Cookie Guidance – Data Protection Authorities publish update

Data Protection Authorities including the ICO and the Irish Data Protection Commission have recently released updated cookie guidance and CNIL, the French Data Protection Authority, have released updated guidelines, repealing their 2013 guidelines which suggested that a valid form of consent to cookies included the action of a user continuing to navigate a website – this is no longer a valid indication of consent under the updated guidelines.

CNIL have updated their guidelines to align with the European Data Protection Board (EDPB) guidelines on consent and have given stakeholders a 12-month transition period to comply with the changes.

Cookie compliance sits at the intersection of GDPR and ePrivacy in areas such as transparency and lawfulness of processing and it is important to bear in mind that when ‘cookies’ are referred to, the scope extends to other tracking mechanisms such as local storage, the practice of ‘fingerprinting’ based on device attributes, tracking pixels and similar technologies used to track and profile Internet users.

ICO Guidance

As well as issuing new cookie guidance, the ICO also published a blog post clarifying required practices for the use of cookies. Of note:

  • implied consent is not valid for use of cookies;
  • analytics cookies are not considered strictly necessary and so require consent;
  • cookie walls are unlikely to represent valid consent;
  • the lawful basis of legitimate interest cannot be relied on for non-essential cookies;

Context

The GDPR has a clear definition of consent, stating that it must be a freely given, specific, informed and unambiguous indication of the data subject’s wishes. Since the revision of the ePrivacy Directive in 2009 requiring prior consent for cookies, it has often been referred to as the ‘Cookie Law’. In order to comply, many website publishers implemented cookie banners informing visitors of their use of cookies and in some cases providing control over the placement of those cookies.

Implementations of these mechanisms vary and, in many cases, do not meet requirements. There has been a lack of enforcement from data protection authorities for such approaches, leading some to express their frustration.

Real Time Bidding (RTB) is a related practice that facilitates the buying and selling of ads based on the sharing of the personal data of individuals gathered by cookies when they visit websites. It has been receiving greater attention of late as privacy activists have been campaigning for increased scrutiny of the process, highlighting its incompatibility with the GDPR. CNIL has made online targeted advertising a priority for 2019, driven both by the nature of complaints and the request by industry for clarity. Cookies and similar technologies are key to making real-time bidding possible.

With a revised ePrivacy Regulation expected in 2020/2021, Data Protection Authorities are pre-empting the final legislation and clarifying the threshold for transparency, consent and control.

What is Valid Cookie Consent?

The ICO guidance states that in respect of cookies:

  • the user must take a clear and positive action to give their consent to non-essential cookies – continuing to use your website does not constitute valid consent;
  • you must clearly inform users about what your cookies are and what they do before they consent to them being set;
  • if you use any third-party cookies, you must clearly and specifically name who the third parties are and explain what they will do with the information;
  • you cannot use any pre-ticked boxes (or equivalents such as ‘on’ sliders) for non-essential cookies;
  • you must provide users with controls over any non-essential cookies, and still allow users access to your website if they don’t consent to these cookies; and
  • you must ensure that any non-essential cookies are not placed on your landing page (and similarly that any non-essential scripts or other technologies do not run until the user has given their consent).

The ‘Strictly Necessary’ Exemption

Cookies that are necessary for the functioning of a website do not require consent, although this should be understood to have a narrow application. Analytics cookies, for example, would not be considered strictly necessary. However, cookies such as those that facilitate an e-commerce checkout process, aid in the security of the website or ensure its optimal performance could be considered as necessary.

Impact

Many websites have adopted cookie banners or similar methods that will not meet the standard laid out in these new guidelines. Website owners face both a technical and budgetary challenge in revising their consent mechanisms. There are many vendors in this space offering integrations to manage cookies as well as open source alternatives such as the tool used by CNIL to provide the cookie consent mechanism on their website.

The need to make it easier for individuals to manage cookie preferences may revive efforts such as the previously abandoned Do Not Track (DNT) standard led by the W3C. Any new effort to bring cookie consent mechanisms within the purview of the browser may benefit from offering more granular control than the initial DNT mechanism that provided for a blanket ‘do not track’ signal.

The impact for end-users of websites is a positive one and demonstrates that data protection authorities are developing a consistent approach to guidance on these technical issues.

Review Your Cookie Consent Mechanism

Taken in the context of the upcoming ePrivacy Regulation, a clear increase in enforcement activities by supervisory authorities in recent months and a statement that cookie compliance will be an increasing priority for regulators, website publishers would be well-advised to review how their current cookie consent mechanisms measure up against these new guidelines. Doing so not only facilitates compliant personal data processing but is also a visible measure of realising individuals’ fundamental rights, engendering trust in your website users and ultimately, your customers.

 

Trilateral’s advisors can support you in meeting your compliance needs. For more information visit Trilateral Data Protection Officer page and contact our team:

Alan Mac Kenna, Data Protection Technology Advisor at Trilateral Research

 



Risk Assessment Methodology Report

You can view the Executive Summary and Table of contents of the Project Solebay Risk Assessment Methodology Report.

Please sign up to the Solebay mailing list to download the Full Solebay project report.