know when responding to Data Subject Access Requests?

Helen Farr
Helen Farr
Daisy Jones
Daisy Jones

We’re now one year on from the introduction of the General Data Protection Regulation (“GDPR”) and one of the consequences for our clients has been a significant rise in the number of data subject access requests (“DSARs”) made by employees. By making a DSAR, current and former employees can obtain all their “personal data” held by their employer. As personal data is information that relates to an identifiable individual, employers hold significant amounts of personal data about their staff.

DSARs are notoriously time-consuming to manage and, under the GDPR, the time period employers have to respond has been reduced to one month from the longer period of 40 days that applied under the old regime.

Given the increase in number of requests and the shorter period for a response we set out below 10 top tips to help employers if and when they receive a request:

1. Create a protocol so that your business can respond within one month

In today’s electronic world, employees generate significant amounts of material which is likely to contain their personal data and which will need to be collated, reviewed and processed before your business can respond to a DSAR. Doing all of this within the short deadline of one month can be difficult, so having an agreed protocol in place which outlines the steps you will take to respond to a DSAR can help save precious time. A protocol should include an allocation of responsibilities and the steps which must be taken to comply with a request.

Although it is possible in exceptional circumstances to notify the employee, within a month of receiving the DSAR, that you require three months to reply, the circumstances when an extension of time may be justified are rare. The exceptional circumstances apply to complex requests or to repeated requests from the same employee. However, these circumstances will apply rarely. Remember that your employee can challenge your decision to extend time to the ICO (Information Commissioner’s Office).

2. Train your staff

Your staff need to understand the importance of dealing promptly with DSARs. This will include who within your business should be notified once a DSAR is received and, if they are responsible for responding to the request, how it should be managed. Crucially relevant staff need to be trained on these points

3. Try to narrow the scope of the request

Often employees will be interested in very specific material when they submit a DSAR. For example, if they are participating in a grievance or disciplinary process or have recently had their employment terminated, there are likely to be particular documents they want to read. The scope of the request may be clear from the initial request. However, if it isn’t clear consider having a conversation with the person making the request about what they want and whether the request can be narrowed. Doing so should help to ensure you can respond within 30 days and only give the employee the personal data they really want. Of course this isn’t always possible.

4. Consider using a bespoke platform to manage the DSAR

It can be helpful to use bespoke electronic platforms to manage DSARs as these will often have specific functionality to assist with running searches, identifying relevant documents and carrying out redaction. This can be very useful particularly for larger DSARs, which can otherwise be very difficult to manage on an employer’s normal IT platform. Employers should discuss this with their IT provider and make sure that their systems are fit for purpose.

5. Use appropriate search terms and do a sample review before undertaking a full review

Once you know what you are looking for, consider using search terms to generate an initial set of results. This might be the employee’s name (or variations on it) plus key words and date ranges which are likely to generate personal data, taking account of the scope of the request. Once you have created an initial set of results, carry out a sample review to make sure that the results are largely relevant. Depending on the search that you’ve carried out, you might have generated a lot of false positives which could be removed by a further refinement to your search terms before you conduct a full review.

6 .Carry out a full review to ensure that the results contain personal data

Just because an individual’s name is mentioned in a document doesn’t necessarily mean that the document contains personal data. Make sure that you understand the test for personal data and apply it to your search results appropriately. Remember, personal data is information which relates to an identifiable individual.

7. Use the exemptions

When analysing the personal data, review the documents for those that are exempt from disclosure. You may need to take advice on this but the exemptions include references given or received, management forecasting or planning, information about negotiating intentions – perhaps in relation to a settlement agreement, third party information or information that may be subject to legal professional privilege.

8. Allow enough time for redaction

Once you have produced an initial set of results containing the employee’s personal data, you will need to review the material to see if anything needs to be redacted. In particular, you should ensure that any privileged material or personal data of other individuals is redacted before the response is sent to the employee.

9. Allow enough time to send the response

Depending on how the DSAR was submitted and the size of the response, you may need to provide a hard copy and/or electronic response. If you’re going to provide an electronic response, consider whether you will share the response on an electronic platform (and, if so, which one will you use) or whether you will email the response (in which case, ensure you have the right email address and that the attachments are small enough to be sent through any relevant firewalls).

10. Create an audit trail

If an employee is dissatisfied with the response they receive to a DSAR they may complain about it to the Information Commissioner or a court or tribunal. If they do so, it will be important that you can demonstrate the steps you took to respond to the DSAR so as to minimise the risk of sanctions being applied.

How we can help

We regularly advise our clients on how to respond to DSARs and often work through these steps with them. If you’d like more information about the services we provide or if you have any questions arising out of this article, please contact us.


Helen Farr is a partner, and Daisy Jones is a senior associate, in our HR law team.

No-deal Brexit – the effect on data flows

Nigel Miller
Nigel Miller

Following the overwhelming rejection of Theresa May’s Brexit deal on 15 January 2019, the possibility of a no-deal Brexit continues to be a real risk and many businesses are looking at what they need to do to prepare for this.

A key consideration is to ensure that data flows with group companies, partners and vendors can be legally maintained. In this connection, if the UK does exit Europe without a transitional arrangement, what will be the position in relation to data flows to and from the UK?

What does the GDPR say?

The GDPR prohibits transfers of personal data from the European Economic Area (the EU plus Norway, Liechtenstein and Iceland) (“EEA”) to a country outside the EEA (referred to in the GDPR as a “third country”) unless:

  • that third country has been deemed “adequate” by a European Commission adequacy decision (for example, Switzerland has adequacy status); or
  • one of a number of legal safeguards has been put in place beforehand. For most EU businesses transferring personal data to third countries which do not have “adequacy” status, the most convenient legal safeguard used is the standard contractual clauses (or “SCCs”) which is a set out standard data protection clauses prescribed by the EU and entered into between the data transferor (in the EEA) and the data recipient (in the relevant third country).

Will the GDPR still apply?

The GDPR is here to stay post-Brexit regardless of whether there is a deal or no deal. This is because, on the day the UK leaves the EU, most of the EU law (including the GDPR) which applied prior to the UK leaving the EU will be converted into UK law. In addition, the new Data Protection Act 2018 (“DPA 2018”), which supplements the GDPR, will continue to apply in the UK regardless of the outcome.

What about transfers of data from UK to EEA?

When the UK leaves the EU, the UK will be become a “third country”. The UK government has stated that, post-Brexit, UK businesses will continue to be able to send personal data from the UK to the EEA. Having said that, it has also said that the “UK would keep this under review”. Therefore, unless otherwise indicated by the UK government in future, the continued free flow of personal data from UK business to the EEA will continue.

What about transfers of data from EEA to UK?

The position is not the same in respect of data transferred from the EEA to the UK.

While the UK government has indicated its intentions to begin discussions on an adequacy decision for the UK, the European Commission has not yet given a timetable for this and have stated that a decision on adequacy cannot be taken until the UK is a third country. In any event, such decisions typically take many years to conclude. Therefore, for the time being, EU organisations will need to implement one of the appropriate legal safeguards (the SCCs usually being the most convenient option) in order to continue to transfer personal data to businesses in the UK.

What about transfers of data from UK to other territories?

In relation to transfers from the UK to other territories, the EU’s existing decisions on adequacy and SCCs that were in place on Brexit day can continue to be used after Brexit to ensure the free flow of data. Longer term, these adequacy decisions and SCCs will fall under the responsibility of and will be reviewed by the UK ICO rather than the European Data Protection Board.

Other issues to consider

Aside from the issue of international data transfers, there are some other issues to consider upon the UK exiting EU:

  • If you market to EU consumers, or you monitor the behaviour of individuals located in the EU, you will need to comply with both the UK data protection regime and the EU regime after the UK exits the EU, due to the extra-territorial reach of the GDPR. This carries with it the potential for regulatory actions including fines from both EEA authorities and the ICO, in the event of a data breach or infringement of data laws.
  • The GDPR requires a controller or processor not established in the EEA to designate a “representative” within the EEA in certain circumstances where they are processing the personal data of data subjects who are in the EEA. This is not a straightforward matter; the “representative” is a separate role to a data protection officer and may assume some direct compliance responsibility.
  • Likewise, controllers that are based outside the EU but that target UK customers (and are therefore subject to the UK GDPR) will be required to appoint a UK representative.
  • As well as dealing with the UK ICO, you may have to deal with European supervisory authorities in every EEA and EU state where individuals are affected. You may no longer be able to have a “lead authority” and benefit from the One-Stop-Shop. The One-Stop-Shop means you can deal with a single European supervisory authority rather than every supervisory authority in every EEA and EU state where individuals are affected.
  • Privacy notices may need to be updated in relation to international transfers and the appointment of a representative.


We are advising a number of clients on preparations for a no-deal Brexit. Contact us to explore how we can assist you.

Nigel Miller is a partner in the commerce & technology team at City law firm Fox Williams LLP and can be contacted at nmiller@foxwilliams.com 

GDPR’s territorial reach: how far does it go?

Arjum MajumdarInternational businesses headquartered outside the EU but doing business in the EU need to know if EU data protection laws apply to them in order to avoid compliance problems and the possibility of significant fines.

The starting point is the territorial scope of the EU General Data Protection Regulation (“GDPR”). Virtually all European businesses will fall within the scope of the GDPR. However, the question as to whether the GDPR applies to an organisation outside the EU is not always straightforward.

On 23 November 2018, the European Data Protection Board (“EDPB”) – an independent European body that is composed of representatives of national data protection authorities – published guidelines to help shed some light on the GDPR’s territorial scope.

The guidelines were open for public consultation until 18 January 2019 and so they are not the final version. Therefore, the existing version of the guidelines should be applied in the meantime, albeit with a degree of caution, to provide some insight as to what sort of factors international businesses should be considering when determining the extent to which the GDPR applies to them.

In this article, we discuss the EDPB’s territorial scope guidelines and highlight key points.

Determining the territorial scope of the GDPR

The GDPR applies to the processing of personal data in the context of the activities of an establishment of an organisation in the EU, regardless of whether the processing takes place in the EU or not.

This is the “establishment test”.

However, the GDPR also applies to the processing of personal data of people who are in the EU by an organisation not established in the EU, where the processing activities are related to either:

  • the offering of goods or services (free or charged) to those persons in the EU (we shall refer to this as the “targeting test”); or
  • the monitoring of their behaviour where their behaviour takes place in the EU (and we shall refer to this as the “monitoring test”).

Therefore, in order for the GDPR to apply to your business, either the establishment test, targeting test or monitoring test would need to be satisfied.

The establishment test

The establishment test is essentially split into two sub-tests:

Establishment: The GDPR does not define “establishment”. However the Recitals, together with EU case law, clarify that an establishment implies “real” and “effective” activity – even a minimal one – exercised through “stable arrangements”.

The threshold for “stable arrangement” can be quite low, particularly in the context of online services (although this does not at all mean that mere access to a website in the EU constitutes establishment). In some circumstances, the presence of a single employee or agent in the EU may be sufficient where that agent or employee acts with a sufficient degree of stability.

Context of activities: To satisfy this test, there must be an inextricable link between the activities of the EU establishment and the processing of data carried out by the non-EU counterpart. If there is an inextricable link, then the GDPR will apply to that processing by the non-EU entity, whether or not the EU establishment plays a role in the data processing.

Therefore, non-EU organisations should assess each of their data processing activities and determine whether there are any potential links between the processing activity and the activities of any presence of the organisation in the EU.

If the above two tests are satisfied, then the GDPR will apply. This is regardless of whether the processing takes place in the EU or not.  Moreover, the residence or geographical location of the individual (whose data is being processed) is irrelevant.

The targeting test

An organisation with no establishment in the EU may still be caught by the GDPR if it meets the targeting test.

An organisation could be directly subject to the GDPR if it processes the personal data of individuals who are in the EU, where the processing activities are related to the offering of goods or services to those individuals.

The Recitals to the GDPR state that the “mere accessibility” of the business’ website, of an email address or other contact details or the use of a generally-used language in the country in which the business is domiciled would be “insufficient” in and of itself to conclude that the business is offering services to individuals in the EU.

The EDPB guidelines list a number of factors to take into consideration when determining whether goods or services are offered to individuals in the EU. These include the following activities (via the internet or otherwise):

  • the designation (or “singling out”) of the EU or at least one Member State of the EU by name;
  • launching marketing and advertising campaigns directed at an EU country audience;
  • paying a search engine operator for an internet referencing service to facilitate access to its site by people in the EU;
  • the international nature of the activity at issue;
  • the mention of an international clientele composed of clients domiciled in various EU Member States; and
  • the use of different languages or currencies.

Each activity on its own may not amount to a clear indication that the business offers goods or services to individuals in the EU. However, each factor should be taken into account to determine whether the business’ activities constitute the offer of services to individuals in the EU.

The monitoring test

An organisation outside the EU may also be caught by the GDPR if it is monitoring individuals’ behaviour where their behaviour takes place in the EU.

The Recitals state that in order to determine whether a processing activity can be considered to monitor the behaviour of individuals, it should be ascertained whether the individuals are tracked on the internet. Tracking on the internet includes “potential subsequent use of personal data processing techniques which consist of profiling a natural person, particularly in order to take decisions concerning her or him or for analysing or predicting her or his personal preferences, behaviours and attitudes”.

The EDPB guidelines also say that while the Recital exclusively relates to the monitoring of behaviour through the tracking of a person on the internet, it considers that tracking through other types of network or technology should also be taken into account, for example through wearable and other smart devices.

The guidelines suggest that the use of the word “monitoring” implies that the business has a specific purpose in mind for the collection and subsequent reuse of the relevant data about an individual’s behaviour within the EU. The EDPB does not consider, on the other hand, that any online collection or analysis of personal data of individuals in the EU would automatically count as “monitoring”. It is instead necessary to consider the business’ purpose for processing the data and, in particular, the subsequent behavioural analysis or profiling techniques involving that data. The guidelines also set out a non-exhaustive list of the sort of activities which would constitute monitoring which includes behavioural advertising, online tracking through the use of cookies, CCTV, market surveys, geo-localisation activities and other tracking techniques.

Therefore, international businesses should review their website tracking activity and uses of automated analytical tools (such as cookies to track website usage). It is possible that these activities fall within the scope of the GDPR to the extent that the information collected is capable of identifying individuals.

What if the targeting test or monitoring test is satisfied?

The business would be required to designate an EU representative in accordance with the requirements of the GDPR. This person or company would act as the main contact for any questions and concerns regarding data protection in the EU. The appointment of an EU representative does not have the effect of creating an establishment and meeting the establishment test.

Controller or processor

The GDPR draws a distinction between a data controller – which determines the purposes and means of the processing of personal data (that is, the “how” and “why” personal data is processed) – and a data processor which processes personal data on behalf of, or on the instruction of, the data controller.

The EDPB guidelines emphasise the importance of this distinction, particularly when assessing the territorial scope of the GDPR. When determining whether the GDPR applies, the above three tests would need to be undertaken with each legal entity. A processor in the EU is not considered to be an establishment of a data controller based outside the EU. In such a scenario, the processor would be required to comply with its requirements under the GDPR (due to its establishment in the EU) but the controller would not.

The opposite also applies: if a controller is based in the EU and uses a processor outside the EU, the controller will be subject to the GDPR but the processor will not be. However, in this scenario, the controller would be required to ensure that its processor will meet certain requirements (including that there is a written agreement with GDPR-compliant clauses) which effectively means that the processor would be caught by the GDPR, albeit indirectly.


The EDPB draft guidelines do not contain all the answers and, for many businesses, the answer to the question “does the GDPR apply to us?” may still not be straightforward despite the guidelines.  It is possible that the guidelines’ shortcomings will be addressed in the final text. However, there is no guarantee that the final text will be any clearer.

In the meantime, international businesses need to adopt a systematic approach and review all of their data processing activities. In doing so, the above tests will then need to be applied to determine which of those activities might be caught by the GDPR. Where your business consists of a group of multiple entities, the tests should be applied to each entity within the group. Having done this, you can then move forward in determining which divisions of your business, if any, require a GDPR-compliance programme.


Arjun Majumdar is an associate in the commerce & technology team at City law firm Fox Williams LLP and can be contacted at amajumdar@foxwilliams.com