Since 2006, 28 January has marked the anniversary of the first international law in the field of data protection – who knew?
A lot has happened since then. Data protection and privacy is now a rapidly expanding area of law of ever-increasing importance. As we head towards the second anniversary since the GDPR came into force, we review current developments and look ahead at what to expect in 2020.
Our special Data Privacy Day newsletter covers the following topics:
Originally intended to coincide with the GDPR, the introduction of the ePrivacy Regulation has been highly contentious and has met with considerable delay. Towards the end of 2019, the latest draft was rejected by the Council of Europe leading to further delays in its adoption.
The new rules would also ban cookie walls (where a website requires users to accept cookies as a condition of being able to access the website’s content).
The proposal will also continue the ban on unsolicited electronic communications by emails, SMS and automated calling machines. However, it is not yet known if this will extend to B2B communications, or simply apply to B2C marketing as at present.
The draft Regulation also introduces more stringent penalties for non-compliance, and brings the sanctions regime and the remedies available broadly into line with the GDPR.
It is uncertain what the final form of the Regulation will be. However, given the latest delay, Brexit has now intervened and so the Regulation will not be directly applicable in the UK. Despite that, it is likely that the UK will adopt the new rules as and when introduced. While the UK may be able to make its own decision on this following Brexit, if the UK does not implement the new Regulation that may stand in the way of the adequacy decision the UK needs in order to allow the free flow of data to and from the EEA. Also, the proposed extra-territorial scope of the new Regulation (like the GDPR) means that it will remain directly applicable to UK businesses targeting the EEA. Who said that after Brexit the UK will take back control of its laws?!
Meanwhile, the ICO has also published a draft direct marketing code of practice for consultation. The consultation closes on 4 March 2020 and the ICO expects to finalise it in 2020. The ICO plans to produce additional practical tools such as checklists to go alongside the code.
Some key points include:
The two lawful bases most likely to be applicable to direct marketing are consent and legitimate interests. However, where PECR applies and requires consent, then in practice consent should also be your lawful basis under the GDPR.
It is important to keep personal data accurate and up to date. It should not be kept for longer than is necessary. It is harder to rely on consent as a genuine indication of wishes as time passes.
If you are considering buying or renting direct marketing lists, you must ensure you have completed appropriate due diligence.
Profiling and enrichment activities must be done in a way that is fair, lawful and transparent.
If you are using new technologies for marketing and online advertising, it is highly likely that you will be required to conduct a data protection impact assessment (DPIA).
If someone objects you must stop processing for direct marketing purposes. You should add their details to your suppression list so that you can screen any new marketing lists against it.
Once the draft ePrivacy Regulation is finalised and the UK’s position on Brexit is clear, the ICO has indicated that it will update the direct marketing code to take account of the ePrivacy Regulation.
It is likely that the ICO will start taking enforcement action against organisations which do not follow the rules, and this could lead to fines. As such, businesses which are not yet compliant should take steps to ensure compliance now.
At a high level, the following are the main rules when using cookies on websites:
User consent must be obtained (except in relation to “strictly necessary cookies”)
The ICO confirmed that the standard of consent for using cookies is the same high standard as under the GDPR, even for cookies which do not involve the processing of personal data. This means that implied or inferred consent can no longer be relied on for cookies. For consent, a clear affirmative act is needed; pre-ticked boxes or inactivity do not constitute consent.
Websites which use non-essential cookies without specifically requiring users to consent to these when accessing a site (e.g. by specifying that continued use entails consent) are, therefore, not compliant. This also means that all non-essential cookies should be switched off by default, and that such cookies should only be set on the user’s device if and when the user consents.
“Strictly necessary cookies”, which do not require consent, are those which are essential to provide a user with the service they have requested or to comply with applicable law. Analytics cookies and advertising cookies do not fall within this exemption.
Provide clear and transparent information to users concerning the cookies you use
The ICO Guidance emphasises the need to provide users with transparent information about cookies. The information must be in accordance with the higher standards of transparency as required by the GDPR; it must be presented in a “concise, transparent, intelligible and easily accessible form, using clear and plain language”.
In relation to cookies, this means that online retailers need to review and update their cookies policies to ensure that these are drafted in a sufficiently clear and easily accessible manner for a normal user to be able to understand how the different types of cookies are being used on the website. Failure to provide clear information will breach the transparency requirement, and will also undermine any “consent” if the consent cannot be said to be sufficiently informed.
Highlighting the importance of transparency and consent, in January 2019, the French data protection regulator imposed a fine of €50 million on Google for lack of transparency, inadequate information and lack of valid consent regarding ads personalization on mobile devices. For more information on this, see further https://idatalaw.com/2019/01/25/e50m-fine-for-google-in-france/
The ICO has been investigating the adtech and real time bidding (RTB) industry over the past year. This is a huge industry and, from a compliance viewpoint, it is particularly complex due to the challenges of providing meaningful information and obtaining valid consent from users.
The ICO is concerned that the creation and sharing of personal data profiles about people, on such a large scale, is disproportionate, intrusive and unfair, particularly when people are often unaware it is happening. The key issues are:
identifying a lawful basis for the processing of personal data in RTB, as the scenarios where legitimate interests could apply are limited, and methods of obtaining consent are often insufficient;
the privacy notices provided to individuals lack clarity and do not give them full visibility of what happens to their data;
in many cases there is a reliance on contractual agreements to protect how bid request data is shared, secured and deleted. This does not seem appropriate given the type of personal data sharing and the number of intermediaries involved.
Industry bodies such as the IAB have been engaged with these issues looking for practicable solutions for some time. As a recent sign of the seriousness this is being taken in some quarters, Google recently proposed changes to its Chrome browser, including phasing out support for third party cookies within the next two years.
However, in a recent blog, the ICO has expressed frustration that many organisations involved in RTB appear to have their heads firmly in the sand.
The ICO has made it clear that those in the adtech chain cannot rely on “legitimate interests” as the lawful basis for the processing of personal data in RTB. Furthermore, they have said that the Data Protection Impact Assessments they have seen have been “generally immature, lack appropriate detail, and do not follow the ICO’s recommended steps to assess the risk to the rights and freedoms of the individual”. The ICO has indicated that they anticipate it may be necessary to take formal regulatory action in such cases. We could, therefore, see such actions in 2020.
The most effective way for organisations to avoid the need for regulatory action is to engage with the process for industry reform, and to encourage their supply chain to do the same. The ICO warns that those who have ignored the window of opportunity to engage and transform must prepare for the ICO to utilise its wider powers.
While few people fully understand what a cookie is and what a cookie can do, and many don’t much care, the subject of cookies is very much on the regulator’s radar. The Information Commissioner’s Office (ICO) receives over 100 complaints each month about cookies. Indeed, the ICO has a special page on their website with a ‘Report your cookie concerns’ tool.
The ICO has said that cookie compliance is an increasing regulatory priority for the ICO. Given that GDPR-level fines can be issued for non-compliance with cookie rules, it is now important to review what cookies you use and your policies in relation to them.
Cookies are widely used in order to make websites work, or work more efficiently, as well as to provide information to the website operator. Without cookies, or some other similar method, websites would have no way to ‘remember’ anything about visitors, such as how many items are in a shopping basket or whether they are logged in.
While we refer to cookies, it is important to bear in mind that PECR applies not only to cookies but also to “similar technologies” that store or access information on the user’s device. This includes technologies like device fingerprinting and scripts, tracking pixels and plugins. Also, the rule on cookies is not limited to traditional websites and web browsers. For example, where mobile apps communicate with websites which set cookies, PECR also covers this.
Under PECR, the cookie rule means that cookies (or similar technologies) may only be used where:
you provide the user with clear and comprehensive information about the purposes of, or access to, the information in the cookie; and
the user has given consent.
The most significant change in the ICO guidance in relation to cookies relates to areas where the GDPR has imposed higher standards in relation to what constitutes transparency and consent.
Clear and comprehensive information
The information to be provided must be in accordance with the higher standards of transparency as required by the GDPR. This requires that information be provided in a “concise, transparent, intelligible and easily accessible form, using clear and plain language”.
The ICO highlights that levels of user understanding will differ and that you need to make a particular effort to explain cookies in a way that all people will understand.
Similarly, to be valid, consent must now be in accordance with the higher standard required by the GDPR. This requires that consent means any “freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”
The GDPR specifically bans pre-ticked boxes – silence or inactivity does not constitute consent. And the ICO does not consider that browser settings can be relied on to signify consent.
In addition, you must be able to demonstrate that you have valid consent; and your consent mechanism must allow the user to withdraw their consent at any time.
“Strictly necessary” exemption
The cookie rule does not apply to cookies which are “strictly necessary” for the provision of the service requested by the user.
To benefit from this exemption, the cookie must be essential, rather than important or reasonably necessary. For example, a cookie used to remember the goods a user wishes to buy when they go to the checkout or add goods to their shopping basket is “strictly necessary” and does not need consent. “Necessary” cookies also include those which enable core functionality such as security, network management, and accessibility. On the other hand, analytics and advertising cookies will not be regarded as “strictly necessary” and require consent.
PECR and the GDPR
The GDPR regulates the processing of personal data, which is broadly defined and can include “online identifiers” such as cookies. Therefore, in some cases cookies will be classed as personal data where an individual is identifiable. In such cases, the GDPR will apply as well as PECR. This is likely to be the case where identifiers are used or combined to create profiles of individuals, even when those individuals are unnamed. However, where a cookie does not involve processing of “personal data” PECR will still apply.
To process personal data, under GDPR you must have a lawful basis. There are six lawful bases, of which consent is one. For GDPR purposes, use of personal data for marketing purposes often relies on “legitimate interests” rather than consent. However, if your cookies require consent under PECR, then where GDPR applies you must also rely on consent as the lawful basis to process personal data and you cannot rely on “legitimate interests”.
PECR applies to the storing of information, or accessing information stored, on the user’s device. It does not apply to any prior or subsequent processing operations involving this information. However, the regulator’s view is that any processing of personal data that follows (or depends on) the setting of cookies is also highly likely to require consent as its lawful basis and cannot rely on “legitimate interests”.
The ICO’s guidance indicates that consent is required, therefore, for tracking and profiling for purposes of direct marketing, behavioural advertisement, location-based advertising or tracking-based digital market research.
Third party cookies
Where you set third party cookies, you must clearly and specifically name who the third parties are and explain what they will do with the information.
Both you and the third party have a responsibility for ensuring that users are clearly informed about cookies and for obtaining consent. In practice, it is more difficult for the third party to do this where they do not have any direct contact with the user. Therefore, it is recommended that the third party include a contractual obligation in its agreements with web publishers that the publisher will provide information about the third party cookies and obtain consent.
The ICO acknowledges that the process of getting consent for third-party cookies is more complex and is one of the most challenging areas in which to achieve compliance with PECR. The ICO says that they continue to work with industry and other EU data protection authorities to assist in addressing the difficulties and finding workable solutions.
A key issue is that most people do not understand how their data is being used in the context of Adtech and there is a lack of intelligible information which risks breaching the transparency requirement of PECR and the GDPR, thereby also rendering any consent invalid for being insufficiently informed.
Again, the ICO continues to work with industry on these challenges and we can expect further guidance on this in due course.
Proposed ePrivacy Regulation and Brexit
The proposed new ePrivacy Regulation (ePR), which will replace the ePrivacy Directive on which PECR is based, is still under development. Its aim is to update and modernise PECR in the same way that the GDPR did for data protection. However, the ePR is not yet finalised and, with the 24-month grace period contained in the current draft, it is not expected that the ePR will apply in Europe before the end of 2021. Also, as it is unlikely to be finalised until after Brexit it will not automatically form part of UK law, although the UK may choose to implement a similar regulation.
So, what needs to be done now?
Following the new ICO guidance, you should now do the following:
Carry out a cookie audit to check what cookies you use, and their purposes; identify which cookies are “necessary” and which are not.
Review your cookie information (policy) and how it is provided – the obligation to provide information about cookies must be in line with the higher GDPR transparency standard. Typically, fuller and more granular information on cookies must be provided than has been the case to date.
Review your consent mechanisms:
the user must take a clear and positive action to give their consent to cookies such as ticking a box or clicking “accept” – you can no longer rely on “implied consent” and continuing to browse the website does not constitute valid consent;
you cannot use pre-ticked boxes (or equivalents such as ‘on’ sliders) for non-essential cookies;
consent must be separate from other matters and cannot be bundled into terms and conditions or privacy notices.
Use of a banner, pop-up, message bar, header bar or similar technique may be convenient, but consider the implications for the user experience across different platforms to make sure that consent requests are not unnecessarily disruptive.
You must ensure that (non-essential) cookies are not actually set until the user has given their consent.
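The steps above translate into a small piece of application logic: a register of audited cookies split into “strictly necessary” and the rest, a gate that refuses to set any non-essential cookie until an affirmative, recorded consent exists, and a withdrawal path that removes non-essential cookies already set. The following is an added illustration, not code from the newsletter or from the ICO; the cookie names, categories and third-party names in the register are made up, and an in-memory “jar” stands in for document.cookie so it runs outside a browser.

```javascript
// Added example, not from the newsletter: a consent gate that enforces the
// ICO cookie rules in application code. Non-essential cookies are off by
// default and are never set without a recorded affirmative consent; consent
// is recorded so it can be demonstrated, and can be withdrawn at any time.
// A cookie "jar" stands in for document.cookie so this runs under Node.

// Hypothetical cookie register produced by a cookie audit; names are made up.
const COOKIE_REGISTER = {
  session_id: { category: "strictly_necessary", purpose: "keeps the user logged in" },
  basket: { category: "strictly_necessary", purpose: "remembers goods in the basket" },
  csrf_token: { category: "strictly_necessary", purpose: "security: anti-CSRF token" },
  _ga: { category: "analytics", purpose: "usage statistics", thirdParty: "ExampleAnalytics Ltd" },
  ad_profile: { category: "advertising", purpose: "behavioural ads", thirdParty: "ExampleAds Inc" },
};

function memoryJar() {
  const store = new Map();
  return { set: (n, v) => store.set(n, v), get: (n) => store.get(n),
           remove: (n) => store.delete(n), names: () => [...store.keys()] };
}

class ConsentGate {
  constructor(jar, now = () => new Date().toISOString()) {
    this.jar = jar;
    this.now = now;
    this.record = null; // no consent exists until the user takes an affirmative act
  }
  // choices: { analytics: true, advertising: false, ... } as chosen by the user.
  // affirmativeAct must be true only when the user actually clicked or ticked;
  // a pre-ticked default or "continued browsing" must never call this with true.
  recordConsent(choices, { affirmativeAct, noticeVersion }) {
    if (!affirmativeAct) throw new Error("consent requires a clear affirmative act");
    const granted = {};
    for (const [cat, v] of Object.entries(choices)) if (v === true) granted[cat] = true;
    this.record = { granted, noticeVersion, at: this.now() }; // demonstrable record
    return this.record;
  }
  withdrawConsent() { // withdrawal also removes every non-essential cookie already set
    this.record = null;
    for (const name of this.jar.names()) {
      const meta = COOKIE_REGISTER[name];
      if (!meta || meta.category !== "strictly_necessary") this.jar.remove(name);
    }
  }
  canSet(name) {
    const meta = COOKIE_REGISTER[name];
    if (!meta) return false; // unregistered cookie: it failed the audit, refuse it
    if (meta.category === "strictly_necessary") return true; // exempt from consent
    return this.record !== null && this.record.granted[meta.category] === true;
  }
  setCookie(name, value) {
    if (!this.canSet(name)) return false;
    this.jar.set(name, value);
    return true;
  }
}
```

The gate only controls what is stored on the device; the prose above is clear that any subsequent profiling that depends on those cookies still needs its own lawful basis, which in practice is also consent.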
Please contact us for assistance with your cookie review.
Nigel Miller is a partner in the commerce & technology team at City law firm Fox Williams LLP and is a Certified Information Privacy Professional (CIPP/E). Nigel can be contacted at firstname.lastname@example.org