Guidance for organisations on an increasingly important regulatory priority
In December 2020 both Google and Amazon were fined by the French data protection regulator, the CNIL, for placing cookies on user devices without obtaining prior consent or providing adequate information. They were fined €100 million and €35 million, respectively.
Specifically, Google were found to have:
- Placed a non-essential (advertising) cookie on users’ devices when they visited the site google.fr; and
- Failed to provide sufficient information – a banner displayed at the bottom of the page with the note “Privacy reminder from Google” and two buttons (“Remind me later” and “Access now”) did not clearly inform users about the placement of cookies on their devices.
In addition, an “opposition mechanism” (which enabled a user to deactivate ad personalisation on the Google search) was partially defective, as one of the advertising cookies remained on the user’s device, reading information.
Amazon were found to have:
- automatically placed non-essential advertising cookies on the devices of those who visited their site (amazon.fr); and
Although the current rules about cookies have been in place for some time, it was the coming into effect of the GDPR in 2018, with its strengthened concept of consent, that changed things, because of the effect it had on the meaning of consent required under “Cookie Law”.
What are cookies?
Cookies are small text files that can store a wealth of data. They are the primary tool used to track online activity which can be utilised for marketing/advertising purposes. In general, there are three different ways to classify cookies: what purpose they serve, how long they endure, and their provenance.
The ICO categorises cookies as follows:
- Session cookies – These cookies are temporary and expire once a browser is closed (or when a session ends).
- Persistent cookies – These cookies remain on a hard drive until erased or they expire. All persistent cookies have an expiration date written into their code, but their duration can vary. According to Cookie Law, they should not last longer than 12 months.
- First-party cookies – cookies placed on a device directly by the service provider, e.g., the website being visited.
- Third-party cookies – cookies placed on a device by a third party like an advertiser or an analytics system.
- Strictly necessary cookies. These cookies are essential, e.g., to enable a website to be browsed. These cookies will generally be first-party session cookies. While you are not required to obtain consent for these cookies, what they do and why they are necessary should be explained to the user.
- Preferences cookies (aka ‘functional’ or ‘functionality’ cookies). These cookies allow a website to remember choices made by users, e.g., username and password.
- Statistics cookies (aka ‘analytics’ and ‘performance’ cookies). These cookies collect information e.g., which pages on a website are visited and which links are clicked on.
- Marketing cookies (aka ‘targeting’ cookies). These cookies track online activity.
Although these are the main ways of classifying cookies there are cookies that will not fit neatly into these categories or may qualify for multiple categories.
In the UK, the Privacy and Electronic Communications Regulations (PECR) sit alongside the UK GDPR to give individuals specific additional privacy rights. There are specific rules on (amongst other things) cookies and similar technologies. It is these rules which are referred to in this guidance as Cookie Law.
It is important to appreciate that the rules of the PECR are there to protect individuals – not organisations. This means that Cookie Law only applies to members of the public (individuals or consumers), not to a company or other corporate entity.
NB: where Cookie Law applies this takes precedence over the UK GDPR. The ICO says: “This is important, because if you are setting cookies you need to consider PECR compliance first before you look to the UK GDPR.” This means that, if you are operating an online service, the easiest way to look at this is:
- if your online service stores information, or accesses information stored, on user devices you should ensure that you comply with PECR first, including the requirements to provide information and obtain consent; and
- the UK GDPR applies to any processing of personal data outside of this storage or access.
NB: It is important to appreciate that cookies may not always be classed as personal data. However, Cookie Law applies whether or not the storage of or access to information on user devices involves processing personal data.
In summary, Cookie Law means that you must tell individuals if there are cookies and clearly explain what the cookies do and why. This means providing clear and comprehensive information that:
- Identifies the cookies intended to be used; and
- States the purposes for which you intend to use them; and
- Sets out how long they will last on a device (their duration).
It also means that you must obtain a user’s consent for all cookies that are not strictly necessary (see below).
Note: The same rules also apply if you use any other type of technology to store or gain access to information on someone’s device, including tracking pixels and plugins. From now on the term ‘cookies’ will be used to refer both to cookies and similar technologies.
Strictly necessary cookies
A cookie is strictly necessary if it is essential – rather than reasonably necessary – to provide a service requested by a user, to ensure security, or to comply with data protection law. It does not cover what might be essential for any other uses that the organisation setting the cookie might wish to make of that data. This means that the strictly necessary exemption has a narrow application, and that advertising and analytics cookies are not ‘strictly necessary’ and so do not fall outside the cookie consent rules. Whilst such cookies may be crucial from an advertising or marketing point of view, they are not ‘strictly necessary’ from the point of view of a user.
Consent means the same in Cookie Law as it does in the UK GDPR: “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.” In particular:
- consent requires clear and positive action in order to be valid
- implied consent will not be valid
- non-essential cookies should not be pre-enabled (enabling a non-essential cookie without the user taking a positive action before it is set on their device is not valid consent – by doing this, the website operator is taking the choice away from the user).
In practice, this means that, on websites, none of the following statements are compliant with Cookie Law:
- ‘By continuing to use this website you are agreeing to cookies.’
- ‘We’ve placed cookies on your device to help to improve your experience. By continuing to use the site you consent to this.’
- Pre-ticked boxes or equivalents such as sliders defaulted to ‘on’ (for non-essential cookies).
- Consent options that encourage users to ‘agree’ or ‘allow’ cookies over ‘reject’ cookies (‘nudge behaviour’).
- A consent mechanism that doesn’t allow a user to make a choice.
- Consent options which incorporate consent controls in a ‘more information’ option (if they do not allow users to make a choice before non-essential cookies are set).
Under the UK GDPR users are able to withdraw their consent at any time. This means that:
- Any consent mechanism must have the technical capability to allow users to withdraw their consent with the same ease that they gave it.
- Information must be provided about how consent can be withdrawn and how cookies that have already been set can be removed (in your consent mechanism or within your privacy or cookie policies).
- The consequences of withdrawing that consent should be made clear, for example, by explaining the impact on the functionality of the website.
Compliance with Cookie Law
Cookie consent mechanism: The ICO guidance says: “How you request consent for cookies will depend initially on what the cookies in use are doing and, to some extent, on the relationship you have with your users.” In other words, there is no prescribed way of going about obtaining consent.
However, you need to ensure that any consent mechanism puts users in control of cookies.
Not just websites
In light of the increased focus on the enforcement of Cookie Law by data protection regulators, all organisations should consider conducting a cookie audit to:
- identify the cookies in use;
- check that cookie policies provide accurate and clear information about each cookie; and
- ensure that consent mechanisms enable users to control the setting of all non-essential cookies.
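To make the first audit step concrete, here is an added example (not part of the original advisory) that takes the Set-Cookie headers captured from a page load made before any consent was given, classifies each cookie along the lines above (session or persistent, first or third party), and flags non-essential cookies pre-set before consent and persistent cookies lasting longer than 12 months. The site domain, the cookie names, the sample headers and the strictly-necessary allowlist are all constructed assumptions.

```python
"""Cookie audit helper (added example, not from the original advisory).

Parses Set-Cookie headers captured from a page load made *before* consent was
given and flags cookies that would breach the rules described above. All
cookie names, domains, sample headers and the allowlist are constructed."""
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from http.cookies import SimpleCookie

SITE_DOMAIN = "example.co.uk"                    # constructed first-party domain
STRICTLY_NECESSARY = {"sessionid", "csrftoken"}  # constructed allowlist
MAX_DURATION = timedelta(days=365)               # "should not last longer than 12 months"
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)  # fixed clock for reproducible output

def classify(set_cookie_header: str, now: datetime = NOW) -> dict:
    """Describe one Set-Cookie header: name, party, lifetime and audit findings."""
    cookie = SimpleCookie()
    cookie.load(set_cookie_header)
    name, morsel = next(iter(cookie.items()))
    domain = morsel["domain"].lstrip(".") or SITE_DOMAIN
    third_party = not (domain == SITE_DOMAIN or domain.endswith("." + SITE_DOMAIN))
    lifetime = None                               # None means a session cookie
    if morsel["max-age"]:
        lifetime = timedelta(seconds=int(morsel["max-age"]))
    elif morsel["expires"]:
        lifetime = parsedate_to_datetime(morsel["expires"]) - now
    findings = []
    if name not in STRICTLY_NECESSARY:
        findings.append("non-essential cookie set before consent")
    if lifetime is not None and lifetime > MAX_DURATION:
        findings.append("persistent cookie exceeds 12 months")
    return {"name": name, "party": "third" if third_party else "first",
            "kind": "session" if lifetime is None else "persistent",
            "days": None if lifetime is None else lifetime.days,
            "findings": findings}

def audit(headers):
    """Classify every captured header; anything with findings needs attention."""
    return [classify(h) for h in headers]

# Constructed sample: headers captured from a pre-consent page load.
PRE_CONSENT_HEADERS = [
    "sessionid=abc123; Path=/; HttpOnly; Secure",
    "prefs=dark; Max-Age=2592000; Path=/",
    "ad_id=xyz; Domain=.tracker.example.net; Expires=Wed, 01 Jan 2026 00:00:00 GMT",
]

if __name__ == "__main__":
    for result in audit(PRE_CONSENT_HEADERS):
        print(result)
```

In a real audit the headers would come from a browser's network log or a scripted fetch of each page, and the allowlist from the cookie policy, so that the script's findings can be compared against what the policy claims.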
This advisory, which is based on various sources including the ICO, is for information purposes only. It is not intended to be a source of legal advice and must not be relied upon as such.
Written by Robert Wassall
Robert Wassall is a solicitor, expert in data protection law and practice and a Data Protection Officer. As Head of Legal Services at NormCyber Robert heads up its Data Protection as a Service (DPaaS) solution and advises organisations across a variety of industries. Robert and his team support them in all matters relating to data protection and its role in fostering trusted, sustainable relationships with their clients, partners and stakeholders.