Are Cookies Crumbling?
Yesterday the ICO published new Guidance in relation to Cookies and similar technology which means that the Cookie banners that many websites currently use are no longer adequate and no longer provide a legal basis for placing Cookies and other similar technologies on devices. It also applies to mobile apps which set Cookies. This is a significant change in approach for the ICO who have interpreted the law in this area in a relaxed manner, until now.
The advice is for organisations, including web developers, to start working towards compliance by carrying out a Cookie audit and documenting decisions and steps taken to comply with the new Guidance. Technology will have a part to play and the ICO recognises the challenges that this will present. In its blog of 3 July 2019 it states:
Cookie compliance will be an increasing regulatory priority for the ICO in the future. However, as is the case with all our powers, any future action would be proportionate and risk-based. Start working towards compliance now – undertake a cookie audit, document your decisions, and you will have nothing to fear.
So do not panic, but do start to address compliance issues now.
The law in relation to placing Cookies and other similar tracking technologies (pixels, fingerprinting etc which I will refer to collectively as Cookies) is set out in regulation 6 of the Privacy and Electronic Communications (EC Directive) Regulations 2003 known as PECRs.
These technologies have developed over recent years and can be placed by those operating the website to provide information about how effective their website is, or can be placed by third parties who can then track an individual’s use of that website and other websites. Some technologies can track an individual even if they are using a different device to access the website. Some also track the location of mobile devices. The invasive nature of cookies varies and can be difficult to understand. Sometimes they gather personal data and sometimes they do not, but any technology which can access information on a device must only be used in compliance with regulation 6 of PECRs.
If Cookies are placed on an end user’s device allowing someone to gain access to information stored in the device, then consent is required under regulation 6 of PECRs, unless the Cookies are essential for the provision of the service. Regulation 6 also requires clear and comprehensive information to be provided about the purpose and storage of the information accessed from the end user’s device.
This law was introduced in May 2011 and following its introduction most EU Regulators, including the ICO, accepted that consent could be obtained through Cookie banners and Cookie notices providing basic information, and that continued browsing then represented implied consent. This is no longer the case.
The GDPR introduced an enhanced standard of consent which requires consent to be obtained through an affirmative action. Therefore implied consent is no longer valid consent and all consent must be opt-in.
The ICOs’ Guidance tells us that we must obtain GDPR compliant consent prior to any non-essential Cookies being placed on a device. This can be consent from the subscriber (an employer or the person who pays for internet access) or the user. As stated this must be active, opt in consent.
Currently most Cookie banners do not seek opt in consent and so any Cookies placed on websites using these banners are unlawful.
Some websites have introduced compliant banners and you can see a relatively simple one the first time you visit the ICO website which provides information about the essential cookies that it sets, but asks for consent to set analytics cookies. This will be a great deal more complex where websites use several types of cookies, including performance, functionality and advertising; and where third party cookies from social media plug ins are part of the website.
- Non-essential Cookies should not be set before consent is provided. The default must be to switch Cookies off.
- Consent should not be opt-out, but must be obtained by an affirmative action as per the GDPR requirements.
- You may also need consent to use the information gathered by Cookies, if it is personal data or can be combined with other information you hold to identify an individual and the processing in invasive. Targeted advertising is likely to fall into this category.
- You will also need consent to use pixel technology that tracks interactions with emails that you send.
- Information must be provided about why Cookies are being used
- If you are using technology that allows third parties to place Cookies, you must obtain separate consent and provide information about what use is made of the information by the third parties. This includes social media plug ins.
- Consent should be as easy to withdraw as it is to provide
- Consent may require to be refreshed each time someone visits, but this depends on whether you have updated your website and how frequently they visit your website. Consent to Cookies will not last forever.
There is a new law coming in relation to Cookies called the ePrivacy Regulation which will contain updated rules about setting Cookies and tracking technology on devices. There is no final view on what the Regulation will say and the content has changed over the last two years as the marketing industry and the privacy lobby battle this out.
However for now, Cookies have become an issue that the ICO has decided to address and therefore organisations running websites using Cookies will need to start addressing the compliance issues now.