The cookie monster… how to stay the right side of the law
This article was first written by Debbie Venn, DMH Stallard – Partner (Commercial, IT/IP and Travel) for Travel Law Today issue eight, which can be downloaded at abta.com/travellawtoday
What are cookies?
Cookies are often categorised as either ‘session cookies’ (stored for the browser session), ‘persistent cookies’ (stored between browsing sessions), ‘first-party cookies’ (placed by the website itself to track user journeys on the website), or ‘third-party cookies’ (planted by parties other than website operators, for the purposes of behavioural advertising or other use). Users are able to block first-party and third-party cookies.
Cookies are generally categorised as:
- Strictly necessary cookies – required for the operation of a website;
- Analytical or performance cookies – allow online providers to recognise and count visitors to their website and see how their website is used;
- Functionality cookies – recognise users and enable personalisation of content;
- Targeting cookies – detail pages of a website visited and links followed, assisting targeted online advertising;
- Social media cookies – allow users to share website activity on social media.
When using cookies, website operators need to provide users with certain information about what cookies are used and for what purpose, so that appropriate consents are obtained.
The Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR)
PECR requires online service providers to give ‘clear and comprehensive information’ about cookies before they are placed, as well as obtain consent to such use (unless an exception applies).
Clear information is needed, eg via a banner or cookie overlay when a user first visits a website, before the cookie is placed or before information stored in the user’s terminal equipment is collected. The user is then asked to click to agree to the use of cookies or to reject them; depending on the circumstances and the way the website is set up, an option can also be presented to manage cookie preferences.
Once consent is obtained, you do not need to get this every time a user accesses your website. However, if you change the cookies you use or what you do with the information, then you will need to provide fresh information and get new consent for that adjusted cookie/use.
Pre-ticked boxes are banned, and silence and inactivity are not valid consent. Consent cannot be bundled into terms and conditions. Non-essential cookies need to have some controls around them and must not be placed on a landing page until the user has given their consent.
The exceptions under PECR to providing information or obtaining consent apply when the cookie is: (i) placed for the sole purpose of transmitting a communication over an electronic communications network; or (ii) strictly necessary for the provision of an information society service requested by the user. ‘Strictly necessary’ is interpreted narrowly and includes remembering actions (eg, a shopping basket) and managing security tokens (eg, log-ins). However, the ICO’s guidance is that it is still good practice to provide users with information about these cookies, even if you are not required to get consent.
Draft ePrivacy Regulation (ePR)
PECR has been reviewed at EU level and there is a draft ePrivacy Regulation 2017; this has not yet been adopted as law. The aim of the draft ePR is to extend the scope of the regulations to all electronic communications service providers, to provide for enhanced security and to clarify the rules around metadata. Whether and how this is implemented in the UK will depend on Brexit and whether it happens.
Where a cookie can be linked to other personal data, that information will amount to ‘personal data’, so the provider would also need to comply with the General Data Protection Regulation 2016 (GDPR) and the Data Protection Act 2018 (DPA). For example, if you were using cookie data and then wanted to use it for tracking and profiling individuals for direct marketing purposes, behavioural advertising, etc., then you are likely to need consent as your lawful basis for processing personal data in this way. The ICO’s guidance is that where you collect cookie data that includes personal data, you should carry out a data protection impact assessment (to assess the processing activity) and consider whether you can anonymise the personal data instead, to avoid additional concerns under GDPR/DPA.
The ICO’s guidance goes on to say that consent requires a clear positive action, not just a user continuing to use a website. Users should also be given the opportunity to enable or disable non-essential cookies, and the website operator must make it easy for them to do so. Where special category data is collected or other more intrusive cookies are used (eg health details or behavioural tracking), it is important to make sure that clear and specific consent is obtained for the use of such cookies.
What should I do now?
- Conduct an audit of the cookies you use and identify whether each cookie:
  - is first-party or third-party; and
  - is a persistent or session cookie.
- Review the purpose for using each cookie and whether it is a strictly necessary, functionality, performance, advertising or social media cookie.
- Identify if any personal data is being processed in relation to the cookie.
- Give clear notices about cookies used, including a banner to obtain consent (and where applicable, to manage preferences).
- Allow users to disable cookies.
- Consider whether third-party cookies are used and whether the third-party relationship is governed by a suitable contract, including data processing clauses.
- Keep records of consents received.
- Consider what retention periods may be relevant for each cookie and include relevant information in your Cookies Policy.
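The audit step above asks which cookies are first- or third-party and which are persistent or session cookies, and the retention step asks how long each one lives. The script below is an added example written for this article, not code from the original author or from ABTA/DMH Stallard; it classifies `Set-Cookie` headers captured from a site's responses against those questions. The sample headers are constructed, and the `registrable_domain` helper is a simplification (last two labels of a hostname) that a real audit should replace with a Public Suffix List lookup.

```python
"""Cookie audit helper (added example): classify Set-Cookie headers as
first-/third-party and session/persistent, and report the declared lifetime.
All sample data below is constructed for illustration."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime


@dataclass
class CookieRecord:
    name: str
    setter_host: str           # host whose response carried the Set-Cookie header
    cookie_domain: str         # Domain attribute if declared, else the setter host
    party: str                 # "first" or "third", relative to the audited site
    persistent: bool           # True when a positive Max-Age/Expires is declared
    lifetime_seconds: int | None  # None for session cookies
    flags: tuple[str, ...]     # Secure / HttpOnly / SameSite as declared


def registrable_domain(host: str) -> str:
    # Assumption/simplification: the last two labels form the registrable domain.
    # Real-world audits should consult the Public Suffix List (e.g. "co.uk").
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def parse_set_cookie(header: str) -> tuple[str, str, dict[str, str]]:
    """Split a Set-Cookie header into (name, value, lower-cased attributes)."""
    first, *rest = [part.strip() for part in header.split(";")]
    name, _, value = first.partition("=")
    attrs: dict[str, str] = {}
    for part in rest:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def classify(site_host: str, setter_host: str, header: str, now: datetime) -> CookieRecord:
    name, _value, attrs = parse_set_cookie(header)
    cookie_domain = attrs.get("domain", "").lstrip(".") or setter_host
    same_site = registrable_domain(cookie_domain) == registrable_domain(site_host)
    party = "first" if same_site else "third"

    lifetime: int | None = None
    if "max-age" in attrs:                      # Max-Age takes precedence over Expires
        try:
            lifetime = int(attrs["max-age"])
        except ValueError:
            lifetime = None                     # malformed Max-Age is ignored (RFC 6265)
    elif "expires" in attrs:
        expires = parsedate_to_datetime(attrs["expires"])
        if expires.tzinfo is None:
            expires = expires.replace(tzinfo=timezone.utc)
        lifetime = int((expires - now).total_seconds())
    # A zero or negative lifetime is a deletion, not a persistent cookie.
    persistent = lifetime is not None and lifetime > 0

    flags = tuple(
        key if val == "" else f"{key}={val}"
        for key, val in attrs.items()
        if key in ("secure", "httponly", "samesite")
    )
    return CookieRecord(name, setter_host, cookie_domain, party, persistent, lifetime, flags)


def audit(site_host: str, responses: list[tuple[str, str]], now: datetime) -> list[CookieRecord]:
    """responses: (host that sent the response, raw Set-Cookie header value)."""
    return [classify(site_host, host, header, now) for host, header in responses]


def summarise(records: list[CookieRecord]) -> dict[str, int]:
    return {
        "first": sum(r.party == "first" for r in records),
        "third": sum(r.party == "third" for r in records),
        "persistent": sum(r.persistent for r in records),
        "non_persistent": sum(not r.persistent for r in records),
    }


# Constructed sample: a fixed "now" keeps the Expires arithmetic deterministic.
SITE = "www.example.com"
NOW = datetime(2024, 12, 31, tzinfo=timezone.utc)
SAMPLE_RESPONSES = [
    ("www.example.com", "sessionid=abc123; Path=/; Secure; HttpOnly"),
    ("www.example.com", "prefs=en; Max-Age=2592000; Path=/; SameSite=Lax"),
    ("ads.tracker-net.test", "uid=xyz; Domain=.tracker-net.test; Expires=Wed, 01 Jan 2025 00:00:00 GMT; Path=/"),
    ("cdn.example.com", "region=eu; Max-Age=0"),
]


def run_sample() -> list[CookieRecord]:
    return audit(SITE, SAMPLE_RESPONSES, NOW)


if __name__ == "__main__":
    for rec in run_sample():
        print(f"{rec.name:<10} {rec.party:<6} persistent={rec.persistent!s:<5} "
              f"lifetime={rec.lifetime_seconds} flags={rec.flags}")
    print(summarise(run_sample()))
```

The output lists each cookie with its party, persistence and declared lifetime, which maps directly onto the audit and retention bullet points; the `flags` field is a useful by-product for checking that session and security cookies carry `Secure` and `HttpOnly`.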