Date: 03/07/2019 | Business & Professional Services, Data Protection & Information Law
The advice is for organisations, including web developers, to start working towards compliance by carrying out a Cookie audit and documenting decisions and steps taken to comply with the new Guidance. Technology will have a part to play and the ICO recognises the challenges that this will present. In its blog of 3 July 2019 it states:
Cookie compliance will be an increasing regulatory priority for the ICO in the future. However, as is the case with all our powers, any future action would be proportionate and risk-based. Start working towards compliance now - undertake a cookie audit, document your decisions, and you will have nothing to fear.
So do not panic, but do start to address compliance issues now.
The law in relation to placing Cookies and other similar tracking technologies (pixels, fingerprinting etc which I will refer to collectively as Cookies) is set out in regulation 6 of the Privacy and Electronic Communications (EC Directive) Regulations 2003 known as PECRs.
These technologies have developed over recent years and can be placed by those operating the website to provide information about how effective their website is, or can be placed by third parties who can then track an individual’s use of that website and other websites. Some technologies can track an individual even if they are using a different device to access the website. Some also track the location of mobile devices. The invasive nature of cookies varies and can be difficult to understand. Sometimes they gather personal data and sometimes they do not, but any technology which can access information on a device must only be used in compliance with regulation 6 of PECRs.
If Cookies are placed on an end user’s device allowing someone to gain access to information stored in the device, then consent is required under regulation 6 of PECRs, unless the Cookies are essential for the provision of the service. Regulation 6 also requires clear and comprehensive information to be provided about the purpose and storage of the information accessed from the end user’s device.
This law was introduced in May 2011 and following its introduction most EU Regulators, including the ICO, accepted that consent could be obtained through Cookie banners and Cookie notices providing basic information, and that continued browsing then represented implied consent. This is no longer the case.
The GDPR introduced an enhanced standard of consent which requires consent to be obtained through an affirmative action. Therefore implied consent is no longer valid consent and all consent must be opt-in.
The ICOs’ Guidance tells us that we must obtain GDPR compliant consent prior to any non-essential Cookies being placed on a device. This can be consent from the subscriber (an employer or the person who pays for internet access) or the user. As stated this must be active, opt in consent.
Currently most Cookie banners do not seek opt in consent and so any Cookies placed on websites using these banners are unlawful.
Some websites have introduced compliant banners and you can see a relatively simple one the first time you visit the ICO website which provides information about the essential cookies that it sets, but asks for consent to set analytics cookies. This will be a great deal more complex where websites use several types of cookies, including performance, functionality and advertising; and where third party cookies from social media plug ins are part of the website.
There is a new law coming in relation to Cookies called the ePrivacy Regulation which will contain updated rules about setting Cookies and tracking technology on devices. There is no final view on what the Regulation will say and the content has changed over the last two years as the marketing industry and the privacy lobby battle this out.
However for now, Cookies have become an issue that the ICO has decided to address and therefore organisations running websites using Cookies will need to start addressing the compliance issues now.
Keep your organisation up to date with the latest opportunities and changes in commercial law with regular insight and updates from the experts at Davidson Chalmers Stewart.