Cookies hit the sweet spot for European regulators


Guidance for organisations on an increasingly important regulatory priority

In December 2020 both Google and Amazon were fined by the French data protection regulator, the CNIL, for placing cookies on user devices without obtaining prior consent or providing adequate information. They were fined €100 million and €35 million, respectively.

Specifically, Google were found to have:

  • Placed a non-essential (advertising) cookie on users’ devices when they visited the site google.fr; and
  • Failed to provide sufficient information – a banner displayed at the bottom of the page with the note “Privacy reminder from Google” and two buttons (“Remind me later” and “Access now”) did not clearly inform users about the placement of cookies on their devices.

In addition, an “opposition mechanism” (which enabled a user to deactivate ad personalisation on the Google search) was partially defective, as one of the advertising cookies remained on the user’s device, reading information.

Amazon were found to have:

  • Automatically placed non-essential advertising cookies on the devices of those who visited their site (amazon.fr); and
  • Failed to provide sufficient information. (The information banner, which stated that “By using this website, you accept our use of cookies allowing to offer and improve our services. Read more”, did not provide sufficient information about the purpose of those cookies. It gave only general and approximate information about their purpose and failed to explain that users could refuse these cookies and how they could do this.)

These staggeringly large fines follow a number of cookie-related cases across the EU, and are a useful reminder that, both in the UK and in the EU, there are rules about the use of cookies which seem to be an increasing area for regulators to focus on (and one that consumers are becoming more aware of and concerned about).

Although the current rules about cookies have been in place for some time, it was the coming into effect of the GDPR in 2018, with its strengthened concept of consent, that changed things, because of the effect it had on the meaning of consent required under “Cookie Law”.

As a result, in July 2019 the ICO updated its guidance on the rules that apply to the use of cookies (and at the same time changed the cookie control mechanism on its own website to mirror the changes in the new guidance). The ICO said, when it published this guidance, “Cookie compliance will be an increasing regulatory priority for the ICO in the future.”

This, combined with the fact that new rules regarding the use of cookies are coming (in the EU and perhaps in the UK too), means that these fines are a timely reminder of the importance of complying with Cookie Law. Now is therefore the perfect time to reassess your organisation’s cookie compliance.

What are cookies?

Cookies are small text files that can store a wealth of data. They are the primary tool used to track online activity which can be utilised for marketing/advertising purposes. In general, there are three different ways to classify cookies: what purpose they serve, how long they endure, and their provenance.

The ICO categorises cookies as follows:

Duration

  • Session cookies – These cookies are temporary and expire once a browser is closed (or when a session ends).
  • Persistent cookies – These cookies remain on a hard drive until erased or they expire. All persistent cookies have an expiration date written into their code, but their duration can vary. According to Cookie Law, they should not last longer than 12 months.

Provenance

  • First-party cookies – cookies placed on a device directly by the service provider, e.g., the website being visited.
  • Third-party cookies – cookies placed on a device by a third party like an advertiser or an analytics system.

Purpose

  • Strictly necessary cookies. These cookies are essential, e.g., to enable a website to be browsed. These cookies will generally be first-party session cookies. While you are not required to obtain consent for these cookies, what they do and why they are necessary should be explained to the user.
  • Preferences cookies (aka ‘functional’ or ‘functionality’ cookies). These cookies allow a website to remember choices made by users, e.g., username and password.
  • Statistics cookies (aka ‘analytics’ and ‘performance’ cookies). These cookies collect information e.g., which pages on a website are visited and which links are clicked on.
  • Marketing cookies (aka ‘targeting’ cookies). These cookies track online activity.

Although these are the main ways of classifying cookies, there are cookies that will not fit neatly into these categories or may qualify for multiple categories.

Cookie Law

In the UK, the Privacy and Electronic Communications Regulations (PECR) sit alongside the UK GDPR to give individuals specific additional privacy rights. There are specific rules on (amongst other things) cookies and similar technologies. It is these rules which are referred to in this guidance as Cookie Law.

It is important to appreciate that the rules of the PECR are there to protect individuals – not organisations. This means that Cookie Law only applies to a member of the public (an individual or consumer), not to a company or other corporate entity.

NB: where Cookie Law applies this takes precedence over the UK GDPR. The ICO says: “This is important, because if you are setting cookies you need to consider PECR compliance first before you look to the UK GDPR.” This means that, if you are operating an online service, the easiest way to look at this is:

  • if your online service stores information, or accesses information stored, on user devices you should ensure that you comply with PECR first, including the requirements to provide information and obtain consent; and
  • the UK GDPR applies to any processing of personal data outside of this storage or access.

NB: It is important to appreciate that cookies may not always be classed as personal data. However, Cookie Law applies whether or not the storage of or access to information on user devices involves processing personal data.

In summary, Cookie Law means that you must tell individuals if there are cookies and clearly explain what the cookies do and why. This means providing clear and comprehensive information that:

  • Identifies the cookies you intend to use;
  • States the purposes for which you intend to use them; and
  • Sets out how long they will last on a device (their duration).

It also means that you must obtain a user’s consent for all cookies that are not strictly necessary (see below).

Note: The same rules also apply if you use any other type of technology to store or gain access to information on someone’s device, including tracking pixels and plugins. From now on the term ‘cookies’ will be used to refer both to cookies and similar technologies.

Strictly necessary cookies

A cookie is strictly necessary if it is essential – rather than reasonably necessary – to provide a service requested by a user, to ensure security, or to comply with data protection law. It does not cover what might be essential for any other uses that the organisation setting the cookie might wish to make of that data. This means that the strictly necessary exemption has a narrow application, and that advertising and analytics cookies are not ‘strictly necessary’ and so do not fall outside the cookie consent rules. Whilst such cookies may be crucial from an advertising or marketing point of view, they are not ‘strictly necessary’ from the point of view of a user.

Consent

This means the same in Cookie Law as it does in the UK GDPR: “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”

This means that the user must be able to control the use of cookies and that:

  • consent requires clear and positive action in order to be valid
  • implied consent will not be valid
  • non-essential cookies should not be pre-enabled (enabling a non-essential cookie without the user taking a positive action before it is set on their device is not valid consent – by doing this, the website operator is taking the choice away from the user).

In practice, this means that, on websites, none of the following statements are compliant with Cookie Law:

  • ‘By continuing to use this website you are agreeing to cookies.’
  • ‘We’ve placed cookies on your device to help to improve your experience. By continuing to use the site you consent to this.’
  • ‘We use cookies to give you the best online experience. By accessing this website, you give your consent to our use of cookies.’
  • ‘We use cookies to improve and personalise your experience. By continuing to use the site, you agree to our use of cookies.’
  • Pre-ticked boxes or equivalents such as sliders defaulted to ‘on’ (for non-essential cookies).
  • Consent options that encourage users to ‘agree’ or ‘allow’ cookies over ‘reject’ cookies (‘nudge behaviour’).
  • A consent mechanism that doesn’t allow a user to make a choice.
  • Consent options which incorporate consent controls in a ‘more information’ option (if they do not allow users to make a choice before non-essential cookies are set).

Under the UK GDPR users are able to withdraw their consent at any time. This means that:

  • Any consent mechanism must have the technical capability to allow users to withdraw their consent with the same ease that they gave it.
  • Information must be provided about how consent can be withdrawn and how cookies that have already been set can be removed (in your consent mechanism or within your privacy or cookie policies).
  • The consequences of withdrawing that consent should be made clear, for example, by explaining the impact on the functionality of the website.
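The consent rules above (nothing non-essential pre-enabled, setting only after a positive action, withdrawal as easy as granting and removing cookies already set) can be modelled in a small consent gate. This is an added example, not code from the article or from NormCyber; the class and method names are assumed, and the cookie jar is injected so it runs in Node, where a page would instead pass a wrapper around document.cookie.

```javascript
// Added example (assumed names, not the article's code): a consent-gated cookie manager.
// The jar is injected so this runs in Node; in a page it would wrap document.cookie.
const STRICTLY_NECESSARY = 'necessary';

class ConsentManager {
  constructor(jar) {
    this.jar = jar;                 // { set(name, value, opts), remove(name), names() }
    this.registry = new Map();      // cookie name -> category ('necessary', 'statistics', ...)
    this.granted = new Set();       // non-essential categories the user has opted in to
  }

  register(name, category) { this.registry.set(name, category); }

  // Only strictly necessary cookies are allowed by default: nothing else is pre-enabled.
  isAllowed(category) {
    return category === STRICTLY_NECESSARY || this.granted.has(category);
  }

  // Called only from an explicit user action (e.g. an "Accept analytics" button handler).
  grant(categories) { categories.forEach(c => this.granted.add(c)); }

  // Withdrawal must be as easy as granting, and must remove cookies that were already set.
  withdraw(categories) {
    categories.forEach(c => this.granted.delete(c));
    for (const [name, category] of this.registry) {
      if (!this.isAllowed(category)) this.jar.remove(name);
    }
  }

  // The single path through which cookies are set; refuses categories without consent.
  setCookie(name, value, opts = {}) {
    const category = this.registry.get(name);
    if (category === undefined) throw new Error(`unregistered cookie: ${name}`);
    if (!this.isAllowed(category)) return false;
    this.jar.set(name, value, opts);
    return true;
  }
}

// In-memory stand-in for document.cookie (constructed for the example).
class MemoryJar {
  constructor() { this.store = new Map(); }
  set(name, value) { this.store.set(name, value); }
  remove(name) { this.store.delete(name); }
  names() { return [...this.store.keys()]; }
}
```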

Compliance with Cookie Law

In order to comply with Cookie Law, you need to provide information about cookies in such a way that the user will see it, and in a way that your intended or likely users will understand it, when they first visit your site or service. You need to facilitate a means to obtain consent (where needed) for the placing of cookies. This can be done via the combined use of a cookie policy and a cookie consent mechanism (aka cookie consent platform).

Cookie policy: The ICO guidance says you should provide information about cookies “in a privacy or cookie policy accessed through a link within the consent mechanism and at the top or bottom of your website”. The guidance also says long tables or detailed lists of all the cookies on the site “may be the type of information your users will want to consider” and that it may also be helpful to provide a broader explanation, for example, a description of the types of things you use analytics cookies for.

Cookie consent mechanism: The ICO guidance says: “How you request consent for cookies will depend initially on what the cookies in use are doing and, to some extent, on the relationship you have with your users.” In other words, there is no prescribed way of going about obtaining consent.

However, you need to ensure that any consent mechanism puts users in control of cookies.

Not just websites

Cookie Law is not limited to websites. The PECR covers the use of cookies for storing information, and accessing information stored, on a user’s device. This means that where an organisation conducts digital marketing by sending out emails which incorporate a tracking pixel, these emails are also covered by Cookie Law where the recipient’s email address is personal as opposed to business.

Conclusion

In light of the increased focus on the enforcement of Cookie Law by data protection regulators, all organisations should consider conducting a cookie audit to:

  • identify the cookies in use
  • check that cookie policies provide accurate and clear information about each cookie; and
  • ensure that consent mechanisms enable users to control the setting of all non-essential cookies
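The first audit step, identifying the cookies in use, can be partly automated from the Set-Cookie headers a crawl of your own site records. The following helper classifies each cookie by duration and provenance using the categories from the “What are cookies?” section and flags persistent cookies that outlast the 12-month limit the article describes. It is an added example, not the article’s or NormCyber’s code; the function names, the example.org site and the sample headers are all assumed and constructed.

```javascript
// Added audit helper (names assumed; not from the article).
const TWELVE_MONTHS_SECONDS = 365 * 24 * 60 * 60; // the 12-month limit described in the article

// Split a Set-Cookie header into name, value and lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const a of attrs) {
    const i = a.indexOf('=');
    const key = (i < 0 ? a : a.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i < 0 ? true : a.slice(i + 1);
  }
  return cookie;
}

// Lifetime in seconds; Max-Age takes precedence over Expires; null means a session cookie.
function lifetimeSeconds(cookie, now) {
  if ('max-age' in cookie.attrs) return parseInt(cookie.attrs['max-age'], 10);
  if ('expires' in cookie.attrs) {
    return Math.round((Date.parse(cookie.attrs.expires) - now.getTime()) / 1000);
  }
  return null;
}

// siteDomain is the site being audited; responder is the host whose response set the cookie.
function auditCookie(responder, header, siteDomain, now) {
  const c = parseSetCookie(header);
  const life = lifetimeSeconds(c, now);
  const firstParty = responder === siteDomain || responder.endsWith('.' + siteDomain);
  return {
    name: c.name,
    duration: life === null ? 'session' : 'persistent',
    provenance: firstParty ? 'first-party' : 'third-party',
    overTwelveMonths: life !== null && life > TWELVE_MONTHS_SECONDS,
  };
}

function auditAll(observed, siteDomain, now = new Date()) {
  return observed.map(o => auditCookie(o.responder, o.header, siteDomain, now));
}

// Constructed sample of what a crawl of a fictitious site might record (not real data).
const SAMPLE = [
  { responder: 'www.example.org', header: 'sid=abc123; Path=/; HttpOnly; Secure; SameSite=Lax' },
  { responder: 'www.example.org', header: 'prefs=lang%3Den; Max-Age=2592000; Path=/' },
  { responder: 'ads.example.net', header: 'ad_id=xyz; Max-Age=63072000; Path=/; Secure' },
  { responder: 'stats.example.org', header: 'track=1; Expires=Wed, 01 Jan 2025 00:00:00 GMT' },
];
const AUDIT_DATE = new Date('2024-01-01T00:00:00Z'); // fixed so Expires-based results are stable
```

Run with `auditAll(SAMPLE, 'example.org', AUDIT_DATE)`; the `track` cookie is flagged because 2024 is a leap year and its Expires date is 366 days away, which is exactly the kind of boundary case a manual check misses.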

Disclaimer 
This advisory, which is based on various sources including the ICO, is for information purposes only. It is not intended to be a source of legal advice and must not be relied upon as such. 


Written by Robert Wassall
Robert Wassall is a solicitor, expert in data protection law and practice and a Data Protection Officer. As Head of Legal Services at NormCyber Robert heads up its Data Protection as a Service (DPaaS) solution and advises organisations across a variety of industries. Robert and his team support them in all matters relating to data protection and its role in fostering trusted, sustainable relationships with their clients, partners and stakeholders.