Menu

GDPR, ePrivacy and cookies: an update

Laptop Print publication

07/05/2019

Walker Morris risk series stampOne of the key changes introduced by the EU General Data Protection Regulation (GDPR) on 25 May 2018 was a higher, more stringent, standard of consent, requiring a statement or clear affirmative action by the data subject. As the Information Commissioner’s Office (ICO) explains in its Guide to the GDPR, the change in definition is only the starting point for the GDPR standard of consent. For example, there are specific provisions on keeping records of consent, clarity and prominence of consent requests, the right to withdraw consent, and avoiding making consent a condition of a contract.

For many organisations, this has meant reviewing the lawful basis or bases likely to be most appropriate for their processing of personal data and looking to identify alternatives where consent is difficult to obtain. In this briefing, Walker Morris data protection and privacy experts Jeanette Burgess and Andrew Northage consider the changing landscape and practical implications in an area which continues to be dependent on consent: the use of cookies.

Cookies – which laws apply and what has changed?

Prior to the GDPR and the new UK Data Protection Act 2018, which sit alongside each other, the relevant UK legislation applicable to the use of cookies comprised the Data Protection Act 1998 (which implemented the EU Data Protection Directive [1], the predecessor to GDPR) and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR), which implement the EU ePrivacy Directive [2].

The PECR complement the data protection regime and contain, among other things, specific rules on cookies and similar technologies. As the ICO explains in its Guide to PECR, the basic rule is that organisations wishing to use cookies must: tell people the cookies are there; explain what the cookies are doing and why; and get the person’s consent to store a cookie on their device. The following definition of consent in the Data Protection Directive used to apply: “… any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed”. The consent also had to be “unambiguously given”.

A new EU ePrivacy Regulation (replacing the ePrivacy Directive and therefore the PECR) was originally intended to apply at the same time as GDPR, to form a comprehensive package, but progress has stalled in Europe. Among other things, including bringing fines in line with those under GDPR, the draft ePrivacy Regulation proposed substantial changes to how consent for cookies is obtained, which could spell the end of the traditional cookie banner. The ICO has said that the PECR will continue to apply until the ePrivacy Regulation is finalised, but with the following GDPR definition of consent: “… any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”.

As part of an apparent tidying-up exercise designed to ensure that the data protection legal framework functions properly after Brexit, the PECR were recently formally amended to refer to the GDPR definition of consent [3].

What does this mean in practice?

Until the ePrivacy Regulation is finalised, regrettably the ICO is unlikely to update its stand alone May 2012 cookies guidance, which would have helped provide some welcome and much needed clarity on applying the new standard in this area. That guidance is, however, still directly referred to in the ICO’s recently updated Guide to PECR mentioned above, which does cover changes made by GDPR. We understand that the cookies guidance is still being referred to because the ICO considers that it is still instructive overall. However, in relation to the issue of consent, it is clear that things have now moved on. In particular, simply continuing to use a website is not enough to signal user consent. In reality, many organisations are still playing catch-up when it comes to cookie compliance.

Key points to take away from the ICO’s Guide to PECR are:

  • To be valid, consent must be freely given, specific and informed. It must involve some form of unambiguous positive action – for example, ticking a box or clicking a link – and the person must fully understand that they are giving you consent.
  • You cannot show consent if you only provide information about cookies as part of a privacy policy that is hard to find, difficult to understand, or rarely read.
  • Consent does not necessarily have to be explicit consent. However, consent must be given by a clear positive action. You need to be confident that your users fully understand that their actions will result in specific cookies being set, and have taken a clear and deliberate action to give consent. This must be more than simply continuing to use the website.
  • To ensure that consent is freely given, users should be able to disable cookies, and you should make this easy to do.
  • You should take particular care to ensure clear and specific consent for more privacy-intrusive cookies, such as those collecting sensitive personal data such as health details, or those used for behavioural tracking.
  • There are exemptions for certain types of cookies, but it is still good practice to provide users with information about these cookies, even if you do not need consent.
  • The PECR apply to all cookies, even if the data is anonymous.
  • If your cookie data is not anonymous, you will also need to comply with the Data Protection Act 2018 and the GDPR (it is assumed that this is a reference to compliance with the wider provisions of those pieces of legislation, i.e. not just in relation to consent).

The Guide to PECR contains a link through to the ICO’s consent guidance, which is contained in its Guide to the GDPR. Its detailed guidance on consent goes on to explain in more detail what is meant by the different elements of the GDPR definition of consent. Regarding what is meant by ‘unambiguous indication (by statement or clear affirmative action)’, note in particular the following:

The key point is that all consent must be opt-in consent, i.e. a positive action or indication – there is no such thing as ‘opt-out consent’. Failure to opt out is not consent as it does not involve a clear affirmative act. You may not rely on silence, inactivity, default settings, pre-ticked boxes or your general terms and conditions, or seek to take advantage of inertia, inattention or default bias in any other way. All of these methods also involve ambiguity – and for consent to be valid it must be both unambiguous and affirmative. It must be clear that the individual deliberately and actively chose to consent.”

In explaining what is meant by ‘explicit consent’ (which can legitimise automated decision-making, including profiling), the detailed consent guidance makes a distinction between the data subject signifying agreement by a statement (which would count as explicit consent), or by a clear affirmative action (which would not).

Importantly, the detailed consent guidance also states that, if you need consent to place cookies, this needs to meet the GDPR standard. However, you may still be able to consider an alternative lawful basis such as legitimate interests for any associated processing of personal data.

One further issue that can cause compliance headaches in relation to cookies is that the limits of currently available technology mean that, for many organisations, cookies are often placed without the user’s consent. This includes, for example, when they are placed immediately, i.e. before the user has had a chance to consider and select their consent options, or where the technology is unable to differentiate or disapply cookies to match user selection.

Given that the ICO recognises the various issues surrounding cookie consent, it is more likely to use its remit to educate non-compliant organisations, than impose financial penalties.

WM comment and practical advice

GDPR has not altered the fact that you still need consent to place cookies on a user’s device. The GDPR sets a high standard for consent but, as the ICO explains, the biggest change is what this means in practice for consent mechanisms.

The higher GDPR standard means that you need clear and more granular opt-in methods, good records of consent, and simple easy-to-access ways for people to withdraw consent. Organisations should ensure that their consent mechanisms meet the GDPR requirements on being specific, granular, clear, prominent, opt-in, documented and easily withdrawn, and that they follow the key points set out in the ICO’s Guide to PECR in relation to cookies specifically. Remember that you need to name any third party controllers, such as advertising partners, who will rely on the consent. Cookie consent management tools and other IT solutions may assist. Contracts should be reviewed to ensure that any obligations and other provisions in relation to consent are clear and are being met by the relevant party in line with GDPR requirements.

Should you have any queries or require any assistance in relation to any of the points raised in this briefing, please do not hesitate to contact Jeanette or Andrew, who will be very happy to help.

_______________

[1] Directive 95/46/EC
[2] Directive 2002/58/EC
[3] The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (SI 2019/419)

Contacts