• Edinburgh: 0131 625 9191
  • Glasgow: 0141 428 3258
  • Galashiels: 01896 550991
Chocolate chip cookies

Are Cookies Crumbling?

Date: 03/07/2019 | Business & Professional Services, Data Protection & Information Law

Yesterday the ICO published new Guidance in relation to Cookies and similar technology which means that the Cookie banners that many websites currently use are no longer adequate and no longer provide a legal basis for placing Cookies and other similar technologies on devices.  It also applies to mobile apps which set Cookies.  This is a significant change in approach for the ICO who have interpreted the law in this area in a relaxed manner, until now.

The advice is for organisations, including web developers, to start working towards compliance by carrying out a Cookie audit and documenting decisions and steps taken to comply with the new Guidance. Technology will have a part to play and the ICO recognises the challenges that this will present. In its blog of 3 July 2019 it states:

Cookie compliance will be an increasing regulatory priority for the ICO in the future. However, as is the case with all our powers, any future action would be proportionate and risk-based.  Start working towards compliance now – undertake a cookie audit, document your decisions, and you will have nothing to fear.

So do not panic, but do start to address compliance issues now.

PECRs

The law in relation to placing Cookies and other similar tracking technologies (pixels, fingerprinting etc which I will refer to collectively as Cookies) is set out in regulation 6 of the Privacy and Electronic Communications (EC Directive) Regulations 2003 known as PECRs.

These technologies have developed over recent years and can be placed by those operating the website to provide information about how effective their website is, or can be placed by third parties who can then track an individual’s use of that website and other websites.  Some technologies can track an individual even if they are using a different device to access the website.  Some also track the location of mobile devices.  The invasive nature of cookies varies and can be difficult to understand.  Sometimes they gather personal data and sometimes they do not, but any technology which can access information on a device must only be used in compliance with regulation 6 of PECRs.

Consent

If Cookies are placed on an end user’s device allowing someone to gain access to information stored in the device, then consent is required under regulation 6 of PECRs, unless the Cookies are essential for the provision of the service.  Regulation 6 also requires clear and comprehensive information to be provided about the purpose and storage of the information accessed from the end user’s device.

This law was introduced in May 2011 and following its introduction most EU Regulators, including the ICO, accepted that consent could be obtained through Cookie banners and Cookie notices providing basic information, and that continued browsing then represented implied consent. This is no longer the case.

The GDPR introduced an enhanced standard of consent which requires consent to be obtained through an affirmative action.  Therefore implied consent is no longer valid consent and all consent must be opt-in.

Guidance

The ICOs’ Guidance tells us that we must obtain GDPR compliant consent prior to any non-essential Cookies being placed on a device.  This can be consent from the subscriber (an employer or the person who pays for internet access) or the user.  As stated this must be active, opt in consent.

Currently most Cookie banners do not seek opt in consent and so any Cookies placed on websites using these banners are unlawful.

Some websites have introduced compliant banners and you can see a relatively simple one the first time you visit the ICO website which provides information about the essential cookies that it sets, but asks for consent to set analytics cookies.  This will be a great deal more complex where websites use several types of cookies, including performance, functionality and advertising; and where third party cookies from social media plug ins are part of the website.

Headlines

  • Non-essential Cookies should not be set before consent is provided.  The default must be to switch Cookies off.
  • Consent should not be opt-out, but must be obtained by an affirmative action as per the GDPR requirements.
  • You may also need consent to use the information gathered by Cookies, if it is personal data or can be combined with other information you hold to identify an individual and the processing in invasive.  Targeted advertising is likely to fall into this category.
  • You will also need consent to use pixel technology that tracks interactions with emails that you send.
  • Information must be provided about why Cookies are being used
  • If you are using technology that allows third parties to place Cookies, you must obtain separate consent and provide information about what use is made of the information by the third parties. This includes social media plug ins. 
  • Consent should be as easy to withdraw as it is to provide
  • Consent may require to be refreshed each time someone visits, but this depends on whether you have updated your website and how frequently they visit your website.  Consent to Cookies will not last forever.

Advice

There is a new law coming in relation to Cookies called the ePrivacy Regulation which will contain updated rules about setting Cookies and tracking technology on devices.  There is no final view on what the Regulation will say and the content has changed over the last two years as the marketing industry and the privacy lobby battle this out.

However for now, Cookies have become an issue that the ICO has decided to address and therefore organisations running websites using Cookies will need to start addressing the compliance issues now.

Disclaimer 
The matter in this publication is based on our current understanding of the law.  The information provides only an overview of the law in force at the date hereof and has been produced for general information purposes only. Professional advice should always be sought before taking any action in reliance of the information. Accordingly, Davidson Chalmers Stewart LLP does not take any responsibility for losses incurred by any person through acting or failing to act on the basis of anything contained in this publication.

Written by

Laura Irvine | Davidson Chalmers Stewart
Laura Irvine

Latest Updates

Want to get even more insight from Davidson Chalmers Stewart?

Keep your organisation up to date with the latest opportunities and changes in commercial law with regular insight and updates from the experts at Davidson Chalmers Stewart.

Let's Talk

A typical law firm? Not really. But a partner for the people and businesses we work with? Absolutely.

Our determination to do things a better way is nothing without our clients. So if you like what you see and think we’d make a good team, let’s talk. Pick up the phone and call us direct or make specific enquiries to our individual email addresses across the website. Alternatively use the form to submit general questions and comments.

Either way, we’ll get the message.

Edinburgh

t0131 625 9191

Glasgow

t0141 428 3258

Galashiels

t01896 550991

Let's Talk form