A couple of the more significant publications have been the update report on Adtech and the updated guidance on cookies. Any organisation that operates a website (so most of us!) or uses some form of online advertising (including for fundraising) should take note of these two publications because of their impact on how the ICO will expect compliance with data protection obligations online. Along with the Age Appropriate Design Code (due to be finalised later this year), these signals from the data protection regulator on how privacy issues will be regulated are absolutely critical to the future of online engagement.
Historically, what position has the ICO taken on cookies?
In the new guidance from the ICO, their key messages are:
- You need to provide information to users about the cookies you intend to use and the purposes for which you intend to use them
- If you use third party cookies (so cookies the website operator does not itself set) you must specifically name the third party and explain what they do with the information collected
- You must allow users access to your website if they choose not to accept non-essential cookies i.e. you can’t put up a cookie wall demanding that a user accepts your cookies to access your website
- You must ensure that any non-essential cookies are not placed on a user’s device when they visit your landing page
- Essential cookies (those that are strictly necessary) mean those cookies that are essential to provide the service requested by the user; not what is essential to you as the website operator or a third party
- Cookies used for analytics, advertising or tracking purposes, are not considered to be essential
How do we obtain valid consent for cookies?
If you’re using non-essential cookies, you must obtain consent (the GDPR standard of consent) before dropping a cookie on the user’s device. Consent must be freely given, specific and unambiguous and must be demonstrated by a clear affirmative action.
It is worth looking at how the ICO’s own practice for cookie compliance has now changed. Until recently, the ICO used a cookie banner which you could ignore in order to access the rest of the content on the ICO’s website. Now, when landing on the ICO’s website, users are presented with a banner covering half of the webpage explaining the types of cookies the ICO’s website uses. The banner includes an on/ off toggle button for analytics cookies (defaulted to off) and requires the user to click Save and Close in order to access the rest of the ICO’s website. So, it is not possible to access the ICO’s website unless and until the user clicks Save and Close.
Furthermore, reliance on browser settings to prove consent has become more complex. Previously a website could inform the user that he could control the way cookies were set on his device through browser settings and website operators could then rely on these pre-selected settings to argue that consent had been obtained. The ICO cautions that relying solely on browser settings will not now be sufficient. For consent to be clearly indicated, the ICO states that it would need to be clear that users had been prompted to consider their current browser settings and provided a positive action to confirm they accept the settings.
What if your website uses multiple cookies with various third parties? How are you going to obtain valid consent for them all? The ICO’s guidance indicates that both website operators and third parties have a responsibility to ensure users are clearly informed and to obtain their valid consent. Practically speaking, of course, the website operator will find it easier to obtain consent from users than third parties. The ICO discourages the use of long lists of cookies which a user would have to click through in order to accept/ reject cookies if this means a user will not interact with the mechanism or may not understand the information provided.
How often do we need to get new consents?
Additionally, the guidance indicates that organisations will need to consider when they need to obtain fresh consents. While this won’t necessarily be every time a user visits the website, you would need to obtain a fresh consent when you set a non-essential cookie from a new third party. This is because the requirement for consent to be specific and informed means that any previous consent obtained would not have included the details of this new third party.
Organisations should carry out a cookie audit to know what types of cookies/ trackers are used on their website(s) – and the ICO’s guidance has pointers on how to go about the audit. But this shouldn’t be a one-off check. You should be prepared to carry out an audit at regular intervals to ensure that the information you provide about cookies on your website is still accurate and to obtain any new consents that may be required.
If your website uses various non-essential cookies (especially third party cookies), you need to configure your consent mechanism so that you collect active consent. Implied consent is no longer acceptable.
You should also review the information you provide to users about cookies (whether in your privacy notice or in a separate cookie notice) to ensure that it accurately reflects the cookies you use and provides sufficient information to users. You need to consider how you are going to provide the information to users potentially using banners, pop-ups, message bars etc.
You should also check your presence on social media platforms. The guidance specifically indicates that if you have a presence on social media platforms, those platforms are likely to set cookies on users’ devices once they visit your pages there. Even though you don’t control the cookies that a social media platform sets, you do control the fact that you have a presence on that platform and this will usually enable you to determine what type of statistics you want to receive from the platform. In view of a recent decision from the Court of Justice of the EU, you will be a joint controller with that social media platform of any processing activity relating to personal data of users that visit your presence on that platform. The ICO is clear that this is the case even if you only receive anonymised statistical information from the platform since, in order to generate the statistics, the platform will process personal data. The ICO expects you to cover this activity in your privacy notice in order to inform individuals how they can control the setting of non-essential cookies once they visit these platforms, even if these consents cannot be covered by your consent mechanism.
What are the signs that the ICO is going to enforce the rules on cookies?
In its comments about compliance, the ICO indicates that the enforcement regime under PECR remains, for the time being, the regime that was in place under the Data Protection Act 1998 i.e. fines of up to £500,000. However, where personal data is involved, of course, the ICO now has the powers under the GDPR to fine.
Significantly, the ICO indicates that it is ‘unlikely that priority for any formal action would be given to uses of cookies where there is a low level of intrusiveness and low risk of harm to individuals… the ICO is unlikely to prioritise first party cookies used for analytics purposes where these have a low privacy risk, or those that merely support the accessibility of sites and services, for regulatory action’.
This statement suggests that the use of analytics cookies could operate on UK websites without consent with very little risk of enforcement action from the ICO. This may be because under recent drafts of the forthcoming E-Privacy Regulation (due to replace the E-Privacy Directive 2002/58 – the EU law that PECR implements) audience measurement cookies are not subject to the requirement for consent.
So everything on cookies is clear now, right?
Well, not entirely. There remains a degree of confusion concerning the ability for organisations to rely on another lawful basis (say, legitimate interest) for using personal data collected through cookies or other tracking technologies. On the one hand, the ICO’s guidance indicates that European data protection authorities have previously stated that, for any processing of personal data that follows (or depends on) the setting of cookies, it is highly likely that such processing requires consent as its lawful basis (under the GDPR). Yet, on the other hand, the ICO’s guidance does not completely rule out relying on an alternative legal basis that is not consent for subsequent processing beyond the setting of any cookies.
What about the future of Adtech?
And if the discussions about cookie consent aren’t complex enough, the ICO’s update report on Adtech also indicates that the regulator is increasingly concerned about the lawfulness of data processing by the Adtech industry. The report is primarily focused on the practice of real time bidding (RTB) in the Adtech industry – a process that many of us won’t know is happening when we are online and which involves a complicated ecosystem of different players. If you allow advertising on your website or place your adverts online, you may well be affected by RTB practices.
The ICO’s report lists a number of concerns. The sheer amount of data sharing involved in RTB feels, in the ICO’s opinion, disproportionate, intrusive and unfair. There is also a significant concern about the lack of transparency. Additionally, in terms of a lawful basis for processing personal data for RTB, the ICO considers the ability to rely on the legitimate interest ground is limited and the methods through which consent are obtained are insufficient. Where cookies/ trackers are used, the report indicates that consent will be required (overlapping with the ICO’s updated guidance on cookies). Where RTB involves special category data, the ICO considers the only applicable condition for lawful use is explicit consent.
But the ICO stops short of declaring the entire practice of RTB unlawful and indicates that it will take a measured and iterative approach, before undertaking a further industry review in six months’ time. This provides the Adtech industry with breathing space to consider whether further arguments can be advanced to deal with the ICO’s concerns as well as whether technical practical steps can be taken through frameworks such as the IAB’s Transparency and Consent Framework to meet the requirements set out by the ICO’s report.
All content on this page is correct as of July 9, 2019.