On 3 July 2019, the UK Data Protection Authority, the Information Commissioner, published new guidance on the use of cookies together with a 'myth-busting' blog post. The new guidance follows the Information Commissioner's June report into ad-tech and real time bidding, which raised substantial compliance challenges in relation to cookies (see our article from last month for more on this).
Key points from the new cookie guidance are summarised below.
For more information, join our webinar on 9 July 2019, where we will discuss the new guidance, upcoming changes and what organisations can do now.
1. Implied consent is "no longer acceptable"
The GDPR standard of consent applies in relation to consent required under PECR in relation to cookies.
The blog post states that because the higher standard of consent means that implied consent would not constitute valid consent "whether it’s for cookies, or for processing personal data". The new cookie guidance does not specifically discuss implied consent; rather it provides the GDPR definition of consent and explains that "the user must take a clear and positive action to give their consent to non-essential cookies".
The statement in the blog post does not quite line up with statements made by the Information Commissioner in its consent guidance:
"The idea of an affirmative act does still leave room for implied methods of consent in some circumstances, particularly in more informal offline situations. The key issue is that there must still be a positive action that makes it clear someone is agreeing to the use of their information for a specific and obvious purpose. However, this type of implied method of indicating consent would not extend beyond what was obvious and necessary".
2. The approach to cookie consent in practice
The new guidance highlights the following:
(i) continuing to use an organisation's website does not constitute valid consent – in particular, the Information Commissioner is of the view that a user going "straight through to another part of your site" rather than engaging with a cookie pop-up, banner or splash page would not be valid consent because "users who fail to engage with the consent box cannot be said to consent to the setting of these cookies";
(ii) emphasizing the ‘agree’ or ‘allow’ cookie options over the ‘reject’ or ‘block’ cookie options represents a non-compliant approach, as the online service is influencing users towards the ‘accept’ option";
(iii) a consent mechanism that doesn’t allow a user to make a choice would also be non- compliant, even where the controls are located in a ‘more information’ section;
(iv) if an organisation uses any third party cookies, it must clearly and specifically name who the third parties are and explain what they will do with the information (this is consistent with the Information Commissioner's consent guidance which states that organisations should name all any third party controllers who will rely on the consent);
(v) organisations cannot use any pre-ticked boxes (or equivalents such as ‘on’ sliders) for non-essential cookies; and
(vi) organisations must ensure that any non-essential cookies are not placed on website landing pages (and similarly that any non-essential scripts or other technologies do not run) until the user has given their consent.
3. Look at PECR rules first before moving onto the GDPR's lawful basis requirement
The new guidance explains that organisations should look at PECR first in relation to cookies and ensure they comply with its consent requirements, before considering any of the general rules in the GDPR.
The new guidance states that if you have obtained consent in compliance with PECR, then in practice consent is also the most appropriate lawful basis under the GDPR. The Information Commissioner reasons that "[t]rying to apply another lawful basis such as legitimate interests when you already have GDPR-compliant consent would be an entirely unnecessary exercise, and would cause confusion for your users".
The new guidance encourages relying on consent under GDPR where cookies are involved, but it does not entirely preclude organisations relying on another lawful basis.
Organisations may have good reasons for seeking a different lawful basis for processing under GDPR – in particular, when placing cookies on a site/app used by under 13s, an organisation will be minded to avoid consent as a lawful basis of processing under GDPR where possible because of the added compliance burden. Article 8 of the GDPR provides that if an online service is provided to a child (in the UK, under 13) where the lawful basis to process personal data is consent, that such consent must be given by the person with parental authority for the child. This is one of the issues arising from the Information Commissioner's updated report on real time bidding where she concluded that the lawful basis for both the placing of the cookie or similar technologies and also for processing of the bid request should be consent.
4. It is possible to rely on an alternative lawful [BASIS] for processing of personal data under GDPR following the setting of a cookie…
The new guidance acknowledges that it may be possible to rely on a lawful basis other than consent for subsequent processing beyond the setting of any cookies.
5. …though in certain subsequent processing scenarios, consent would be required under GDPR
(i) Analysing or predicting preferences or behavior
The Information Commissioner is of the view that analysing or predicting the personal preferences, behaviour and attitudes of individual users, with this subsequently informing measures or decisions taken about them, would require consent under GDPR.
(ii) Tracking and profiling for direct marketing and advertising
The Information Commissioner is of the view that the legitimate interests lawful basis is not appropriate for the processing of personal data in connection with profiling and targeted advertising. Without the legitimate interests lawful basis, consent would be the only other option.
The guidance cites the EDPB's ‘Opinion 5/2019 on the interplay between the ePrivacy Directive and the GDPR’ and the Article 29 Working Party's 'Opinion 3/2013 on purpose limitation' and 'Opinion 6/2014 on the notion of legitimate interests' in support of these views.
6. Full 'cookie walls' are unlikely to be compliant
According to the guidance, a full cookie wall – i.e. requiring users to ‘agree’ or ‘accept’ the setting of cookies before they can access an online service’s content – is unlikely to represent valid consent on the basis that GDPR requires that consent be "freely given".
The Information Commissioner acknowledges that partial cookie walls that restrict access to certain content that requires the use of cookies could be valid. The blog post notes that there are "some differing opinions as well as practical considerations around the use of partial cookie walls" and that the Information Commissioner's Office will be seeking further submissions and opinions on this point from interested parties.
The guidance references the rights to freedom of expression and to run a business in its discussion of cookie walls. This suggests that the Information Commissioner is aware that free content - especially that provided by the media - is ad-supported and that banning cookie walls and making ad-related cookies optional will be problematic for many businesses, a point that also hinted at in the recent real time bidding report.
7. Analytics cookies are not exempt (though first party analytics cookies are unlikely to be a regulatory priority)
The new guidance stresses that analytics cookies are not exempt from the consent requirement. They do not fall into the "strictly necessary" exemption.
Though the Information Commissioner states that it is "unlikely that priority for any formal action would be given to uses of cookies where there is a low level of intrusiveness and low risk of harm to individuals" and first party analytics cookies are given as an example of cookies that are potentially low risk.