16 July 2019
Consent is needed for cookies and similar technologies used by organisations based in the EEA (subject to limited exceptions) under the ePrivacy Directive which is implemented in the UK by the Privacy and Electronic Communications Regulations (PECR). PECR also lays down information requirements around cookies.
In addition, where the cookies relate to personal data processing, the GDPR will apply, not only to organisations based in the EEA, but where non-EEA organisations are processing the data of EEA citizens, targeting goods or services to them, or monitoring their behaviour.
The EU is in the process of updating the ePrivacy Directive but the replacement Regulation is stuck in the legislative process. Perhaps the biggest change to the rules on cookies has already taken place; the definition of 'consent' in PECR has changed to match the definition in the GDPR. This means consent, whether under PECR or the GDPR, must be freely given, informed, specific, and an unambiguous indication of the data subject's wishes.
The new definition of consent has raised compliance issues for many businesses, in particular, those which use cookies for interest-based advertising, tracking and marketing.
The ICO has updated its guidance on cookies and similar technologies, and published a 'myth busting' blog. The guidance does not look ahead to the ePrivacy Regulation.
The guidance stresses the importance of consent, both under PECR and the GDPR in terms of the appropriate lawful basis to use for cookies which involve processing personal data. Many websites will find that they do not comply in light of this guidance and should note the ICO's focus on privacy-intrusive cookies for enforcement purposes.
While the guidance highlights a number of issues with current market practice, it does not always come up with practical compliance suggestions and to some extent leaves questions unanswered. It is, however, essential to carry out an audit in light of this guidance and to make any necessary changes. The ICO's message is: "start working towards compliance now – undertake a cookie audit, document your decisions and you will have nothing to fear".
Please contact us for specific advice, and listen to our recent webinar on adtech and cookies, which is available here.
From the blog, we learn (or are reminded) about the headlines of the guidance:
What do you need to do if you use cookies? Tell users and subscribers what cookies will be set, what they will do, and obtain consent to store cookies on devices (unless they fall within the strictly necessary or communication exemptions).
Clear and comprehensive information – should be provided in accordance with data protection law, i.e. the GDPR transparency requirements and the right to be informed. Essentially you need to provide the same kind of information to users about cookies as you would when processing their personal data. This has to cover the cookies you intend to use and what you want to use them for. These requirements also apply to third party cookies.
Users must also be made aware of the cookies being placed on their devices. This information, as well as the ability for users to refuse cookies, must be given in as user friendly a manner as possible.
The guidance is not particularly helpful about how to present information, saying long tables or detailed lists of all the cookies on the site "may be the type of information your users will want to consider". It "may also be helpful" to provide a broader explanation, for example, a description of the types of things you use analytics cookies for. "This may be more likely to satisfy the requirements" than simply listing all the cookies used with basic references to their function.
This inconclusive advice highlights the tension between explaining everything to the user (which could involve lists of hundreds of cookies) in order to satisfy the transparency and consent requirements, and presenting information in a manner which will engage the user.
Consent – required for all non-essential cookies (unless the communication exemption applies) whether or not they will process personal data. This is GDPR level consent so it must be freely given, specific, informed, and an unambiguous expression of the data subject's wishes. For cookies it means that:
Strictly necessary – this also includes what is required to comply with any other legislation that applies, e.g. the security requirements of data protection law. It is good practice to continue to provide clear information about strictly necessary cookies and, if personal data is involved, you will also need to comply with the GDPR.
Strictly necessary cookies include shopping basket cookies, cookies required to comply with the GDPR security principle, and cookies to help a page load quickly. It does not include analytics cookies, first and third party advertising cookies, or cookies used to recognise a user when they return to a website.
If a cookie is strictly necessary, you can only use it for the purpose for which it is strictly necessary.
PECR takes precedence over the GDPR so you need to look first at PECR, then at the GDPR (and Member State data protection rules). Where the setting of a cookie involves the processing of personal data, you will need to comply with the additional requirements of the GDPR.
PECR applies whether or not storage of or access to information on user devices involves processing personal data.
Online identifiers can also include things like MAC addresses, advertising IDs, pixel tags, account handles, and device fingerprints. When assessing whether an individual is identifiable, remember that the question includes whether or not information can be combined to identify the individual.
Even where cookie rules do not apply, you may need to comply with the GDPR.
Cookie consent and lawful basis – if you need consent under cookie rules, then consent must be your lawful basis to set them where they involve personal data. Where PECR and the GDPR apply, you can only rely on another lawful basis to set the cookie if the cookie meets one of the PECR exemptions (strictly necessary or communications exemption).
It may be possible to rely on another lawful basis where personal data is involved for subsequent processing beyond the setting of the cookie "however, you will need to consider the specifics very carefully, particularly if the envisaged processing includes sharing data with third parties". Regulators including the ICO have previously stated that "in certain cases, the processing of personal data that follows or depends on the setting of cookies is highly likely to require consent as its lawful basis." This is not only because the personal data originates by the use of the cookies but because of the nature, scope, context and purposes of the processing operations themselves.
Analysing or predicting preferences or behaviour – in accordance with WP29 guidance on purpose limitation (published in 2013), opt-in consent will almost always be required for analysing or predicting the personal preferences, behaviour and attitudes of individual users where this informs measures or decisions taken about them.
The same guidance says that consent should be required for certain purposes including: tracking and profiling for direct marketing, behavioural advertising, data-brokering, location-based advertising or tracking-based digital market research. "This means that in most circumstances, legitimate interests is not considered to be an appropriate lawful basis for the processing of personal data in connection with profiling and targeted advertising", says the cookie guidance.
The ICO cannot exclude formal action in any area but it is unlikely that priority will be given to use of cookies where there is a low level of intrusiveness and low risk of harm to individuals. The ICO will consider whether controllers can demonstrate they have done everything possible to clearly inform users about the cookies in question and provided them with clear details of how to make choices. The ICO is unlikely to prioritise first party cookies used for analytics purposes where there is a low privacy risk, or cookies which support accessibility of sites and services.
by Debbie Heywood