What law applies here?
GDPR and the Data Protection Act 2018 will apply where personal data is being processed. GDPR expressly states that IP addresses and other online identifiers may be personal data. For more on GDPR, visit our GDPR Hub.
PECR sits alongside GDPR. The EDPB has published a helpful guide (PDF) on the interaction between PECR and GDPR.
There are a couple of points to note:
- If personal data is being processed, then GDPR is engaged
- If consent is required under PECR then the EDPB’s view is that the controller cannot rely on another legal basis under GDPR for the same processing activity (and, potentially, certain subsequent processing activities).
The European Commission has proposed replacing the ePrivacy Directive with a new ePrivacy Regulation, which would have direct effect in member states. The draft text is still being discussed by the various EU institutions, and it is unlikely that the text will be finalised before 2020.
The guidance provides a reminder on the key issues:
- The rules in PECR apply to all cookies other than those that are “strictly necessary” or used solely for carrying out the transmission of a communication;
- “Strictly necessary” is interpreted narrowly. For example, a cookie necessary to enable the operation of an online shopping cart is necessary, but advertising cookies are not;
- Individuals must be provided with clear and user-friendly information on how cookies will be used and the purpose for which they will be used;
- Users or subscribers must give consent prior to cookies being placed or used;
- When requesting consent, users must have a genuine choice and be provided with sufficient and specific information to make an informed decision;
- A failure to engage with a cookie request (for example, continuing to browse) cannot be used to infer consent;
- Acceptance of cookies as a condition for accessing a site (or part of a site) will only be lawful in limited situations. The ICO’s view is that acceptance of online advertising cookies is not a legitimate purpose.
The obligation to obtain consent also applies to third party cookies. In order to obtain valid consent, website operators will need to be able to provide clear and transparent information about those cookies.
While pop-up cookie consent tools are now commonplace on websites, many of these are configured in a way that is unlikely to provide valid consent. Common issues include pre-ticking consent boxes and not providing sufficient detail when presenting the user with an “accept all” or similar button.
What about analytics cookies?
The ICO’s view is that analytics cookies do not fall within the scope of “strictly necessary” cookies.
In contrast, new cookies guidance from the Irish Data Protection Commissioner (PDF) is silent on analytics cookies. It is also notable that Article 8 of the draft ePrivacy Regulation expressly states that first party cookies used for “web audience monitoring” and “statistical counting” do not require consent. The latest draft from the Council clarifies that this would include measurement carried out by a third party on behalf of the website operator.
For the time being, however, UK guidance requires website operators to seek prior consent for analytics cookies. Whether the ICO will actively enforce this part of its guidance, or whether the courts will agree, remains to be seen.
Third party plug-ins
The use of third party plug-ins (such as social media sharing widgets), where personal data is shared with a third party, can raise additional issues.
The Court of Justice of the European Union this week held that for the purposes of data protection law, the operator of the website is a joint controller with the third party in relation to the collection and disclosure of that personal data.
This means website operators are responsible for:
- providing, at the point of collection, information in relation to that processing;
- where processing is being carried out on the basis of consent, obtaining valid consent; and
- where processing is necessary for the purposes of a legitimate interest, ensuring that the operator has a legitimate interest that justifies the collection and transmission of that personal data.
The case before the CJEU considered the inclusion of a Facebook “like” button on a website. The button operated such that information about the user was automatically shared with Facebook, whether or not the user was a member of Facebook. While the case considered social media sharing widgets, similar issues arise in relation to other embedded content such as maps and videos.
Taken together with the ICO’s revised guidance on cookies, it is essential that organisations properly audit their use of tracking technologies, third party plug-ins and embedded content to understand what technologies are being used and what information is being shared.
This review should cover not just websites and cookie tools, but also apps and the use of tracking technologies in emails.
Once that audit has been completed, organisations should review how:
- valid consent is obtained; and
- cookies are deployed (ensuring that non-necessary cookies are not set before consent has been obtained).
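The two review points above (how consent is obtained, and that non-necessary cookies are not set before it) can be checked in code. The following is an added example, not code from the original article or from any consent tool it mentions; the cookie inventory, the category names and the banner configuration shape are constructed for illustration. It gates cookie deployment on an explicit per-category opt-in, refuses to treat continued browsing or a pre-ticked default as consent, and audits a banner configuration for the common failings the guidance describes.

```javascript
// Consent-gated cookie deployment and banner audit (added example; all data constructed).
// Only "strictly-necessary" cookies are exempt from prior consent; every other
// category starts with no decision and is deployed only after an explicit opt-in.

// Constructed inventory, the kind of output a cookie audit should produce.
const COOKIE_INVENTORY = [
  { name: 'cart_session', category: 'strictly-necessary', purpose: 'keeps the shopping cart working' },
  { name: 'site_stats',   category: 'analytics',          purpose: 'audience measurement' },
  { name: 'ad_profile',   category: 'advertising',        purpose: 'advertising profiling (third party)' },
];

const EXEMPT_CATEGORIES = new Set(['strictly-necessary']);

// Fresh state: null means "the user has not decided yet", which is not consent.
function createConsentState() {
  return { analytics: null, advertising: null };
}

// Records a user choice. Only an explicit click on an unticked control counts;
// "continued browsing", scrolling or a pre-ticked default are rejected outright.
function recordChoice(state, category, granted, signal) {
  if (signal !== 'explicit-click') {
    throw new Error(`consent for "${category}" cannot be inferred from "${signal}"`);
  }
  if (typeof granted !== 'boolean') {
    throw new Error('choice must be an explicit true/false');
  }
  return { ...state, [category]: granted };
}

// A cookie may be set only if it is exempt or its category has been explicitly granted.
function mayDeploy(state, cookie) {
  if (EXEMPT_CATEGORIES.has(cookie.category)) return true;
  return state[cookie.category] === true;
}

// Sets the permitted cookies via `writeCookie` (in a browser: s => { document.cookie = s; })
// and returns the names actually deployed so the caller can log or test the outcome.
function deployCookies(state, writeCookie) {
  const deployed = [];
  for (const cookie of COOKIE_INVENTORY) {
    if (mayDeploy(state, cookie)) {
      writeCookie(`${cookie.name}=1; Path=/; Secure; SameSite=Lax`);
      deployed.push(cookie.name);
    }
  }
  return deployed;
}

// Audits a banner configuration for the failings that make consent invalid:
// pre-ticked purposes, purposes without a description, and no way to refuse.
function auditBannerConfig(config) {
  const issues = [];
  for (const p of config.purposes) {
    if (p.preChecked) issues.push(`purpose "${p.category}" is pre-ticked`);
    if (!p.description || p.description.trim() === '') {
      issues.push(`purpose "${p.category}" has no description of how cookies are used`);
    }
  }
  if (!config.rejectAllButton) issues.push('no "reject" option alongside "accept all"');
  return issues;
}

// Stand-alone demonstration: nothing non-essential is set until the user clicks.
if (typeof require !== 'undefined' && require.main === module) {
  const jar = [];
  let state = createConsentState();
  console.log('before consent:', deployCookies(state, (c) => jar.push(c)));
  state = recordChoice(state, 'analytics', true, 'explicit-click');
  console.log('after analytics opt-in:', deployCookies(state, (c) => jar.push(c)));
  console.log(auditBannerConfig({
    purposes: [{ category: 'analytics', preChecked: true, description: '' }],
    rejectAllButton: false,
  }));
}
```

In a real deployment the inventory would be generated from the audit described above, and third-party tags (analytics scripts, social widgets, embedded maps and videos) would be loaded through the same gate rather than included unconditionally in the page, since those scripts set their own cookies as soon as they run.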