Tips on meeting your legal requirements from our head of consultancy
Louise Brooks is the head of consultancy at DQM GRC, advising organisations on data protection laws like the GDPR and PECR (General Data Protection Regulation and Privacy and Electronic Communications Regulations) to help them fulfil their privacy obligations while continuing to meet their business objectives.
In our previous interview, we got Louise’s insights into the ICO’s (Information Commissioner’s Office) ultimatum letters on cookies. The ICO has now published those letters.
We chatted to Louise again to find out what she thinks about those letters, and get her tips on how to meet your cookie requirements without compromising your business objectives.
So, the ICO has published the ultimatum letters. What do you make of them?
They are pretty much as I expected. The issues the ICO is raising are those that I most frequently come across when conducting cookie assessments for clients.
That said, it’s slightly surprising that all the websites lacked a cookie banner entirely. I expected most of them to have one, but for it to be non-compliant.
How can organisations improve their cookie banners without hampering their business objectives?
I don’t think many organisations have considered the cookie banner experience from a user perspective. For example, I might look at a web page, engage with the cookie banner, close the web page, then go back to it again later that day and get presented with the same cookie banner, even though I didn’t clear my cache or anything like that.
That’s annoying. And I think it shows that there’s a disconnect between the law, web developers and the organisation’s business objectives.
The primary focus for organisations is, understandably, to sell themselves, whether that’s a product, a service or a charitable idea. That’s what drives them, and compliance is often seen as just an add-on. But it doesn’t need to be that way.
As far as the PECR go, I would struggle to believe that the organisations the ICO has written to haven’t heard of the Regulations. They will know that there are cookie rules but are actively choosing not to engage with them. The Regulations aren’t new law!
So, organisations should be thinking about the user experience and asking questions like:
- What cookies are we using?
- Why are we using them?
- How long do they last?
- How often do the cookies we use change?
- What third parties put cookies on our website?
- How does all this impact our cookie banner and policy?
Organisations just don’t think about the user journey, and that’s why people get annoyed with cookie banners. Those banners seem to be everywhere, they’re often very disruptive, and it’s easy to get confused over what buttons to click if you’re in a rush, as there are so many different types of banners.
Are cookie banners the best way of achieving compliance? Or is there a better solution available?
That’s a really interesting question. I don’t think I’m technically minded enough to really understand what the alternatives are, but the PECR don’t specifically require cookie banners.
The Regulations only require that you inform people of what cookies you’re using, and that you must obtain consent where they’re not strictly necessary.* That’s all the law says – it’s not prescriptive about the practical implementation of compliance. Regardless, a ubiquitous solution that has come forward is the cookie banner, which may or may not include buttons to toggle things on and off, accept or reject things, set preferences, etc.
I don’t know if there’s an alternative out there that’s better, though I suppose you could argue for it to be device-led. So, it’d be the individual’s responsibility to set their device in such a way that they manage their cookies themselves.
However, the difficulty with putting the onus on the individual, rather than the organisation, is that most people either don’t understand cookies, don’t care about them, or both. And as such, it doesn’t solve the problem, which is, of course, what the PECR are trying to achieve: preserving the rights and freedoms of individuals by stopping them from being tracked across the Internet and/or marketed to without their knowledge or consent.
[*The table below – taken from page 8 of GDPR and PECR – A guide for marketers, available for free download – shows when cookies are and aren’t exempt from consent.]
The DQM white paper outlines the conditions for obtaining consent, so let’s take a different tack: what do organisations often get wrong when it comes to consent?
The first thing that springs to mind is all these nudge techniques, like colouring the ‘accept all’ button blue and leaving the ‘reject all’ button white. Or the ‘accept all’ button might be bigger than the ‘reject all’ button. Either way, they encourage users to accept all cookies, and make it harder to reject them – that’s not compliant.
The withdrawing of consent is another common issue. It’s got to be as easy to withdraw consent as it was to provide it. So, in my opinion [others may consider something else to be compliant], once you’ve engaged with the banner and accepted the cookies, a compliant website should have a little button in the corner, with a picture of a cookie or an equivalent. If you click that, it’ll take you to a preference management system, where you can withdraw your consent or otherwise change your initial cookie selection.
And of course, that’s assuming that the website allows you to change your preferences at all. Many organisations don’t have a preference management system, so you can only withdraw your consent by either resetting your browser or contacting the organisation. Those scenarios clearly don’t comply with the law.
With some of the changes on the horizon – like the DPDI Bill [Data Protection and Digital Information Bill] for the UK, and these ICO ultimatum letters – can you foresee any other challenges or issues around cookies?
In terms of the cookie letters, the obvious one is that the ICO fails to take meaningful follow-up action against those organisations that aren’t compliant by the deadline. But we already talked about that last time.
In terms of issues around cookie compliance in general, for UK organisations, the DPDI Bill will change the landscape if it’s passed in its current form. This Bill would move analytics cookies from non-essential to essential, which would change how cookie banners are presented.
The DPDI Bill would, in that case, make the UK take a laxer approach to cookies than the EU. Would that result in further compliance issues or challenges?
By the very nature of the Internet, with people being able to access anything from anywhere, UK organisations may well struggle with the practicalities of meeting two very different sets of requirements on the same subject matter.
Very likely, we’d see one of two things:
- Websites present different things depending on the user’s location.
- Websites continue to meet the stricter set of rules – in this case, the EU’s.
Either way, I doubt that the UK government will achieve what it set out to do – making the cookie laws more business-friendly – because any organisation operating in multiple territories will have an extra layer of complexity to contend with, due to the dual regulation with different rules. And while big organisations are well-versed in that type of thing, I think it’ll be the smaller organisations that may struggle.
To further complicate things, the EU wants to update the ePrivacy Directive with the ePrivacy Regulation. Admittedly, that’s been on a rolling boil for a very long time – it was meant to come into effect at the same time as the GDPR, back in May 2018, but they couldn’t agree on what the ePrivacy Regulation should look like.
Regardless, the EDPB [European Data Protection Board] did recently publish new guidelines on the ePrivacy Directive, suggesting that the topic isn’t completely off the agenda.
We hope you enjoyed this week’s edition of our ‘Expert Insight’ series. Please do leave a comment below to let us know what you think, and if you have any questions you’d like our experts to answer.
We’ll be back next week, chatting to another expert within the Group.
In the meantime, if you missed it, check out last week’s blog, where data privacy and cyber trainer Andrew Snow gave us his expert insights into the recent landmark ECJ (European Court of Justice) ruling.
Alternatively, download our free white paper GDPR and PECR – A guide for marketers.
Free PDF download: GDPR and PECR – A guide for marketers
This free white paper explains what you need to do to ensure your marketing activities are lawful, including how to meet the PECR’s cookie requirements.
Download it now to discover:
- The key requirements of privacy laws around marketing;
- How to determine whether you are permitted to rely on the soft opt-in or must obtain consent; and
- Best practice for using cookies and other tracking technologies.