Have the Cookies Crumbled?

The GDPR arrived in May 2018.

Then in 2019, the Information Commissioner’s Office (ICO) issued Guidance which stated that cookie banners used on many websites, platforms, and apps (websites) were not fit for purpose. These cookie banners no longer provided a legal basis for placing non-essential cookies and other similar technologies including tracking pixels etc (cookies) on people’s devices. This guidance marked a clear move away from the relaxed manner of supervision the ICO, and other EU regulators, had previously shown this issue.

However, four years later the ICO had still not taken any action in relation to cookie compliance until August 2023 when it published a blog which provided further guidance to website owners/controllers on cookies stating:

“A website’s cookie banner should make it as easy to reject non-essential cookies as it is to accept them. The ICO will be assessing cookie banners of the most frequently used websites in the UK, and taking action where harmful design is affecting consumers.”

In November 2023 the ICO then issued a statement and said that following assessments they had contacted many of the UK’s most visited websites setting out their concerns and allowing a 30-day grace period to comply with the law.

So… action is now being taken. What must you consider to ensure your website is compliant?

What You Must Do

The Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECRs) sets out the rules about cookies and other tracking tools. The PECRs state that a person shall not store or gain access to information on a user’s computer/device unless:

1. Clear and comprehensive information has been provided to explain how such information will be collected and used; and
2. The user explicitly consents. Cookies allow website and app operators to access information on computers and mobile phones etc and so they require consent. Operators must also explain what the technologies being used, including what information they gather and, in particular, who it is shared with.

Provide Comprehensive Information

Clear and comprehensive information is to be interpreted with reference to the standards set out in Data Protection legislation, even where the cookies do not collect personal data. So you need to explain how you are using the information collected by cookies and you must also explain what other organisations who have set cookies on your website are doing. Ultimately, the website owner is always ultimately responsible for ensuring their users have been duly informed about the cookies being used on their website.

Obtain Consent

Obtaining valid consent under the GDPR became a lot more difficult and it must be in place before cookies are deployed. Consent must be freely given, not implied or assumed or obtained by tricks or nudges. It should be as easy to reject cookies as it is to consent to cookies and this is where many website operators fall down.

Essential cookies do not require consent but please note that they must be absolutely essential for the operation of your website etc, not just convenient.

The Data Protection and Digital Information Bill is proposing to allow website operators to deploy analytics cookies without consent but only where the information is only used by the website operator, and not shared with third parties i.e. first part cookies. It is the use of information from cookies by third parties to build individual profiles of users where the significant risks lie for rights and freedoms. The concerns about the use of profiling and algorithms for behavioural advertising purposes, for commercial and political ends is well recognised.

However the Bill also introduces higher fines for non-compliance with PECRs, increasing the maximum fine from £500,000 to £17.5 million: in line with the UK GDPR.

What Not to Do

The ICO has prioritised ensuring when users access a website it is just as easy to ‘reject all’ cookies, as it is to ‘accept all’ cookies and nothing more complicated than that. it is common to see users being nudged towards ‘accept all’ by making the ‘reject all’ less obvious or involving more clicks.

Legitimate interests can never be used to deploy cookies lawfully. It is common to see some websites purporting to rely on legitimate interests but this we expect that this will also be a focus of the ICO. PECRs clearly states that consent is a legal requirement.

Take Warnings from Europe 

The ICO is yet to take regulatory action for breaches regarding cookie use. However, a number of European data protection bodies have:

• In Jan 2023, France’s regulator CNIL fined TikTok €5 million as they determined the platform was discouraging users from rejecting cookies. The user had to select multiple options to reject but only one to accept.
• In Dec 2022, CNIL fined Microsoft Ireland €60 million for not providing an easy option to refuse cookies on bing.com. CNIL’s investigations found that cookies were being used for advertising purposes without user consent.

It is clear that the ICO have taken a policy decision to now start tackling non-compliance. Such intervention appears to have had some impact, as they have reported that 38 of the 53 organisations they contacted have updated their cookie banners to ensure they are compliant with the 2019 ICO guidance. Moreover, the ICO show no signs of stopping their enforcement measures, stating in their January blog post:

We will not stop with the top 100 websites. We are already preparing to write to the next 100 – and the 100 after that.

We expect that it is only a matter of time before regulatory action is taken by the ICO in relation to website operators – of all sizes – who do not comply with the laws which have been in place for several years now. Our data protection expert team can assist you to ensure your website is compliant. Please contact Laura Irvine or Kirstin Mackay.

Disclaimer 
The matter in this publication is based on our current understanding of the law.  The information provides only an overview of the law in force at the date hereof and has been produced for general information purposes only. Professional advice should always be sought before taking any action in reliance of the information. Accordingly, Davidson Chalmers Stewart LLP does not take any responsibility for losses incurred by any person through acting or failing to act on the basis of anything contained in this publication.