Published on Monday, March 9, 2020 - 16:01 by Cameron Troake
Cookies are a valuable tool that can give your organisation a great deal of insight into your users’ online activities. The regulations governing cookies are currently split between the General Data Protection Regulation (GDPR), the Privacy and Electronic Communications Regulation (PECR), and the ePrivacy Directive, with the incoming ePrivacy Regulation set to be finalised later this year.
Cookies can trigger the collection of large amounts of data, sometimes enough to identify an individual, which means personal data is being captured, potentially without that person's consent. Because of this, cookies are an increasing regulatory priority for the ICO.
In this article, we will help you understand what the GDPR, PECR and the ePrivacy Directive currently mandate about cookies, how to achieve cookie compliance, and what to expect from the ICO and the ePrivacy Regulation in future.
Before we dive into that, it is important to first establish a basic understanding of the different cookie categories your website can use and how they work.
The three common ways of classifying cookies are by how long they last (session cookies expire when the browser closes; persistent cookies carry an expiry), by their origin (first-party cookies are set for the site the user is visiting; third-party cookies are set for another domain, typically by an embedded script or pixel), and by the purpose they serve on your website (for example strictly necessary, functional, analytics or marketing).
The growing concern over the privacy risks presented by cookies typically references third-party, persistent, marketing cookies. This is because these cookies can trigger the collection of significant amounts of personal information that could be used to identify an individual, and the chain of responsibility for who can access the data from a third-party cookie can get very convoluted – increasing the risk of abuse.
This will help the ICO to monitor organisations' adherence to the new rules around cookies, find the sectors where contact or enforcement action may be required, and identify areas where further guidance on cookie usage may be necessary.
The EU General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018 together form the most comprehensive data protection legislation to date. However, the GDPR mentions cookies directly only once, in Recital 30:
“Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.”
What this recital establishes is that cookies, where they are used to identify users, qualify as personal data and are therefore subject to the GDPR. Organisations may process their users' personal data obtained from cookies only where they have a lawful basis for doing so, such as the user's consent or a legitimate interest.
Regulation 6 of PECR states:
(1) … a person shall not store or gain access to information stored, in the terminal equipment (a device such as a phone or computer) of a subscriber or user unless the requirements of paragraph (2) are met.
(2) The requirements are that the subscriber or user of that terminal equipment —
(a) is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and
(b) has given his or her consent.
It is important to note that PECR also applies to 'similar technologies' such as browser fingerprinting. So, unless an exemption applies, you cannot use any form of device fingerprinting without first providing clear and comprehensive information and obtaining the user's consent.
PECR is based on the ePrivacy Directive and it sits beside the DPA 2018 and the GDPR. PECR provides specific regulations in relation to privacy and electronic communications, and when these rules apply they take priority over the DPA and the GDPR.
This is important to note, because if you are setting cookies you need to consider PECR compliance before you look at the GDPR. As a generalisation, PECR controls when you can drop cookies or executable code, whilst the GDPR (or the DPA 2018) controls how you can use the data that is processed as a result.
PECR also depends on data protection law for some of its definitions. For example, PECR takes the GDPR’s standard of consent:
“‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”
This means you cannot use pre-ticked boxes, or treat "continuing to use this website" as consent, when obtaining a user's consent for setting cookies. The user must agree through a clear affirmative action before each non-essential cookie (or the script that drops it) is set; only strictly necessary cookies are exempt. Consent must also be as easy to withdraw as it was to give, so the user needs a way to change their choice later.
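The following is an added example, not code from the original article or from DQM GRC. It shows the two practical points above as working logic: classifying an inventory of cookies along the three axes described earlier (lifetime, origin, purpose), and gating every cookie write and third-party tag load on the user's recorded consent, so that nothing beyond the strictly necessary category is set before an affirmative choice, and page load or scrolling never counts as consent. The page host, cookie names, domains and tag URLs are constructed sample data, not real sites, and the functions are plain Node-runnable code with no browser dependency.

```javascript
// Added example, not code from the original article or from DQM GRC.
// Consent-gated cookie and tag policy as pure functions so it runs under Node
// without a browser. The page host, inventory and tag URLs are constructed data.

const PAGE_HOST = "www.example.org"; // assumed first-party host (constructed)

// Purpose categories. Only "necessary" is exempt from the PECR consent requirement.
const PURPOSES = new Set(["necessary", "functional", "analytics", "marketing"]);

// Constructed inventory. maxAge is in seconds, or null for a session cookie.
// `src` marks a third-party tag whose loading is what actually drops the cookie.
const COOKIE_INVENTORY = [
  { name: "session_id", domain: "www.example.org", maxAge: null, purpose: "necessary" },
  { name: "csrf_token", domain: "www.example.org", maxAge: null, purpose: "necessary" },
  { name: "_ga", domain: ".example.org", maxAge: 63072000, purpose: "analytics",
    src: "https://analytics.example/tag.js" },
  { name: "ads_uid", domain: "ads.tracker.example", maxAge: 31536000, purpose: "marketing",
    src: "https://ads.tracker.example/pixel.js" },
];

// Classify one cookie along the three axes in the article: lifetime, origin, purpose.
// Note that a first-party cookie (such as _ga) can still be dropped by a third-party
// script, so origin alone does not decide whether consent is needed; purpose does.
function classify(cookie, pageHost = PAGE_HOST) {
  const lifetime = cookie.maxAge === null ? "session" : "persistent";
  const d = cookie.domain.replace(/^\./, "");
  const firstParty = d === pageHost || pageHost.endsWith("." + d);
  return { lifetime, origin: firstParty ? "first-party" : "third-party", purpose: cookie.purpose };
}

// Initial state: the user has not interacted. Nothing beyond "necessary" is granted.
// Loading, scrolling or "continuing to use this website" never changes this.
function initialConsent() {
  return { interacted: false, granted: new Set(["necessary"]) };
}

// Record an explicit choice: only the categories the user actively ticked are granted.
function recordChoice(state, chosen) {
  for (const p of chosen) {
    if (!PURPOSES.has(p)) throw new Error("unknown purpose: " + p);
  }
  return { interacted: true, granted: new Set(["necessary", ...chosen]) };
}

// Withdrawal resets to necessary only (GDPR Art. 7(3): as easy to withdraw as to give).
function withdrawConsent(state) {
  return { interacted: true, granted: new Set(["necessary"]) };
}

// The gate applied to every cookie write and every third-party tag load.
function maySet(item, state) {
  return state.granted.has(item.purpose);
}

// Set-Cookie header value for a first-party cookie, or null when consent is missing.
function setCookieHeader(cookie, value, state) {
  if (!maySet(cookie, state)) return null;
  const attrs = [
    `${cookie.name}=${encodeURIComponent(value)}`,
    `Domain=${cookie.domain}`, "Path=/", "Secure", "SameSite=Lax",
  ];
  if (cookie.maxAge !== null) attrs.push(`Max-Age=${cookie.maxAge}`);
  return attrs.join("; ");
}

// Which third-party tags may be injected into the page under the current state.
function tagsToLoad(inventory, state) {
  return inventory.filter((c) => c.src && maySet(c, state)).map((c) => c.src);
}

// Split the inventory into what may be set now and what must wait for consent.
function partition(inventory, state) {
  const allowed = [], blocked = [];
  for (const c of inventory) (maySet(c, state) ? allowed : blocked).push(c.name);
  return { allowed, blocked };
}

// Walk-through: page load, explicit choice of analytics only, then withdrawal.
const fresh = initialConsent();
console.log(partition(COOKIE_INVENTORY, fresh));
const chosen = recordChoice(fresh, ["analytics"]);
console.log(partition(COOKIE_INVENTORY, chosen), tagsToLoad(COOKIE_INVENTORY, chosen));
console.log(partition(COOKIE_INVENTORY, withdrawConsent(chosen)));
```

The design point is that the gate sits on the write path (the Set-Cookie header and the tag injection), not on the banner. A banner that is shown while the analytics tag has already loaded fails the "before you set them" requirement regardless of how the banner is worded.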
The ePrivacy Directive (EPD), passed in 2002 and amended in 2009, is also known as the "cookie law" because its most visible effect was the rise of cookie consent banners, and it is implemented in the UK by PECR. It supplements, and occasionally overrides, the GDPR by focusing on the confidentiality of electronic communications and the tracking of online users more broadly. In time it will be replaced by the ePrivacy Regulation, which is outlined below.
To comply with the rules for cookies under the GDPR, PECR and the ePrivacy Directive you must:
The EPD’s upcoming replacement, the ePrivacy Regulation (EPR), will build on the EPD and expand its definitions.
The EPR was due to be passed in 2018 alongside the GDPR coming into force. Whilst the EU missed this goal because of the legislation’s depth and complexity, there are draft documents of the ePrivacy Regulation online, and it is now scheduled to be finalised in 2020.
In addition to replacing the ePrivacy Directive and local implementations (such as PECR), the EPR is set to address the laws for browser fingerprinting (in ways that are similar to cookies), create more robust safeguards for metadata, and examine new methods of communication (such as WhatsApp). We will have to wait and see how this applies in the UK now that Brexit has occurred.
As the regulators begin to focus more heavily on cookie compliance, and the ICO continues to draw attention to its reporting tools for non-compliance, organisations which don’t act quickly will have a lot more work to do – and in the worst instances, they will be singled out for non-compliance.
Do you need a hand ensuring your organisation's approach to cookie law and similar technologies is compliant with the GDPR and the ePrivacy Directive?
At DQM GRC, our expert cookie compliance consultants can help you find the balance between respecting your users’ privacy whilst still generating your online marketing revenue and tracking the statistics you need.
Our GDPR cookie compliance audits act as a starting point for cookie law, where our consultants can help you map how closely your website and cookie operations align to what the current and upcoming cookie regulations require.
Once we’ve completed our cookies assessment to map your current state of play, you will have a clear roadmap that will outline the areas which need to be addressed in order to achieve compliance. If required, our consultants can help you put these policies and processes in place.
If you are interested in any of our services then please either use the contact form or contact us via one of the methods below: