While few people fully understand what a cookie is and what a cookie can do, and many don’t much care, the subject of cookies is very much on the regulator’s radar. The Information Commissioner’s Office (ICO) receives over 100 complaints each month about cookies. Indeed, the ICO has a special page on their website with a ‘Report your cookie concerns‘ tool.
The ICO has said that cookie compliance is an increasing regulatory priority for the ICO. Given that GDPR-level fines can be issued for non-compliance with cookie rules, it is now important to review what cookies you use and your policies in relation to them.
Cookies are widely used in order to make websites work, or work more efficiently, as well as to provide information to the website operator. Without cookies, or some other similar method, websites would have no way to ‘remember’ anything about visitors, such as how many items are in a shopping basket or whether they are logged in.
While we refer to cookies, it is important to bear in mind that PECR applies not only to cookies but also to “similar technologies” that store or access information on the user’s device. This includes technologies like device fingerprinting and scripts, tracking pixels and plugins. Also, the rule on cookies is not limited to traditional websites and web browsers. For example, where mobile apps communicate with websites which set cookies PECR also covers this.
- you provide the user with clear and comprehensive information about the purposes of, or access to, the information in the cookie; and
- the user has given consent.
The most significant change in the ICO guidance in relation to cookies relates to areas where the GDPR has imposed higher standards in relation to what constitutes transparency and consent.
Clear and comprehensive information
The information to be provided must be in accordance with the higher standards of transparency as required by the GDPR. This requires that information be “concise, transparent, intelligible and easily accessible form, using clear and plain language”.
The ICO highlights that levels of user understanding will differ and that you need to make a particular effort to explain cookies in a way that all people will understand.
Similarly, to be valid, consent must now be in accordance with the higher standard required by the GDPR. This requires that consent means any “freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”
The GDPR specifically bans pre-ticked boxes – silence or inactivity does not constitute consent. And the ICO does not consider that browser settings can be relied on to signify consent.
In addition, you must be able to demonstrate that you have valid consent; and your consent mechanism must allow the user to withdraw their consent at any time.
“Strictly necessary” exemption
The cookie rule does not apply to cookies which are “strictly necessary” for the provision of the service requested by the user.
To benefit from this exemption, the cookie must be essential, rather than important or reasonably necessary. For example, a cookie used to remember the goods a user wishes to buy when they go to the checkout or add goods to their shopping basket is “strictly necessary” and does not need consent. “Necessary” cookies also include those which enable core functionality such as security, network management, and accessibility. On the other hand, analytics and advertising cookies will not be regarded as “strictly necessary” and require consent.
PECR and the GDPR
The GDPR regulates the processing of personal data, which is broadly defined and can include “online identifiers” such as cookies. Therefore, in some cases cookies will be classed as personal data where an individual is identifiable. In such cases, the GDPR will apply as well as PECR. This is likely to be the case where identifiers are used or combined to create profiles of individuals, even when those individuals are unnamed. However, where a cookie does not involve processing of “personal data” PECR will still apply.
To process personal data, under GDPR you must have a lawful basis. There are six lawful bases, of which consent is one. For GDPR purposes, use of personal data for marketing purposes often relies on “legitimate interests” rather than consent. However, if your cookies require consent under PECR, then where GDPR applies you must also rely on consent as the lawful basis to process personal data and you cannot rely on “legitimate interests”.
PECR applies to the storing of information, or accessing information stored, on the user’s device. It does not apply to any prior or subsequent processing operations involving this information. However, the regulator’s view is that any processing of personal data that follows (or depends on) the setting of cookies is also highly likely to require consent as its lawful basis and cannot rely on “legitimate interests”.
The ICO’s guidance indicates that consent is required, therefore, for tracking and profiling for purposes of direct marketing, behavioural advertisement, location-based advertising or tracking-based digital market research.
Third party cookies
Where you set third party cookies, you must clearly and specifically name who the third parties are and explain what they will do with the information.
Both you and the third party have a responsibility for ensuring that users are clearly informed about cookies and for obtaining consent. In practice, it is more difficult for the third party to do this where they do not have any direct contact with the user. Therefore, it is recommended that the third party include a contractual obligation into its agreements with web publishers that the publisher will provide information about the third party cookies and obtain consent.
The ICO acknowledges that the process of getting consent for third-party cookies is more complex and is one of the most challenging areas in which to achieve compliance with PECR. The ICO says that they continue to work with industry and other EU data protection authorities to assist in addressing the difficulties and finding workable solutions.
A key issue is that most people do not understand how their data is being used in the context of Adtech and there is a lack of intelligible information which risks breaching the transparency requirement of PECR and the GDPR, thereby also rendering any consent invalid for being insufficiently informed.
Again, the ICO continues to work with industry on these challenges and we can expect further guidance on this in due course.
Proposed ePrivacy Regulation and Brexit
The proposed new ePrivacy Regulation (ePR), which will replace the ePrivacy Directive on which PECR is based, is still under development. Its aim is to update and modernise PECR in the same way that the GDPR did for data protection. However, the ePR is not yet finalised and, with the 24-month grace period contained in the current draft, it is not expected that the ePR will apply in Europe before the end of 2021. Also, as it is unlikely to be finalised until after Brexit it will not automatically form part of UK law, although the UK may choose to implement a similar regulation.
So, what needs to be done now?
Following the new ICO guidance, you should now do the following:
- Carry out a cookie audit to check what cookies you use, and their purposes; identify which cookies are “necessary” and which are not.
- Review your cookie information (policy) and how it is provided – the obligation to provide information about cookies must be in line with the higher GDPR transparency standard. Typically, fuller and more granular information on cookies must be provided than has been the case to date.
- Review your consent mechanisms:
- the user must take a clear and positive action to give their consent to cookies such as ticking a box or clicking “accept” – you can no longer rely on “implied consent” and continuing to browse the website does not constitute valid consent;
- you cannot use pre-ticked boxes (or equivalents such as ‘on’ sliders) for non-essential cookies;
- consent must be separate from other matters and cannot be bundled into terms and conditions or privacy notices.
- Use of a banner, pop-up, message bar, header bar or similar technique may be convenient, but consider implications for the user experience across different platforms to make sure that consent requests are not be unnecessarily disruptive.
- You must ensure that (non-essential) cookies are not actually set until the user has given their consent.
Please contact us for assistance with your cookie review.
Nigel Miller is a partner in the commerce & technology team at City law firm Fox Williams LLP and is a Certified Information Privacy Professional (CIPP/E). Nigel can be contacted at email@example.com