Cookies and the ICO, GDPR, PECR and ePrivacy Regulation
09/03/2020
Cookies are a valuable tool that can give your organisation great insight into your users’ online activities. The rules governing cookies are currently split between the General Data Protection Regulation (GDPR), the Privacy and Electronic Communications Regulations (PECR), and the ePrivacy Directive, with the incoming ePrivacy Regulation expected to be finalised later this year.
Cookies can trigger the collection of large amounts of data, sometimes enough to single out an individual, at which point the data is personal data and collecting it without consent is a breach. Because of this, cookies are an increasing regulatory priority for the ICO.
This article will help you understand what the GDPR, PECR and the ePrivacy Directive currently mandate about cookies, how to achieve cookie compliance and future activities from the ICO and the ePrivacy Regulation.
Before we dive into that, it’s important to establish a basic understanding of the different cookie categories your website can use and how they work.
Cookie categories
The three common ways of classifying cookies are: how long they last, their origin, and what purpose they serve on your website.
Origin
- First-party cookies — cookies that are placed onto your device by the website you’re visiting.
- Third-party cookies — cookies that are put onto your device by a third-party, not the website owner – such as an advertiser or an analytics system, like Google Analytics.
Duration period
- Session cookies – These temporary cookies will expire once your session ends and you close the browser.
- Persistent cookies — These stay on your device until they expire or until you or your browser delete them. Every persistent cookie carries an expiry set by whoever drops it (an Expires date or a Max-Age in seconds), and lifetimes vary widely. The ePrivacy Directive itself sets no fixed maximum; the often-quoted 12-month limit comes from regulator guidance, which expects the lifetime to be proportionate to the cookie’s purpose. In practice a cookie can stay on your device for far longer than that unless you erase it yourself.
Purpose
- Strictly necessary cookies — These are needed for you to browse the website and use its features, such as keeping items in a shopping cart or staying logged in to secure areas of the site. They are typically first-party session cookies. Consent is not required to set them, but you must still explain what they do and why they are required in your cookie notice or policy.
- Functionality cookies (also called “preferences cookies”) - these enable a website to remember the choices you have made in the past, such as what language you prefer, which location you want the weather report for, or your username and password so you can automatically log in.
- Performance cookies (also known as “statistics cookies”) - these collect data on how you used a website, such as which links you clicked and which pages you visited. The reports are usually aggregated, but the identifiers the cookies carry can still be personal data, and under PECR analytics cookies are not “strictly necessary”, so they require consent. These can include third-party cookies from an analytics service provider, as long as the cookies are for the exclusive use of the website owner.
- Marketing cookies — These monitor your online activity and enable advertisers to deliver more relevant marketing or limit how many times an ad is shown. These cookies can share the information they gather with other companies. These are persistent and usually third-party cookies.
The growing concern over the privacy risks presented by cookies is mostly about third-party, persistent, marketing cookies. These can trigger the collection of significant amounts of personal information that could be used to identify an individual, and the chain of responsibility for who can access the data from a third-party cookie can get very convoluted, which increases the risk of abuse.
Cookies and the ICO
The ICO is now calling for anyone concerned about a website’s use of cookies to let them know using the ICO’s 'Report your cookie concerns' tool – making reporting a non-compliant website as easy as reporting a nuisance phone call.
This will help the ICO monitor organisations' adherence to the new rules around cookies, find the sectors where contact or enforcement action may be required, and identify areas where further guidance on cookie usage may be necessary.
Cookies and the GDPR
The EU General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018 are the most comprehensive data protection legislation to date. However, the GDPR mentions cookies directly only once, in Recital 30.
“Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.”
This recital makes clear that cookie identifiers, where they can be linked to an individual, are personal data and therefore subject to the GDPR. Organisations may process personal data collected through cookies provided they have a lawful basis under Article 6, such as consent or legitimate interests. Note, however, that a lawful basis for the processing does not replace the separate requirement under PECR to obtain consent before setting the cookie in the first place, which is covered next.
PECR and cookie consent
Regulation 6 of PECR states:
(1) … a person shall not store or gain access to information stored, in the terminal equipment [a device such as a phone or computer] of a subscriber or user unless the requirements of paragraph (2) are met.
(2) The requirements are that the subscriber or user of that terminal equipment —
(a) is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and
(b) has given his or her consent.
This means that to use cookies, you need to:
- Outline which cookies will be set.
- Explain what those cookies will do.
- Gain consent to store cookies on devices.
It’s important to note that PECR also applies to ‘similar technologies’ such as browser fingerprinting. So, unless an exemption applies, you cannot use any form of device fingerprinting without first providing clear and comprehensive information and obtaining the user’s consent.
What takes precedence, PECR or the GDPR?
PECR is based on the ePrivacy Directive, and it sits beside the DPA 2018 and the GDPR. PECR provides specific regulations in relation to privacy and electronic communications, and when these rules apply, they take priority over the DPA and the GDPR.
This is important to note because if you are setting cookies, you need to consider PECR compliance before looking at the GDPR. As a generalisation, PECR controls when you can drop cookies or executable code, whilst the GDPR (or the DPA 2018) controls how you can use the data that is processed as a result.
PECR also depends on data protection law for some of its definitions. For example, PECR takes the GDPR’s standard of consent:
“‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”
This means you cannot use pre-ticked boxes or assume consent “by continuing to use this website” to obtain a user’s consent for setting cookies – they must agree to all cookies before you set them, using a clear affirmative action (except for strictly necessary cookies).
Cookies and ePrivacy Directive
The ePrivacy Directive (EPD), passed in 2002 and amended in 2009, is also known as the “cookie law” because its most visible effect was the spread of cookie consent banners. It is implemented in the UK by PECR. It supplements and, where it applies, takes precedence over the GDPR by focusing on the confidentiality of electronic communications and the tracking of online users more broadly. It will in time be replaced by the ePrivacy Regulation, outlined below.
Cookie compliance
To comply with the rules for cookies under the GDPR, PECR and the ePrivacy Directive, you must:
- Ensure you have gained freely given, specific, informed and unambiguous consent from a user before you drop any cookies on them, except strictly necessary cookies.
- Provide accurate and precise information on what data each cookie collects and its purpose. This should be written in plain, user-friendly language and displayed before consent is received.
- Document and store consent received from users.
- Allow users to access your online service even if they don’t allow you to use certain cookies.
- Ensure it is as easy for users to withdraw their consent as it was for them to provide their consent in the first instance.
- Adhere to the more general requirements of the GDPR.
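The cookie categories described earlier and the checklist above can both be checked mechanically against what a site actually sets. The following is an added example written for this article, not code from the original page or from DQM GRC: it parses Set-Cookie headers, classifies each cookie by origin (first- or third-party, using the RFC 6265 domain-match rule) and duration (session or persistent), and flags cookies that are undeclared in the site's cookie notice, that outlive the 12-month guidance figure, or that were dropped before the user consented. The captured responses, the page URL, the cookie inventory and the consent timestamp are all constructed for illustration; the 12-month threshold is treated as a guidance figure rather than a statutory limit.

```python
"""Cookie audit helper (added example, not from the original article).

Classifies Set-Cookie headers by origin and duration and checks them against a
declared cookie inventory and the time the user gave consent.
All sample data below is constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from urllib.parse import urlsplit

# Guidance figure cited by regulators, not a limit set by the Directive itself.
TWELVE_MONTHS = timedelta(days=365)


@dataclass
class CookieFinding:
    name: str
    origin: str            # "first-party" or "third-party"
    duration: str          # "session" or "persistent"
    purpose: str           # from the site's declared inventory, or "undeclared"
    issues: list = field(default_factory=list)


def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, {attr: value}).

    Attribute names are lower-cased; flag attributes (Secure, HttpOnly) map to ''.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def cookie_lifetime(attrs, now):
    """Lifetime as a timedelta, or None for a session cookie.

    Max-Age takes precedence over Expires (RFC 6265 section 5.3).
    """
    if "max-age" in attrs:
        return timedelta(seconds=int(attrs["max-age"]))
    if "expires" in attrs:
        return parsedate_to_datetime(attrs["expires"]) - now
    return None


def domain_matches(page_host, cookie_domain):
    """RFC 6265 section 5.1.3 domain-match: equal, or page host is a subdomain."""
    cookie_domain = cookie_domain.lower().lstrip(".")
    page_host = page_host.lower()
    return page_host == cookie_domain or page_host.endswith("." + cookie_domain)


def audit(page_url, responses, inventory, consent_given_at, now):
    """responses: list of (response_url, set_cookie_header, set_at datetime).
    inventory: {cookie_name: purpose} as declared in the site's cookie notice.
    consent_given_at: datetime of the user's consent, or None if never given.
    """
    page_host = urlsplit(page_url).hostname
    findings = []
    for response_url, header, set_at in responses:
        name, _value, attrs = parse_set_cookie(header)
        # Effective domain is the Domain attribute if present, else the setting host.
        effective = attrs.get("domain") or urlsplit(response_url).hostname
        origin = "first-party" if domain_matches(page_host, effective) else "third-party"
        lifetime = cookie_lifetime(attrs, now)
        duration = "session" if lifetime is None else "persistent"
        purpose = inventory.get(name, "undeclared")
        finding = CookieFinding(name, origin, duration, purpose)
        if purpose == "undeclared":
            finding.issues.append("not listed in cookie notice")
        if lifetime is not None and lifetime > TWELVE_MONTHS:
            finding.issues.append("lifetime exceeds 12 months (%d days)" % lifetime.days)
        if purpose != "strictly necessary" and (
            consent_given_at is None or set_at < consent_given_at
        ):
            finding.issues.append("set before consent")
        findings.append(finding)
    return findings


# --- constructed sample capture (hypothetical hosts and cookie names) ---
NOW = datetime(2020, 3, 9, 12, 0, tzinfo=timezone.utc)
PAGE = "https://www.example.com/"
DECLARED = {"sessionid": "strictly necessary", "lang": "functionality", "_ga": "performance"}
CAPTURE = [
    ("https://www.example.com/", "sessionid=9f2c; Path=/; Secure; HttpOnly; SameSite=Lax", NOW),
    ("https://www.example.com/", "lang=en-GB; Path=/; Max-Age=15552000", NOW),
    ("https://stats.example-analytics.net/collect",
     "_ga=GA1.2.123; Domain=.example-analytics.net; Expires=Wed, 09 Mar 2022 12:00:00 GMT", NOW),
    ("https://ads.adnet.example/pixel", "adid=7b1e; Max-Age=63072000", NOW + timedelta(seconds=1)),
]
CONSENT_AT = NOW + timedelta(seconds=30)  # banner accepted 30s after the page loaded


def run_sample():
    return audit(PAGE, CAPTURE, DECLARED, CONSENT_AT, NOW)


if __name__ == "__main__":
    for f in run_sample():
        status = "OK" if not f.issues else "; ".join(f.issues)
        print(f"{f.name:10} {f.origin:12} {f.duration:10} {f.purpose:18} {status}")
```

Purpose cannot be inferred from the header, so the audit takes it from the site's own declared inventory; a cookie missing from that inventory is itself a finding, since the checklist requires you to say which cookies will be set. In a real audit the capture would come from a proxy or browser automation run with a fresh profile, once before and once after accepting the banner.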
ePrivacy Regulation
The EPD’s upcoming replacement, the ePrivacy Regulation (EPR), will build on the EPD and expand its definitions.
The EPR was due to be passed in 2018 alongside the GDPR coming into force. Whilst the EU missed this goal because of the legislation’s depth and complexity, there are draft documents of the ePrivacy Regulation online, and it is now scheduled to be finalised in 2020.
In addition to replacing the ePrivacy Directive and its national implementations (such as PECR), the EPR is set to regulate browser fingerprinting in much the same way as cookies, create more robust safeguards for metadata, and cover newer communication services (such as WhatsApp). We will have to wait and see how this applies in the UK now that Brexit has occurred.
The regulations governing cookies are still being set, and cookies are constantly evolving, so maintaining a current and compliant cookie policy is a continuous job.
Many organisations still do not have a GDPR compliant website or cookie policy.
As the regulators begin to focus more heavily on cookie compliance and the ICO continues to draw attention to its reporting tools for non-compliance, organisations which don’t act quickly will have a lot more work to do – and in the worst instances, they will be singled out for non-compliance.
Cookie compliance audits
Do you need a hand ensuring your organisation's approach to cookie law and similar technologies is compliant with the GDPR and ePrivacy Directive?
At DQM GRC, our expert cookie compliance consultants can help you balance respecting your users’ privacy whilst still generating your online marketing revenue and tracking the statistics you need.
Our GDPR cookie compliance audits act as a starting point for cookie law, where our consultants can help you map how closely your website and cookie operations align to what the current and upcoming cookie regulations require.
Once we’ve completed our cookies assessment to map your current state of play, you will have a clear roadmap that will outline the areas which need to be addressed to achieve compliance. If required, our consultants can help you put these policies and processes in place.
Learn more about our cookie optimisation assessment service
If you’d like to get started today and find out more about our cookies compliance audit, get in touch with one of our expert cookie compliance consultants, call us on 01494 442900, or complete our enquiry form below.