Time to review cookie compliance

Nigel Miller

While few people fully understand what a cookie is and what a cookie can do, and many don’t much care, the subject of cookies is very much on the regulator’s radar. The Information Commissioner’s Office (ICO) receives over 100 complaints each month about cookies. Indeed, the ICO has a special page on its website with a ‘Report your cookie concerns’ tool.

Since the General Data Protection Regulation (GDPR) came into effect in May 2018, there has been uncertainty about how it applies to cookies. The use of cookies is regulated by the Privacy and Electronic Communications Regulations (PECR) and the GDPR may apply as well. In addition, some of PECR’s key concepts now link to the GDPR – such as the standard of consent.

As a result, the ICO has recently issued new guidance on the use of cookies. This changes the previous understanding of what is required to comply with PECR and makes compliance more onerous. And to make sure they are compliant, the ICO has added a cookie control mechanism to their own website to reflect the new guidance.

The ICO has said that cookie compliance is an increasing regulatory priority for the ICO. Given that GDPR-level fines can be issued for non-compliance with cookie rules, it is now important to review what cookies you use and your policies in relation to them.

Cookies

Cookies are widely used in order to make websites work, or work more efficiently, as well as to provide information to the website operator. Without cookies, or some other similar method, websites would have no way to ‘remember’ anything about visitors, such as how many items are in a shopping basket or whether they are logged in.

While we refer to cookies, it is important to bear in mind that PECR applies not only to cookies but also to “similar technologies” that store or access information on the user’s device. This includes technologies like device fingerprinting and scripts, tracking pixels and plugins. Also, the rule on cookies is not limited to traditional websites and web browsers. For example, where mobile apps communicate with websites which set cookies PECR also covers this.

PECR

PECR applies to the use of cookies and similar technologies for storing information, and accessing information stored, on a user’s equipment such as a computer or mobile device.

PECR provides that you cannot use cookies unless:

  1. you provide the user with clear and comprehensive information about the purposes of, or access to, the information in the cookie; and
  2. the user has given consent.

The most significant change in the ICO guidance in relation to cookies relates to areas where the GDPR has imposed higher standards in relation to what constitutes transparency and consent.

Clear and comprehensive information

The information to be provided must meet the higher standard of transparency required by the GDPR. This requires that information be provided in a “concise, transparent, intelligible and easily accessible form, using clear and plain language”.

The ICO highlights that levels of user understanding will differ and that you need to make a particular effort to explain cookies in a way that all people will understand.

Consent

Similarly, to be valid, consent must now meet the higher standard required by the GDPR. Under the GDPR, consent means any “freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”.

The GDPR specifically bans pre-ticked boxes – silence or inactivity does not constitute consent. And the ICO does not consider that browser settings can be relied on to signify consent.

In addition, you must be able to demonstrate that you have valid consent; and your consent mechanism must allow the user to withdraw their consent at any time.

“Strictly necessary” exemption

The cookie rule does not apply to cookies which are “strictly necessary” for the provision of the service requested by the user.

To benefit from this exemption, the cookie must be essential, rather than important or reasonably necessary. For example, a cookie used to remember the goods a user wishes to buy when they go to the checkout or add goods to their shopping basket is “strictly necessary” and does not need consent. “Necessary” cookies also include those which enable core functionality such as security, network management, and accessibility. On the other hand, analytics and advertising cookies will not be regarded as “strictly necessary” and require consent.

PECR and the GDPR

The GDPR regulates the processing of personal data, which is broadly defined and can include “online identifiers” such as cookies. Therefore, in some cases cookies will be classed as personal data where an individual is identifiable. In such cases, the GDPR will apply as well as PECR. This is likely to be the case where identifiers are used or combined to create profiles of individuals, even when those individuals are unnamed. However, where a cookie does not involve processing of “personal data” PECR will still apply.

To process personal data, under GDPR you must have a lawful basis. There are six lawful bases, of which consent is one. For GDPR purposes, use of personal data for marketing purposes often relies on “legitimate interests” rather than consent. However, if your cookies require consent under PECR, then where GDPR applies you must also rely on consent as the lawful basis to process personal data and you cannot rely on “legitimate interests”.

PECR applies to the storing of information, or accessing information stored, on the user’s device. It does not apply to any prior or subsequent processing operations involving this information. However, the regulator’s view is that any processing of personal data that follows (or depends on) the setting of cookies is also highly likely to require consent as its lawful basis and cannot rely on “legitimate interests”.

The ICO’s guidance indicates that consent is required, therefore, for tracking and profiling for purposes of direct marketing, behavioural advertisement, location-based advertising or tracking-based digital market research.

Third party cookies

Where you set third party cookies, you must clearly and specifically name who the third parties are and explain what they will do with the information.

Both you and the third party have a responsibility for ensuring that users are clearly informed about cookies and for obtaining consent. In practice, it is more difficult for the third party to do this where they do not have any direct contact with the user. Therefore, it is recommended that the third party include a contractual obligation into its agreements with web publishers that the publisher will provide information about the third party cookies and obtain consent.

The ICO acknowledges that the process of getting consent for third-party cookies is more complex and is one of the most challenging areas in which to achieve compliance with PECR. The ICO says that they continue to work with industry and other EU data protection authorities to assist in addressing the difficulties and finding workable solutions.

Adtech

In a related exercise, the ICO has also recently published a report on Adtech and real time bidding (RTB), and the use of cookies in that context. The ICO indicates that it is not appropriate to rely on “legitimate interests” to deliver targeted ads using cookies and similar tracking technologies. Where consent is required for the cookies, then consent is the appropriate lawful basis under the GDPR.

A key issue is that most people do not understand how their data is being used in the context of Adtech and there is a lack of intelligible information which risks breaching the transparency requirement of PECR and the GDPR, thereby also rendering any consent invalid for being insufficiently informed.

Again, the ICO continues to work with industry on these challenges and we can expect further guidance on this in due course.

Non-EU organisations

While PECR does not apply to organisations operating outside Europe, to the extent that the use of cookies and similar technologies involves the processing of personal data, the GDPR may apply. If you are based outside Europe but you offer goods or services to customers in Europe, then you will need to comply with the GDPR. This means that you will need to comply with the GDPR requirements in respect of the information you provide to users and obtain consent to cookies where personal data is involved.

Proposed ePrivacy Regulation and Brexit

The proposed new ePrivacy Regulation (ePR), which will replace the ePrivacy Directive on which PECR is based, is still under development. Its aim is to update and modernise PECR in the same way that the GDPR did for data protection. However, the ePR is not yet finalised and, with the 24-month grace period contained in the current draft, it is not expected that the ePR will apply in Europe before the end of 2021. Also, as it is unlikely to be finalised until after Brexit it will not automatically form part of UK law, although the UK may choose to implement a similar regulation.

So, what needs to be done now?

Following the new ICO guidance, you should now do the following:

  • Carry out a cookie audit to check what cookies you use, and their purposes; identify which cookies are “necessary” and which are not.
  • Review your cookie information (policy) and how it is provided – the obligation to provide information about cookies must be in line with the higher GDPR transparency standard. Typically, fuller and more granular information on cookies must be provided than has been the case to date.
  • Review your consent mechanisms:
    • the user must take a clear and positive action to give their consent to cookies such as ticking a box or clicking “accept” – you can no longer rely on “implied consent” and continuing to browse the website does not constitute valid consent;
    • you cannot use pre-ticked boxes (or equivalents such as ‘on’ sliders) for non-essential cookies;
    • consent must be separate from other matters and cannot be bundled into terms and conditions or privacy notices.
  • Use of a banner, pop-up, message bar, header bar or similar technique may be convenient, but consider the implications for the user experience across different platforms to make sure that consent requests are not unnecessarily disruptive.
  • You must ensure that (non-essential) cookies are not actually set until the user has given their consent.
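As an added illustration (not code from the article), a minimal consent-gated cookie layer in JavaScript that applies the review points above: non-essential cookies are blocked until an explicit affirmative action, the default banner state is all-off, consent is logged so it can be demonstrated, and withdrawal removes non-essential cookies already set. The cookie inventory, category names and the Map-based cookie store are assumptions made so the code runs outside a browser.

```javascript
// Added example (not from the article): a consent-gated cookie layer
// demonstrating the PECR review points. The cookie inventory below is a
// constructed audit result, and the Map-based store stands in for the
// browser cookie jar so the code runs in Node without a DOM; both are
// assumptions.

// Constructed cookie audit: each cookie, its purpose and its category.
const COOKIE_AUDIT = {
  session_id: { category: "strictly_necessary", purpose: "keeps the user logged in" },
  basket: { category: "strictly_necessary", purpose: "remembers items in the shopping basket" },
  site_analytics: { category: "analytics", purpose: "audience measurement (hypothetical third party)" },
  ad_profile: { category: "advertising", purpose: "behavioural advertising (hypothetical third party)" },
};

// Categories that need PECR consent; anything else must be "strictly necessary".
const NON_ESSENTIAL = ["analytics", "advertising"];

// Only a clear affirmative action can signify consent; scrolling or
// continuing to browse is explicitly rejected.
const AFFIRMATIVE_ACTIONS = new Set(["click_accept", "click_save_choices"]);

class ConsentManager {
  constructor(store = new Map()) {
    this.store = store;   // cookie jar (Map stand-in for document.cookie)
    this.consent = null;  // null until the user decides; never assumed
    this.evidence = [];   // log kept so that consent can be demonstrated
  }

  // Initial banner state: every non-essential category is off (no pre-ticked
  // boxes or "on" sliders). Strictly necessary cookies are not offered as a
  // choice because they do not need consent.
  static defaultChoices() {
    return Object.fromEntries(NON_ESSENTIAL.map((c) => [c, false]));
  }

  // Record the user's choices. Only an explicit `true` per category counts;
  // a missing or falsy value is treated as "not consented".
  recordConsent(choices, action, at = new Date().toISOString()) {
    if (!AFFIRMATIVE_ACTIONS.has(action)) {
      throw new Error(`"${action}" is not a clear affirmative action`);
    }
    const granted = ConsentManager.defaultChoices();
    for (const category of NON_ESSENTIAL) {
      granted[category] = choices[category] === true;
    }
    this.consent = granted;
    this.evidence.push({ at, action, granted: { ...granted } });
    return granted;
  }

  // Withdrawal must be possible at any time and must take effect on cookies
  // already set: all non-essential cookies are deleted. Returns the count removed.
  withdrawConsent(at = new Date().toISOString()) {
    this.consent = ConsentManager.defaultChoices();
    this.evidence.push({ at, action: "withdraw", granted: { ...this.consent } });
    let removed = 0;
    for (const [name, entry] of Object.entries(COOKIE_AUDIT)) {
      if (entry.category !== "strictly_necessary" && this.store.delete(name)) removed++;
    }
    return removed;
  }

  // Gate every cookie write on the audit and on the consent state. Returns
  // true if the cookie was set, false if it was blocked pending consent.
  setCookie(name, value) {
    const entry = COOKIE_AUDIT[name];
    if (!entry) {
      // An unaudited cookie cannot be classified, so it is never set.
      throw new Error(`cookie "${name}" is not in the cookie audit`);
    }
    if (entry.category === "strictly_necessary") {
      this.store.set(name, value);
      return true;
    }
    if (this.consent === null || this.consent[entry.category] !== true) {
      return false; // non-essential cookie: not set until consent is given
    }
    this.store.set(name, value);
    return true;
  }
}

// Walk through the lifecycle once; returns the observations so they can be checked.
function demo() {
  const cm = new ConsentManager();
  const out = {};
  out.necessaryBeforeConsent = cm.setCookie("session_id", "s1");      // true
  out.analyticsBeforeConsent = cm.setCookie("site_analytics", "a1");  // false
  let rejected = false;
  try { cm.recordConsent({ analytics: true }, "continued_browsing"); } catch { rejected = true; }
  out.browsingRejected = rejected;                                     // true
  cm.recordConsent({ analytics: true }, "click_save_choices");        // advertising left unticked
  out.analyticsAfterConsent = cm.setCookie("site_analytics", "a1");   // true
  out.adsAfterConsent = cm.setCookie("ad_profile", "p1");             // false
  out.removedOnWithdraw = cm.withdrawConsent();                        // 1
  out.necessaryKept = cm.store.has("session_id");                     // true
  out.evidenceEntries = cm.evidence.length;                            // 2
  return out;
}
```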

Please contact us for assistance with your cookie review.

Nigel Miller is a partner in the commerce & technology team at City law firm Fox Williams LLP and is a Certified Information Privacy Professional (CIPP/E). Nigel can be contacted at nmiller@foxwilliams.com

 

The use of location data by mobile apps post-GDPR

This article was first published on Lexis®PSL TMT on 24 September 2018.

From the perspective of a party providing an app via an app store, what regulations govern the use of location data by that mobile app?

The key consideration is data privacy and, therefore, the main regulation to consider is the General Data Protection Regulation (GDPR) which came into force on 25 May 2018. This will apply to the app provider if they carry out processing of personal data on the device.

While there is as yet no specific guidance under the GDPR on the use of location data by Apps, in 2011 the Article 29 Data Protection Working Party (now the European Data Protection Board (EDPB)) adopted Opinion 13/2011 on “Geolocation services on smart mobile devices” and in 2013 Opinion 2/2013 on “Apps on smart devices”. Although these opinions relate to the Data Protection Directive (95/46/EC), much of the content of the Opinions is still relevant under the GDPR.

In the UK, you should also take into account the Data Protection Act 2018 which supplements the GDPR in certain areas (such as in relation to special categories of personal data and data subject rights) although not specifically in relation to location data.

To what extent / in what circumstances will the Privacy and Electronic Communications Regulations 2003 regulate the use of location data by mobile app providers? What exemptions apply and does PECR 2003 apply to ‘information society services’?

Under regulation 6 of PECR (as amended by the 2011 Regulations), it is unlawful to gain access to information stored in the terminal equipment of a subscriber or user unless the subscriber or user (a) is provided with clear and comprehensive information about the purposes of the access to that information; and (b) has given his or her consent. This applies irrespective of whether or not the location data is “personal data”.

Regulation 14 relates specifically to the processing of location data and provides that you can only process location data if you are a public communications provider, a provider of a “value-added service”, or a person acting on the authority of such a provider, and only if: (a) the data is anonymous; or (b) you have the user’s consent to use it for a value-added service, and the processing is necessary for that purpose. This does not apply to data collected independently of the network or service provider such as GPS-based location data or data collected by a local wifi network. However, the use of such data will still need to comply with the GDPR.

To what extent / in what circumstances will the GDPR regulate the use of location data collected from mobile apps by mobile app providers?

The GDPR will apply if the app provider collects the location data from the device and if it can be used to identify a person.

If the data is anonymized such that it cannot be linked to a person, then the GDPR will not apply. However, if the location data is processed with other data related to a user, the device or the user’s behavior, or is used in a manner to single out individuals from others, then it will be “personal data” and fall within the scope of the GDPR even if traditional identifiers such as name, address etc are not known.

Opinion 13/2011 sets out the regulator’s view that a device is usually intimately linked to a specific individual and that location data will, therefore, be regarded as “personal data”. Indeed, the definition of “personal data” in the GDPR specifically includes location data as one of the elements by reference to which a person can be identified. The Opinion comments that the providers of geolocation based services gain “an intimate overview of habits and patterns of the owner of such a device and build extensive profiles.”

Furthermore, in certain contexts, location data could be linked to special category personal data (sensitive personal data). For example, location data may reveal visits to hospitals or places of worship or presence at political demonstrations.

How is compliance with such laws commonly addressed by app providers?

To process the data derived from the device or the app, the app provider needs to have a legal basis.

Contract necessity may apply to some uses of the location data. For other uses, depending on the app, it may be problematic to rely on “legitimate interests” as a lawful basis for tracking individuals using location data, for example, to serve location specific ads. Therefore, in many cases the app provider will need to rely on the user’s “consent” for processing location data.

How should app providers respond to recent changes in the law (e.g., the introduction of GDPR) impacting their apps’ use of location data?

Where app providers rely on “consent” as the legal basis, they will need to ensure that this meets the stricter requirements for consent under GDPR. This can be challenging given the constraints of the mobile app environment.

Transparency is essential. The Article 29 Guidelines on transparency WP260 rev.01 indicate that, for apps, the Article 13 privacy information should be made available from the app store before download. Once the app is installed, the privacy information needs to be easily accessible from within the app. The recommendation is that it should never be more than “two taps away” (e.g. by including a “Privacy” option in the app menu). Use of layered notices and contextual real time notifications will be particularly helpful on a mobile device.

The device’s operating system (such as iOS) may require the user’s permission to use the location data, for example via a dialogue box asking if the user agrees to allow the app to access the user’s location, either while using the app or in the background. Clicking on the “allow” button enables location services on the device and may also help signify consent, provided that this has been sufficiently informed and is sufficiently granular.

If the app integrates with a third-party provider to enable, for example, location-based advertising the consent to use location data must be sufficiently explicit to include consent to data collection for advertising purposes by the third party, including the identity of the third party. Data sharing arrangements may also be required between the app provider and the third party.

Where children (in UK, under 13) may be involved, the consent must be given or authorised by the holder of parental responsibility over the child.

Following GDPR, app providers should review their data security and retention policies for compliance with the Article 5 principles.

App providers should be mindful of the principles of privacy by design and by default, and so for example location services should, by default, be switched off and its use should be customizable by the user.

Finally, using location data may involve “profiling” within the meaning of Article 4(4) which specifically refers to analysing location data. As such, consideration should be given to whether a data protection impact assessment (DPIA) is required under Article 35 or, if not required, should be undertaken as good practice.

Are there any forthcoming or anticipated changes to the law which may impact on use of location data by mobile app providers?

The ePrivacy Directive on which PECR is based is currently under review to be updated and aligned with GDPR in the form of the ePrivacy Regulation.

This is not yet finalised and its implementation date is not certain but may be in 2019 or 2020. However, GDPR-grade consent will still be required for use of location data subject to certain exceptions including where strictly necessary for providing an information society service specifically requested by the individual. Assuming the ePrivacy Regulation takes effect after Brexit, it remains to be seen if / how it will be implemented in the UK but this can be expected in the interests of UK “adequacy” status.

 

Nigel Miller leads Fox Williams’ technology and data protection group. Nigel is a Certified Information Privacy Professional/Europe (CIPP/E).

The consent trap

Nigel Miller

Having got past 25 May 2018, the day the GDPR came into effect, the torrent of GDPR emails is beginning to abate.

It would be interesting to analyse how many GDPR emails were sent in the run up to the go live date seeking consent to continue being in contact, as against the percentage of recipients who then responded to opt-in. And how many trumpeted a new privacy policy, as against the percentage of recipients who actually read the new policy. I suspect the percentages in each case will be low! Indeed, many people have expressed satisfaction that, by doing nothing and not confirming consent when requested, they can reduce the flow of unwanted spam into their inbox.

But were all these emails necessary, and in particular, was it actually necessary to seek consent?

In many cases it was not necessary to seek consent to “stay in touch” and continue email marketing.

Under GDPR consent is one of the legal bases for processing, but it is not the only one. In most cases, organisations will be able to rely on the “legitimate interests” ground to remain in contact with their contact list. Recital 47 GDPR expressly says that processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest. Subject to confirming this in a “legitimate interests assessment”, many businesses can rely on the concept of ‘legitimate interest’ to justify processing client personal data on their mailing lists without the need to re-affirm consent. GDPR expressly acknowledges that businesses may have a legitimate interest in direct marketing activities, which could include circulating invitations to events, new products and services, or updates etc. This is an appropriate basis for data processing where you use data in ways that people would reasonably expect and which have a minimal privacy impact, especially as a recipient should always be able to easily opt out of future marketing.

While permission based marketing is certainly to be preferred, unless it is required, there is no need to seek specific GDPR-grade consent which may predictably result in the contact database being decimated as a result of recipient inertia and GDPR fatigue.

That all said, there is a key exception where consent to email marketing may be required.  This requirement is not to be found in the GDPR; instead it is in the Privacy and Electronic Communications Regulations (“PECR”). These have been around since 2003 and are currently being upgraded to GDPR level with a new ePrivacy Regulation, although this did not make it into law at the same time as GDPR as was the plan; it is likely to come on stream within the next year or so.

PECR contains supplemental rules on consent for electronic marketing (i.e. marketing by email, phone, SMS or fax). Whilst you may not need consent under the GDPR, you may need consent under PECR.

Different rules apply depending on whether the marketing is sent to an ‘individual’ or a ‘corporate’ subscriber.

Marketing to a corporate email address does not need consent. However, if you are sending unsolicited marketing emails to individual subscribers (a personal email address), then you will need the individual’s consent, unless the so called “soft opt-in” applies (e.g. where the individual is an existing customer).

In summary, assuming you can justify “legitimate interests” for the continued contact, consent is not needed to continue marketing by post, or by email to existing customers or to contacts at corporate email addresses. Consent will only be needed to send direct marketing by email to personal email addresses of individuals who are not customers for similar products and services.

Ironically, in an effort to be compliant, the email requesting consent to future marketing may itself be unlawful if consent was not already in place, and the ICO has fined organisations for engaging in this (e.g. Honda and Flybe). So, sending emails seeking consent may be either unnecessary or unlawful.

New ePrivacy Regulation – implications for Ad-tech

Josey Bright

On 10 January this year, the European Commission published a proposal for a new ePrivacy Regulation (the “ePrivacy Regulation”) to update and replace the current ePrivacy Directive (the “Directive”).

The ePrivacy Regulation, which is part of the Commission’s Digital Single Market Strategy, is designed to closely align with the provisions of the General Data Protection Regulation (GDPR) which was adopted in May 2016. The Commission intends that the ePrivacy Regulation will come into force on the same date as the GDPR, 25 May 2018. However, as it is still yet to be finalised and approved, this timetable may be overly ambitious. It is currently reported that the aim is to finalise the ePrivacy Regulation by the end of 2018.

As it is a Regulation, just like the GDPR, it will be directly applicable in all EU Member States without the need for implementing national laws.

The main aim of the ePrivacy Regulation is to increase privacy protection for users of electronic communications.

The key features of the proposed ePrivacy Regulation are:

  1. Broader scope

The new ePrivacy Regulation will apply to any company processing data in connection with communication services, including all providers of electronic communications services.

This includes “over-the-top” service providers such as text message, email and messaging app providers so services such as WhatsApp, Facebook Messenger and Skype will be within scope of the ePrivacy Regulation.

Like the GDPR, the ePrivacy Regulation will have an extended reach in that non-EU providers providing electronic services to users in the EU will also be within scope of the ePrivacy Regulation.

  2. Content and metadata included

All electronic communications data are covered by the ePrivacy Regulation. However, the ePrivacy Regulation distinguishes between content data (what is actually said in the communication) and metadata (data related to the communication such as the time, location and duration of a call or website visit). Separate rules apply in respect of each type of data:

  • Content can only be used if the end user has consented to its use for a specified purpose and the processing is necessary for the provision of the service.
  • Metadata can only be used where it is necessary for the quality of the service, such as billing, payments, and detecting and/or stopping fraudulent or abusive use of the service.

In circumstances where all end users have consented to the use of content or metadata for a purpose which cannot be fulfilled if the information is anonymised, the data may be used provided that the service provider has consulted the competent EU Data Protection Authority (in the UK, the Information Commissioner’s Office (ICO)) before the processing is carried out.

The threshold for consent under the ePrivacy Regulation is defined by reference to the GDPR. This means consent must be “freely given, specific, informed and unambiguous” given by “a statement or by a clear affirmative action”. Like the GDPR, end users must also be given the right to withdraw their consent at any time.

  3. Storage and erasure of data required

The ePrivacy Regulation includes provisions requiring service providers to erase or anonymise all content after it is received by the end user.

All metadata must also be erased or anonymised once the permitted purpose has been fulfilled, except where such data is required for billing purposes.

  4. Cookie consent options

Like the Directive, the ePrivacy Regulation also provides that the consent of the end user is required for the use of cookies and similar technology. However, the current proposal is that consent can be built into the browser software set-up so that users can tailor their cookie consent choices at the point of installation, rather than by using cookie banners and pop ups.

In addition, analytics cookies which are not privacy intrusive will not require consent (i.e. those used for web audience measuring, or to remember shopping cart details or login information for the same session).

  5. Direct marketing rules

The ePrivacy Regulation distinguishes between business to consumer communications (B2C) and business to business communications (B2B).

Like the Directive, unsolicited commercial communications are not permitted. In B2C marketing prior consent (opt-in) is required. Consent will not be required where marketing similar products or services but a right to object must be provided.

For B2B marketing, the ePrivacy Regulation allows for Member States to determine that the legitimate interests of corporate end users are sufficiently protected from unsolicited communication.

  6. Enforcement and higher fines in line with GDPR

The Information Commissioner’s Office (ICO) will be responsible for enforcement of the ePrivacy Regulation and the GDPR in the UK.

Currently, the ICO can only fine companies up to £500,000 for breaches of PECR (the national legislation which implements the Directive). The ePrivacy Regulation introduces fines which are in line with the GDPR (i.e. up to 20,000,000 EUR or 4% of total worldwide annual turnover, whichever is higher).

In addition, the ePrivacy Regulation confers on users of electronic communications services a right to seek compensation directly from service providers if they have “suffered material or non-material damage as a result of an infringement”.

Implications

The ePrivacy Regulation is critically important for many ad-tech businesses where the need to get specific opt in consent could be highly problematic for intermediaries who do not have a direct relationship with the end users and where soliciting that consent via publishers while legally possible may be impracticable.

All this is not helped by the fact that there is uncertainty around the final form of the ePrivacy Regulation; for example, as to whether valid consent can be managed within the browser.

As if compliance with GDPR did not present enough challenges, the ad-tech industry, as well as individual businesses, need to move quickly to prepare for these forthcoming changes in ePrivacy.

 

Josey Bright is an associate in the commerce & technology team at City law firm Fox Williams LLP and can be contacted at jbright@foxwilliams.com

Data, duties and directors

Jessica Calvert

The ICO blog recently reported that of the £2.7 million worth of fines issued in relation to nuisance calls since April 2015, only 6 of the 27 fines issued have been paid, leaving a total of £2.26 million penalties unpaid. The Privacy and Electronic Communications (EC Directive) Regulations 2003 (“Privacy Regulations”) contain powers for the ICO to fine companies which make marketing calls and texts, where the recipients have not consented to be contacted.

Recent fines that have been issued include:

  • a £70,000 fine to London based Nouveau Finance Limited, a company that sent 2.2 million spam text messages without consent from the recipients;
  • a £30,000 fine to Assist Law, a will writing firm in Weston-Super-Mare, for making unsolicited marketing calls to persons registered with the Telephone Preference Service (TPS) for over a year.

Many of the companies fined, however, have so far avoided paying the fines by filing for insolvency. As the regulator put it, they are “leaving by the back door as the regulator comes through the front door”.

At present the ICO can issue fines of up to £500,000 where there has been a serious contravention. These can be imposed on any legal person (e.g. a business or charity, or an individual), however there is no specific right to fine the directors responsible for such companies. A change to legislation is expected in Spring 2017 which will introduce fines of up to £500,000 for directors of nuisance marketing firms, and hopefully break the cycle whereby the same directors continue to operate under a new company.

The change in law should also be noted by all directors that fall within the remit of the Data Protection Act 1998 (“DPA”), if not the Privacy Regulations, as there is a clear move being made to seek to penalise those accountable for breaches relating to personal data. Points worth noting are:

  • The ICO has the power to fine directors for breaches of the Data Protection Act where the breach can be shown to have occurred with a director’s consent, connivance or neglect;
  • Under the GDPR fines of value up to 4% of annual worldwide turnover, or 20 million euros, whichever is greater, will be possible;
  • When the GDPR is enacted data processors as well as data controllers will also be caught; and
  • Breach of general director duties to act in good faith, in the best interests of the company, and to exercise reasonable care, skill and diligence could result in an action for damages, termination of a directorship, or disqualification as a director.

Jessica Calvert is an associate in the commerce & technology team at City law firm Fox Williams LLP and can be contacted at jcalvert@foxwilliams.com