What are the implications of the ICO’s latest publications on cookies and Adtech?

The ICO has been busy recently publishing guidance and a number of reports to help organisations understand their responsibilities under the new data privacy regime.

A couple of the more significant publications have been the update report on Adtech and the updated guidance on cookies. Any organisation that operates a website (so most of us!) or uses some form of online advertising (including for fundraising) should take note of these two publications because of their impact on how the ICO will expect compliance with data protection obligations online. Along with the Age Appropriate Design Code (due to be finalised later this year), these signals from the data protection regulator on how privacy issues will be regulated are absolutely critical to the future of online engagement.

Historically, what position has the ICO taken on cookies?

The ICO has never actually fined a UK organisation for failure to comply with the rules around use of cookies (or other tracking technologies). While other EU data protection authorities have enforced the cookie consent rule (for instance, in Spain) the ICO has trodden a more pragmatic path.

The rules themselves are found primarily in the Privacy and Electronic Communications (EC Directive) Regulations 2003 (as amended) (PECR), though of course consent under PECR must, since May 25th 2018, meet the standard of consent under the GDPR. The stricter requirement for consent under the GDPR is doubtless one of the reasons why the ICO has toughened up its position on cookie consent in these new guidelines. In its previous guidance on cookies, the ICO effectively permitted a form of implied consent to the use of cookies.

So what are the ICO’s new key messages on the use of cookies?

In the new guidance from the ICO, their key messages are:

  • Implied consent to the use of cookies is not acceptable – a clear and positive action is required from the user
  • You need to provide information to users about the cookies you intend to use and the purposes for which you intend to use them
  • If you use third party cookies (so cookies the website operator does not itself set) you must specifically name the third party and explain what they do with the information collected
  • You must allow users access to your website if they choose not to accept non-essential cookies i.e. you can’t put up a cookie wall demanding that a user accepts your cookies to access your website
  • You must ensure that any non-essential cookies are not placed on a user’s device when they visit your landing page
  • Essential cookies (those that are strictly necessary) mean those cookies that are essential to provide the service requested by the user; not what is essential to you as the website operator or a third party
  • Cookies used for analytics, advertising or tracking purposes, are not considered to be essential

How do we obtain valid consent for cookies?

If you’re using non-essential cookies, you must obtain consent (the GDPR standard of consent) before dropping a cookie on the user’s device. Consent must be freely given, specific and unambiguous and must be demonstrated by a clear affirmative action.

Providing a cookie banner which pops up on your landing page and which indicates to users that ‘by continuing to browse this website, you consent to our use of cookies’, is not going to cut it as valid consent under the GDPR. Additionally, a mechanism that offers users the ability to click ‘I Accept’ but, if they ignore, you still drop cookies on their device anyway, won’t be acceptable.

It is worth looking at how the ICO’s own practice for cookie compliance has now changed. Until recently, the ICO used a cookie banner which you could ignore in order to access the rest of the content on the ICO’s website. Now, when landing on the ICO’s website, users are presented with a banner covering half of the webpage explaining the types of cookies the ICO’s website uses. The banner includes an on/ off toggle button for analytics cookies (defaulted to off) and requires the user to click Save and Close in order to access the rest of the ICO’s website. So, it is not possible to access the ICO’s website unless and until the user clicks Save and Close.

Furthermore, reliance on browser settings to prove consent has become more complex. Previously a website could inform the user that he could control the way cookies were set on his device through browser settings and website operators could then rely on these pre-selected settings to argue that consent had been obtained. The ICO cautions that relying solely on browser settings will not now be sufficient. For consent to be clearly indicated, the ICO states that it would need to be clear that users had been prompted to consider their current browser settings and provided a positive action to confirm they accept the settings.

What if your website uses multiple cookies with various third parties? How are you going to obtain valid consent for them all? The ICO’s guidance indicates that both website operators and third parties have a responsibility to ensure users are clearly informed and to obtain their valid consent. Practically speaking, of course, the website operator will find it easier to obtain consent from users than third parties. The ICO discourages the use of long lists of cookies which a user would have to click through in order to accept/ reject cookies if this means a user will not interact with the mechanism or may not understand the information provided.

How often do we need to get new consents?

Additionally, the guidance indicates that organisations will need to consider when they need to obtain fresh consents. While this won’t necessarily be every time a user visits the website, you would need to obtain a fresh consent when you set a non-essential cookie from a new third party. This is because the requirement for consent to be specific and informed means that any previous consent obtained would not have included the details of this new third party.          

So what do we have to do now in order to use cookies?

Organisations should carry out a cookie audit to know what types of cookies/ trackers are used on their website(s) – and the ICO’s guidance has pointers on how to go about the audit. But this shouldn’t be a one-off check. You should be prepared to carry out an audit at regular intervals to ensure that the information you provide about cookies on your website is still accurate and to obtain any new consents that may be required.

If your website uses various non-essential cookies (especially third party cookies), you need to configure your consent mechanism so that you collect active consent. Implied consent is no longer acceptable.

You should also review the information you provide to users about cookies (whether in your privacy notice or in a separate cookie notice) to ensure that it accurately reflects the cookies you use and provides sufficient information to users. You need to consider how you are going to provide the information to users potentially using banners, pop-ups, message bars etc.

You should also check your presence on social media platforms. The guidance specifically indicates that if you have a presence on social media platforms, those platforms are likely to set cookies on users’ devices once they visit your pages there. Even though you don’t control the cookies that a social media platform sets, you do control the fact that you have a presence on that platform and this will usually enable you to determine what type of statistics you want to receive from the platform. In view of a recent decision from the Court of Justice of the EU, you will be a joint controller with that social media platform of any processing activity relating to personal data of users that visit your presence on that platform. The ICO is clear that this is the case even if you only receive anonymised statistical information from the platform since, in order to generate the statistics, the platform will process personal data. The ICO expects you to cover this activity in your privacy notice in order to inform individuals how they can control the setting of non-essential cookies once they visit these platforms, even if these consents cannot be covered by your consent mechanism.

What are the signs that the ICO is going to enforce the rules on cookies?

In its comments about compliance, the ICO indicates that the enforcement regime under PECR remains, for the time being, the regime that was in place under the Data Protection Act 1998 i.e. fines of up to £500,000. However, where personal data is involved, of course, the ICO now has the powers under the GDPR to fine.

Significantly, the ICO indicates that it is ‘unlikely that priority for any formal action would be given to uses of cookies where there is a low level of intrusiveness and low risk of harm to individuals… the ICO is unlikely to prioritise first party cookies used for analytics purposes where these have a low privacy risk, or those that merely support the accessibility of sites and services, for regulatory action’.

This statement suggests that the use of analytics cookies could operate on UK websites without consent with very little risk of enforcement action from the ICO. This may be because under recent drafts of the forthcoming E-Privacy Regulation (due to replace the E-Privacy Directive 2002/58 – the  EU law that PECR implements) audience measurement cookies are not subject to the requirement for consent.

So everything on cookies is clear now, right?

Well, not entirely. There remains a degree of confusion concerning the ability for organisations to rely on another lawful basis (say, legitimate interest) for using personal data collected through cookies or other tracking technologies. On the one hand, the ICO’s guidance indicates that European data protection authorities have previously stated that, for any processing of personal data that follows (or depends on) the setting of cookies, it is highly likely that such processing requires consent as its lawful basis (under the GDPR). Yet, on the other hand, the ICO’s guidance does not completely rule out relying on an alternative legal basis that is not consent for subsequent processing beyond the setting of any cookies.

What about the future of Adtech?

And if the discussions about cookie consent aren’t complex enough, the ICO’s update report on Adtech also indicates that the regulator is increasingly concerned about the lawfulness of data processing by the Adtech industry. The report is primarily focused on the practice of real time bidding (RTB) in the Adtech industry – a process that many of us won’t know is happening when we are online and which involves a complicated ecosystem of different players. If you allow advertising on your website or place your adverts online, you may well be affected by RTB practices.

The ICO’s report lists a number of concerns. The sheer amount of data sharing involved in RTB feels, in the ICO’s opinion, disproportionate, intrusive and unfair. There is also a significant concern about the lack of transparency.  Additionally, in terms of a lawful basis for processing personal data for RTB, the ICO considers the ability to rely on the legitimate interest ground is limited and the methods through which consent are obtained are insufficient.  Where cookies/ trackers are used, the report indicates that consent will be required (overlapping with the ICO’s updated guidance on cookies). Where RTB involves special category data, the ICO considers the only applicable condition for lawful use is explicit consent.  

But the ICO stops short of declaring the entire practice of RTB unlawful and indicates that it will take a measured and iterative approach, before undertaking a further industry review in six months’ time.  This provides the Adtech industry with breathing space to consider whether further arguments can be advanced to deal with the ICO’s concerns as well as whether technical practical steps can be taken through frameworks such as the IAB’s Transparency and Consent Framework to meet the requirements set out by the ICO’s report.

This information is necessarily of a general nature and doesn’t constitute legal advice. This is not a substitute for formal legal advice, given in the context of full information under an engagement with Bates Wells.

All content on this page is correct as of July 9, 2019.