Time to review cookie compliance

Nigel Miller

While few people fully understand what a cookie is and what a cookie can do, and many don’t much care, the subject of cookies is very much on the regulator’s radar. The Information Commissioner’s Office (ICO) receives over 100 complaints each month about cookies. Indeed, the ICO has a special page on its website with a ‘Report your cookie concerns’ tool.

Since the General Data Protection Regulation (GDPR) came into effect in May 2018, there has been uncertainty about how it applies to cookies. The use of cookies is regulated by the Privacy and Electronic Communications Regulations (PECR) and the GDPR may apply as well. In addition, some of PECR’s key concepts now link to the GDPR – such as the standard of consent.

As a result, the ICO has recently issued new guidance on the use of cookies. This changes the previous understanding of what is required to comply with PECR and makes compliance more onerous. And to make sure they are compliant, the ICO has added a cookie control mechanism to their own website to reflect the new guidance.

The ICO has said that cookie compliance is an increasing regulatory priority for the ICO. Given that GDPR-level fines can be issued for non-compliance with cookie rules, it is now important to review what cookies you use and your policies in relation to them.

Cookies

Cookies are widely used in order to make websites work, or work more efficiently, as well as to provide information to the website operator. Without cookies, or some other similar method, websites would have no way to ‘remember’ anything about visitors, such as how many items are in a shopping basket or whether they are logged in.

While we refer to cookies, it is important to bear in mind that PECR applies not only to cookies but also to “similar technologies” that store or access information on the user’s device. This includes technologies like device fingerprinting and scripts, tracking pixels and plugins. Also, the rule on cookies is not limited to traditional websites and web browsers. For example, where mobile apps communicate with websites which set cookies, PECR also covers this.

PECR

PECR applies to the use of cookies and similar technologies for storing information, and accessing information stored, on a user’s equipment such as a computer or mobile device.

PECR provides that you cannot use cookies unless:

  1. you provide the user with clear and comprehensive information about the purposes of, or access to, the information in the cookie; and
  2. the user has given consent.

The most significant change in the ICO guidance in relation to cookies relates to areas where the GDPR has imposed higher standards in relation to what constitutes transparency and consent.

Clear and comprehensive information

The information to be provided must meet the higher standards of transparency required by the GDPR. This requires that information be provided “in a concise, transparent, intelligible and easily accessible form, using clear and plain language”.

The ICO highlights that levels of user understanding will differ and that you need to make a particular effort to explain cookies in a way that all people will understand.

Consent

Similarly, to be valid, consent must now be in accordance with the higher standard required by the GDPR. This requires that consent means any “freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”.

The GDPR specifically bans pre-ticked boxes – silence or inactivity does not constitute consent. And the ICO does not consider that browser settings can be relied on to signify consent.

In addition, you must be able to demonstrate that you have valid consent; and your consent mechanism must allow the user to withdraw their consent at any time.

“Strictly necessary” exemption

The cookie rule does not apply to cookies which are “strictly necessary” for the provision of the service requested by the user.

To benefit from this exemption, the cookie must be essential, rather than important or reasonably necessary. For example, a cookie used to remember the goods a user wishes to buy when they go to the checkout or add goods to their shopping basket is “strictly necessary” and does not need consent. “Necessary” cookies also include those which enable core functionality such as security, network management, and accessibility. On the other hand, analytics and advertising cookies will not be regarded as “strictly necessary” and require consent.

PECR and the GDPR

The GDPR regulates the processing of personal data, which is broadly defined and can include “online identifiers” such as cookies. Therefore, in some cases cookies will be classed as personal data where an individual is identifiable. In such cases, the GDPR will apply as well as PECR. This is likely to be the case where identifiers are used or combined to create profiles of individuals, even when those individuals are unnamed. However, where a cookie does not involve processing of “personal data” PECR will still apply.

To process personal data, under GDPR you must have a lawful basis. There are six lawful bases, of which consent is one. For GDPR purposes, use of personal data for marketing purposes often relies on “legitimate interests” rather than consent. However, if your cookies require consent under PECR, then where GDPR applies you must also rely on consent as the lawful basis to process personal data and you cannot rely on “legitimate interests”.

PECR applies to the storing of information, or accessing information stored, on the user’s device. It does not apply to any prior or subsequent processing operations involving this information. However, the regulator’s view is that any processing of personal data that follows (or depends on) the setting of cookies is also highly likely to require consent as its lawful basis and cannot rely on “legitimate interests”.

The ICO’s guidance indicates that consent is required, therefore, for tracking and profiling for purposes of direct marketing, behavioural advertisement, location-based advertising or tracking-based digital market research.

Third party cookies

Where you set third party cookies, you must clearly and specifically name who the third parties are and explain what they will do with the information.

Both you and the third party have a responsibility for ensuring that users are clearly informed about cookies and for obtaining consent. In practice, it is more difficult for the third party to do this where it has no direct contact with the user. Therefore, it is recommended that the third party include a contractual obligation in its agreements with web publishers that the publisher will provide information about the third party cookies and obtain consent.

The ICO acknowledges that the process of getting consent for third-party cookies is more complex and is one of the most challenging areas in which to achieve compliance with PECR. The ICO says that they continue to work with industry and other EU data protection authorities to assist in addressing the difficulties and finding workable solutions.

Adtech

In a related exercise, the ICO has also recently published a report on Adtech and real time bidding (RTB), and the use of cookies in that context. The ICO indicates that it is not appropriate to rely on “legitimate interests” to deliver targeted ads using cookies and similar tracking technologies. Where consent is required for the cookies, then consent is the appropriate lawful basis under the GDPR.

A key issue is that most people do not understand how their data is being used in the context of Adtech and there is a lack of intelligible information which risks breaching the transparency requirement of PECR and the GDPR, thereby also rendering any consent invalid for being insufficiently informed.

Again, the ICO continues to work with industry on these challenges and we can expect further guidance on this in due course.

Non-EU organisations

While PECR does not apply to organisations operating outside Europe, to the extent that the use of cookies and similar technologies involves the processing of personal data, the GDPR may apply. If you are based outside Europe but you offer goods or services to customers in Europe, then you will need to comply with the GDPR. This means that you will need to comply with the GDPR requirements in respect of the information you provide to users and obtain consent to cookies where personal data is involved.

Proposed ePrivacy Regulation and Brexit

The proposed new ePrivacy Regulation (ePR), which will replace the ePrivacy Directive on which PECR is based, is still under development. Its aim is to update and modernise PECR in the same way that the GDPR did for data protection. However, the ePR is not yet finalised and, with the 24-month grace period contained in the current draft, it is not expected that the ePR will apply in Europe before the end of 2021. Also, as it is unlikely to be finalised until after Brexit it will not automatically form part of UK law, although the UK may choose to implement a similar regulation.

So, what needs to be done now?

Following the new ICO guidance, you should now do the following:

  • Carry out a cookie audit to check what cookies you use, and their purposes; identify which cookies are “necessary” and which are not.
  • Review your cookie information (policy) and how it is provided – the obligation to provide information about cookies must be in line with the higher GDPR transparency standard. Typically, fuller and more granular information on cookies must be provided than has been the case to date.
  • Review your consent mechanisms:
    • the user must take a clear and positive action to give their consent to cookies such as ticking a box or clicking “accept” – you can no longer rely on “implied consent” and continuing to browse the website does not constitute valid consent;
    • you cannot use pre-ticked boxes (or equivalents such as ‘on’ sliders) for non-essential cookies;
    • consent must be separate from other matters and cannot be bundled into terms and conditions or privacy notices.
  • Use of a banner, pop-up, message bar, header bar or similar technique may be convenient, but consider the implications for the user experience across different platforms to make sure that consent requests are not unnecessarily disruptive.
  • You must ensure that (non-essential) cookies are not actually set until the user has given their consent.
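The checklist above, together with the “strictly necessary” exemption and the third-party naming requirement discussed earlier, maps onto a small amount of client-side logic: an audited cookie inventory, a consent record that starts with nothing pre-ticked, a single write path that refuses to set a non-essential cookie without a recorded opt-in, and a withdrawal path that removes cookies already set. The following is an added illustration written for this page; it is not code from the post, the ICO or any cookie-banner product. The cookie names, vendor names, category labels and the policy version string are all assumptions, and a `Map` stands in for `document.cookie` so it runs in Node.

```javascript
// Constructed cookie inventory for an imaginary shop site. The names, vendor
// names and 'category' labels are assumptions for this example, not a list
// taken from the ICO guidance.
const COOKIE_INVENTORY = [
  { name: 'session_id',    category: 'strictly-necessary', purpose: 'keeps the user logged in' },
  { name: 'basket',        category: 'strictly-necessary', purpose: 'remembers goods added to the basket' },
  { name: 'csrf_token',    category: 'strictly-necessary', purpose: 'security: request-forgery protection' },
  { name: '_analytics_id', category: 'analytics',   purpose: 'site usage statistics', thirdParty: 'ExampleAnalytics Ltd' },
  { name: '_ad_id',        category: 'advertising', purpose: 'targeted advertising',  thirdParty: 'ExampleAds Inc' },
];

const CONSENT_COOKIE = 'cookie_consent';
const POLICY_VERSION = '2019-07'; // assumed version label of the cookie notice shown to the user

// Every purpose other than 'strictly-necessary' is gated behind an opt-in.
const NON_ESSENTIAL = [...new Set(
  COOKIE_INVENTORY.filter(c => c.category !== 'strictly-necessary').map(c => c.category)
)];

// The audit step: which cookies need consent, and which third parties the
// cookie notice must name.
function auditInventory(inventory = COOKIE_INVENTORY) {
  const requiresConsent = inventory.filter(c => c.category !== 'strictly-necessary');
  return {
    requiresConsent: requiresConsent.map(c => c.name),
    thirdParties: [...new Set(requiresConsent.filter(c => c.thirdParty).map(c => c.thirdParty))],
  };
}

class ConsentManager {
  // `jar` is a Map standing in for document.cookie so the example runs offline.
  constructor(jar = new Map()) {
    this.jar = jar;
    this.byName = new Map(COOKIE_INVENTORY.map(c => [c.name, c]));
  }

  // What the banner renders from: every non-essential purpose starts unticked.
  // Silence or continued browsing leaves this unchanged.
  defaultChoices() {
    return Object.fromEntries(NON_ESSENTIAL.map(p => [p, false]));
  }

  // Called only from an explicit 'save preferences' / 'accept' click. A purpose
  // counts as agreed only when answered with the boolean true; anything else
  // (missing, 'yes', 1) is treated as a refusal.
  recordConsent(choices, now = Date.now()) {
    const record = { version: POLICY_VERSION, timestamp: now, choices: this.defaultChoices() };
    for (const purpose of NON_ESSENTIAL) {
      if (choices[purpose] === true) record.choices[purpose] = true;
    }
    this.jar.set(CONSENT_COOKIE, JSON.stringify(record));
    return record;
  }

  // The evidence that consent was given: the stored record, or null if none.
  consentRecord() {
    const raw = this.jar.get(CONSENT_COOKIE);
    return raw ? JSON.parse(raw) : null;
  }

  hasConsent(category) {
    if (category === 'strictly-necessary') return true; // exempt from the consent rule
    const record = this.consentRecord();
    // Consent recorded against an older notice does not carry over to a new one.
    return !!record && record.version === POLICY_VERSION && record.choices[category] === true;
  }

  // The only path that writes a cookie. It refuses unless the cookie is in the
  // audited inventory and its category has a recorded opt-in.
  setCookie(name, value) {
    const entry = this.byName.get(name);
    if (!entry) throw new Error(`cookie '${name}' is not in the audited inventory`);
    if (!this.hasConsent(entry.category)) return false;
    this.jar.set(name, value);
    return true;
  }

  // Withdrawal at any time: update the record and drop any cookies already set
  // for that purpose.
  withdraw(category, now = Date.now()) {
    const record = this.consentRecord() || this.recordConsent({}, now);
    record.choices[category] = false;
    record.timestamp = now;
    this.jar.set(CONSENT_COOKIE, JSON.stringify(record));
    for (const c of COOKIE_INVENTORY) {
      if (c.category === category) this.jar.delete(c.name);
    }
    return record;
  }
}
```

In a real page, `setCookie` would be the only function allowed to touch `document.cookie`, and third-party tags (the analytics and advertising scripts) would be loaded from inside a `hasConsent(...)` check rather than unconditionally in the page head, since a script that runs before the banner is answered will usually set its cookies itself.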

Please contact us for assistance with your cookie review.

Nigel Miller is a partner in the commerce & technology team at City law firm Fox Williams LLP and is a Certified Information Privacy Professional (CIPP/E). Nigel can be contacted at nmiller@foxwilliams.com


€50m fine for Google in France

Nigel Miller

On 21 January 2019, the French data protection authority, the CNIL, imposed an eye-watering €50m penalty on Google under the GDPR. Side-stepping the €20m maximum, the CNIL issued a turnover-related fine, highlighting that the maximum possible fine under the GDPR is €20m or 4% of global annual turnover, whichever is the greater.

The investigation was initiated as a result of complaints made within days of the GDPR coming into effect in May 2018. The complaints were from the associations None Of Your Business (“NOYB”) and La Quadrature du Net (“LQDN”), mandated by 10,000 people to refer the matter to the CNIL.

The case concerns personalised ads on smart phone devices using the Android operating system with a Google account. The regulator found two types of breaches of the GDPR. First, a lack of transparency, and second a lack of valid consent regarding the targeted ads.

Transparency

The requirement for transparency goes to the heart of the GDPR and applies to all processing.

The CNIL looked at the information and process a user goes through when setting up the account. It found that the information provided by Google is not easily accessible. Essential information, such as the purposes of the processing, data storage periods and the categories of personal data used for ads personalisation, is disseminated across several documents. In particular, the information is not clear enough for a user to understand that the legal basis of processing for ads personalisation is consent, and not the legitimate interest of Google.

Meanwhile, the processing operations are “massive and intrusive” because of the number of services offered (e.g. Google Search, YouTube, Google Home, Google Maps, Play Store, Google Pictures…), and the amount and the nature of the data processed and combined.

Lack of a legal basis

The GDPR also requires a legal basis for processing. “Consent” is one of the possible legal bases, and the GDPR significantly raised the bar for obtaining a valid consent.

The CNIL decided that the user’s consent is not validly obtained for two reasons. First, the consent is not sufficiently informed: a lack of transparency is fatal to obtaining a valid consent. Second, the collected consent is neither “specific” nor “unambiguous”. The user gives his or her consent for all processing operations together, whereas the GDPR regards consent as “specific” only if it is given distinctly for each purpose, i.e. a separate consent for each separate processing operation.

Google has said it will appeal the decision.

The case highlights the imperative of, as well as the difficulties in, obtaining a valid consent especially in the complex and mystifying world of targeted advertising where presentation of transparent intelligible information to a user in order to inform consent is challenging.

Nigel Miller is a partner in the commerce & technology team at City law firm Fox Williams LLP and can be contacted at nmiller@foxwilliams.com