The interaction between the General Data Protection Regulation (2016/679) (“GDPR”) and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (as amended) (“PECR”) has been vexing for some time now.

As a possible sign that supervisory authorities have lost patience waiting for the EU legislature to reform the ePrivacy Directive (Directive 2002/58/EC) on which PECR is based, the UK Information Commissioner’s Office (the “ICO”) released updated guidance on the use of cookies and similar technologies (the “Guidance”) on 3 July 2019. The Guidance provides the first in-depth insight into what the ICO expects from website owners in order for their cookie usage to comply with the GDPR/PECR framework. The Guidance comes just weeks after the ICO published an update report into adtech and real time bidding (the “Adtech Report”), the ICO’s progress report on a regulatory priority sector which is also powered by cookies.

One central message from these documents is that any notion of a regulatory enforcement amnesty pending the arrival of a new EU ePrivacy Regulation should be discounted - cookies are being singled out as “an increasing regulatory priority”. The ICO has been looking for some time at long-established internet practices through the prism of the ungainly GDPR/PECR combination, has started to engage with stakeholders and does not like what has come to light. In the Guidance, the picture is challenging although there are a few areas where comfort can be drawn, e.g. less intrusive analytics cookies are not top of the list of enforcement priorities. In the Adtech Report, the ICO’s two prioritised areas of concern are (1) the processing of special category personal data without explicit consent and (2) the complexity of the data supply chain. The regulator appears to be firing a “shot across the bows” noting that, while the information gathering continues, the ICO expects data controllers in the adtech industry to re-evaluate their approach to privacy notices, the use of personal data and the lawful grounds being relied upon under GDPR.

Which law applies to cookies: PECR or the GDPR?

Potentially, both apply. PECR provides specific rules which organisations must follow when deploying cookies or similar technologies on “terminal equipment” like PCs or smart phones. When the ICO refers to “cookies”, it is also referring to local shared objects, “device fingerprinting” techniques, pixels, etc. The GDPR, of course, governs the processing of “personal data”. Cookies will often (but not inevitably) involve the processing of personal data e.g. user authentication cookies which allow an individual to log on to their account at an online service. When PECR applies it takes priority over the GDPR (and the UK Data Protection Act 2018) and the ICO says that PECR should be considered first.

It was originally intended that a GDPR-era replacement for PECR would have been finalised at the EU level and applicable from the 25th of May 2018. The ePrivacy Regulation appears to have lost momentum, however, and significant compliance challenges come from the requirement to “retrofit” GDPR-standard requirements to PECR, e.g. “consent” for a non-essential cookie under PECR now has to be GDPR-standard consent. Similarly the “clear and comprehensive information” PECR requirements now mean “fair processing information” requirements from Articles 13-14 of the GDPR.

What do I need to know about cookies?

PECR states, in summary, that consent must be obtained for the storing of cookies unless those cookies are “strictly necessary” to provide a requested service, or are required to allow “communication” between two parties over a network. The Guidance makes clear that in the ICO’s view:

  • Implied consent is not a valid legal basis for the use of cookies. The GDPR’s definition of consent has raised the bar, meaning that current mechanisms like banners which purport to collect consent if an individual continues to use a website will not be valid. In addition, the ICO’s view is that it will not be possible, in most situations, to rely on a user’s browser settings in order to demonstrate consent to the use of cookies.
  • Cookies may be “strictly necessary” if they are required to comply with other legislation, such as the GDPR. This may be a welcome clarification for organisations which use cookies for security and fraud prevention purposes, for example. Whether a cookie is “strictly necessary” must be considered from the position of the website user, however, and not the organisation making the website available. Analytics cookies cannot be considered “strictly necessary” and therefore require consent.
  • Where personal data are processed as a result of the use of cookies, it may be possible for the purposes of the GDPR to rely on a legal basis other than consent. This will vary on a case-by-case basis, however, and will need to be considered carefully.
  • Organisations must provide “clear and comprehensive” information about how they use cookies, to the same extent as if they were processing personal data under the GDPR. This will require many organisations to make substantial amendments to their cookie policies, and any cookie banners that are currently in place.

What should we be doing now?

In the blog “Cookies: what does ‘good’ look like?” the ICO’s Head of Technology Policy notes that for many organisations “more work will have to be done” to comply. The Guidance notes that - while regulatory action is always a possibility - it is unlikely that the ICO would consider cookies with a low level of intrusiveness as a priority, e.g. first party cookies used for analytics purposes, or those which support the accessibility of sites and services. What seems clear is that waiting for the EU ePrivacy Regulation before reviewing your website’s cookie compliance post-GDPR could be a risky proposition. Organisations should therefore consider:

  • Auditing your cookies to confirm which are being deployed across your websites, apps and other platforms.
  • Reviewing contracts with third parties which place their cookies on your platforms.
  • Reviewing and updating relevant cookie policies and consent collection mechanisms to reflect the combined requirements of PECR and the GDPR.
  • Considering whether adequate records are kept, where necessary, to meet the requirements of PECR and the GDPR. Consent records are particularly relevant here.

The ICO’s report on adtech and real time bidding

Of all the sectors to be affected by the GDPR, adtech has perhaps been one of the hardest hit. The confusing interplay between PECR and the GDPR is disproportionately problematic for a sector which depends so heavily on cookies. It has also been singled out by the ICO as a regulatory priority area and the subject of a number of complaints to the ICO made by privacy advocacy groups.

Broadly speaking, “adtech” refers to tools that analyse and manage information for online advertising campaigns, and automate the processing of advertising transactions, e.g. the buying and selling of advertising inventory on a website. It has been clear for some time that the ICO has had the adtech industry firmly within its sights. The Adtech Report is a progress report; it is not guidance, although it indicates that the regulator does “not think these issues will be addressed without intervention”.

The Adtech Report focusses on so-called “real time bidding” (“RTB”), an auction process that is primarily used to sell visual advertising inventory on websites and apps (though it can also be used for other media such as audio and visual streaming). This “real time” auction occurs in a fraction of a second – in the time it takes for a website to load in a user’s browser. Publishers make space available on their platforms, ultimately to be filled by content from advertisers as a result of a successful bid on a per individual viewer basis. The process relies on publishers creating “bid requests”, as well as a series of intermediaries such as Data Management Platforms (DMPs) which may be involved in enriching the data about the potential viewer and tagging it with information known or inferred about that person, making the bid request more valuable. Adtech relies heavily on cookies and similar technologies to collect the data (including personal data) of the page visitor, which is then incorporated into the bid request before it is put out for auction.

The ICO makes clear that it has chosen to investigate the RTB ecosystem because of its complexity and scale, alongside the risks that it poses to the rights and freedoms of individuals. The Adtech Report highlights:

  • GDPR Lawful Basis: There is a lack of clarity within the industry as to the situations in which the GDPR’s lawful bases apply. In particular, the ICO notes the misconception that legitimate interests can be relied upon to place cookies; as noted above, consent is required under PECR in order for most cookies to be placed on a device. Where personal data are also processed, a lawful basis for processing under the GDPR must also be identified. The ICO’s view is that if consent is required to place a cookie, “then in practice consent is the appropriate lawful basis under the GDPR”. This will remain a point of contention within the industry, and even amongst other data protection authorities, who consider that the more flexible “legitimate interests” basis may be relied upon in some circumstances.
  • Special Category Personal Data: The RTB ecosystem uses a number of alternative protocols. Two of the most common include data fields relating to politics, religion, mental and physical health – all of which are “special category personal data” for the purposes of the GDPR. This data is subject to stricter controls on processing, such as the need for the individual’s “explicit consent” (an affirmation by the data subject of a clear statement written in words). Current consent management frameworks operated by the main RTB protocols are, in the view of the ICO, not sufficient to comply with these requirements.
  • Lack of Transparency: Information provided to individuals about RTB processing often lacks clarity and fails to explain fully how personal data is processed. Organisations are therefore at risk of breaching the GDPR’s transparency obligations. This also causes difficulties in obtaining a valid consent to data sharing.
  • Lack of Understanding of Legal Framework: It is unclear that organisations participating in RTB frameworks properly understand how the frameworks operate and how personal data processing occurs. Those that cannot document and demonstrate their understanding of RTB processing (and the associated legal rights of end users) risk breaching the accountability principle under the GDPR, and falling below PECR requirements, too.
  • Data Protection Impact Assessments (“DPIAs”): RTB will often trigger the requirement for a DPIA to be conducted, on the basis of ICO-defined high risk activities, such as (i) profiling individuals on a large scale or (ii) “invisible processing” where personal data has not been collected directly from individuals and organisations consider that it would involve a disproportionate effort to provide transparency information to individuals (and so avoid doing so). The ICO has seen no evidence to date that organisations are aware of, or are meeting, the potential DPIA requirement.

What do we do if we are involved in online advertising?

The Adtech Report will have implications for all participants in the adtech system, from website owners (publishers) to exchange providers, and ultimately to advertisers. Apart from publishers carrying out a cookie audit, organisations involved in adtech should now look to understand:

  • The extent to which they are processing personal data, and who they ultimately pass this data to.
  • What may be required of them under standard-form contracts that are put in place by other players in the industry, particularly in relation to gathering end-user consent.
  • Any high-risk processing activities that they carry out, which may require a DPIA to be carried out.

Away from PECR and the GDPR, organisations active in the adtech industry are facing scrutiny under competition law. In fact, the Competition and Markets Authority (“CMA”) announced on 3 July that it has launched a market study into digital advertising and “broad potential sources of harm to consumers” from online platforms. The CMA has stated that this will include a review of the way that organisations collect and use personal data. The ICO and the CMA have in place a memorandum of understanding setting out the procedure for cooperation between the two authorities, so it will be interesting to see the extent to which any action taken is coordinated.

A regulator’s role is of course to enforce the law as it is, rather than the law as it was supposed to be enacted or as it might one day become, and undoubtedly the situation caused by the delayed EU legislative reforms is not of any regulator’s making. Finding ourselves on the cusp of the 5G era, with all the associated potential for the Internet of Things, whilst accompanied by a dysfunctional regulatory framework is less than ideal. Expecting compliance with the historic ePrivacy regime alongside the GDPR feels rather like swapping your horse for a car and still expecting it to run on hay.