10 Jan 2020

The cookie monster… how to stay the right side of the law

This article was first written by Debbie Venn, DMH Stallard – Partner (Commercial, IT/IP and Travel) for Travel Law Today issue eight, which can be downloaded at abta.com/travellawtoday

Businesses generally use cookies (small text files) on their websites to place information on users’ devices (eg, smartphones, tablets, or other ‘terminal equipment’) to enable website functionality, recognition of users, or to track how users navigate their websites/apps and their preferences.

Travel businesses will often use cookies to allow website users to view holidays and short-list travel services, place details in an online shopping basket and then book and pay for their holidays. They can also be used for targeted marketing and other activities.

What are cookies?

Cookies are often categorised as either ‘session cookies’ (stored for the browser session), ‘persistent cookies’ (stored between browsing sessions), ‘first-party cookies’ (placed by the website itself to track user journeys on the website), or ‘third-party cookies’ (planted by parties other than website operators, for the purposes of behavioural advertising or other use). Users are able to block first-party and third-party cookies.

Cookies are generally categorised as:

  • Strictly necessary cookies – required for the operation of a website;
  • Analytical or performance cookies – allow online providers to recognise and count visitors to their website and see how their website is used;
  • Functionality cookies – recognise users and enable personalisation of content;
  • Targeting cookies – detail pages of a website visited and links followed, assisting targeted online advertising;
  • Social media cookies – allow users to share website activity on social media.

When using cookies, website operators need to provide users with certain information about what cookies are used and for what purpose, so that appropriate consents are obtained.

Use of cookies and the law

The Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR)
PECR requires online service providers to give ‘clear and comprehensive information’ about cookies before they are placed, as well as obtain consent to such use (unless an exception applies). 

PECR applies whether or not personal data is processed. Therefore, ‘clear and comprehensive information’ must be provided to users with a visible notice about use of cookies. This must be provided by the person setting the cookie (where the website uses third-party cookies, the ICO guidance is to do this jointly).

Clear information is needed, eg via a banner or cookie overlay when a user first visits a website, before the cookie is placed or before information stored in the user’s terminal equipment is collected. A user is then asked to click to agree to using cookies or to reject them; depending on the circumstances and the way the website is set up, an option can be presented to manage cookie preferences.

Although not defined in PECR, the ‘consent’ standard is set by GDPR. ‘Consent’ must be ‘freely given, specific, informed and an unambiguous indication of the data subject’s wishes, by which he or she by a statement or a clear affirmative action signifies agreement’. A request for consent must also include the controller’s identity, details of the purposes of processing, what type of data is collected, existence of the right to withdraw consent, details of automated decision-making and transfers to non-adequate countries (if relevant). The key information can be set out in the banner, with the rest of the information being provided in a linked Cookie Policy.

Once consent is obtained, you do not need to get this every time a user accesses your website. However, if you change the cookies you use or what you do with the information, then you will need to provide fresh information and get new consent for that adjusted cookie/use.

Pre-ticked boxes are banned, and silence and inactivity are not valid consent. Consent cannot be bundled into terms and conditions. Non-essential cookies need to have some controls around them and must not be placed on a landing page until the user has given their consent.

The ‘exceptions’ to the PECR requirements to provide information or obtain consent apply when the cookie is: (i) placed for the sole purpose of transmitting a communication over an electronic communications network; or (ii) strictly necessary for the provision of an information society service requested by the user. ‘Strictly necessary’ is interpreted in a limited way and includes remembering actions (eg, shopping basket) and managing security tokens (eg, log-ins). However, the ICO’s guidance is that it is still good practice to provide users with information about these cookies, even if you are not required to get consent.

Draft ePrivacy Regulation (ePR)
PECR has been reviewed at EU level and there is a draft E-Privacy Regulation 2017; this is not yet adopted as law. The aim of the Draft ePR is to extend the scope of the regulations to all electronic communications service providers, provide for enhanced security and clarify rules around metadata. Implementation of this will depend on Brexit and whether it happens.

GDPR
Where a cookie can be linked to other personal data, that information will amount to ‘personal data’, therefore the provider would also need to comply with the General Data Protection Regulations 2016 (GDPR) and Data Protection Act 2018 (DPA). For example, if you were using cookie data, and then you wanted to use that for tracking and profiling individuals for direct marketing purposes, behavioural advertising, etc., then you are likely to need consent as your lawful basis for processing personal data in this way. The ICO’s guidance is that where you collect cookie data that includes personal data, then you should carry out a data protection impact assessment (to assess the processing activity) and consider whether you can anonymise the personal data instead, to avoid additional concerns under GDPR/DPA.

ICO guidance

The ICO published updated guidance on cookies and similar technologies in June 2019. This includes guidance on when consent for use of cookies is required and what counts as consent. 

The ICO states that you cannot show consent if you only provide information about cookies as part of a privacy policy that is hard to access, therefore you should make sure that details about cookies are either in a separate Cookies Policy, or provided clearly in a relevant banner/web page. In addition, non-essential cookies cannot be set on a website homepage before the user consents to them.

The ICO’s guidance continues to say that consent requires a clear positive action, not just a user continuing to use a website. Users should also be given the opportunity to enable or disable non-essential cookies and the website operator must make it easy for them to do this. Where special category data is collected or other more intrusive cookies are used (eg, health details or tracking behaviour), then it is important to make sure that clear and specific consent is received for the use of such cookies.

What should I do now?

  • Conduct an audit of the cookies you use and identify whether a cookie:
    – is a first or third party; and
    – is a persistent or session cookie.
  • Review the purpose for using each cookie and whether it is a strictly necessary, functional, performance, advertising or social media cookie.
  • Identify if any personal data is being processed in relation to the cookie.
  • Give clear notices about cookies used, including a banner to obtain consent (and where applicable, to manage preferences).
  • Allow users to be able to disable cookies.
  • Consider whether third-party cookies are used and whether the third-party relationship is governed by a suitable contract, including data processing clauses.
  • Keep records of consents received.
  • Consider what retention periods may be relevant for each cookie and include relevant information in your Cookies Policy.
  • Create a separate Cookies Policy if your cookie information currently sits within your privacy policy.
  • Keep your use of cookies under review.