November saw a ramping up of regulator action on cookies, once again showing that cookie compliance is not something to take lightly, particularly when using cookies for more than purely functional purposes, such as advertising or analytics.
New EDPB ePrivacy Directive Guidelines
As well as the EDPB issuing a decision which imposed an EEA-wide ban on Meta processing personal data for behavioural advertising, a decision which calls into question the adtech model (for more information see our article here), the EDPB also published for consultation new draft guidelines ("Guidelines") on the ePrivacy Directive ("Directive"), which could extend the legislation's application to emerging technologies.
Whilst it is arguable that the wording of Article 5(3) of the Directive, which refers to "electronic communications networks", defined by Article 2 of the Framework Directive as:
"transmission systems and, where applicable, switching or routing equipment and other resources which permit the conveyance of signals by wire, by radio, by optical or by other electromagnetic means, including satellite networks, fixed (circuit- and packet-switched, including internet) and mobile terrestrial networks, electricity cable systems, to the extent that they are used for the purpose of transmitting signals, networks used for radio and television broadcasting, and cable television networks, irrespective of the type of information conveyed"
is already broad enough to capture new technologies, the Guidelines look to remove any ambiguity in Article 5(3) as to its application in the face of the ever-changing technological landscape.
As well as setting out a non-exhaustive list of specific technologies to which Article 5(3) should be applied, the Guidelines set out four key criteria which, if met by a technology, will bring it within the scope of Article 5(3). These criteria are:
- CRITERION A: the operations carried out relate to ‘information’. It should be noted that the term used is not ’personal data’, but ‘information’.
- CRITERION B: the operations carried out involve a ‘terminal equipment’ of a subscriber or user.
- CRITERION C: the operations carried out are made in the context of the ‘provision of publicly available electronic communications services in public communications networks’.
- CRITERION D: the operations carried out indeed constitute a ‘gaining of access’ or ‘storage’. Those two notions can be studied independently, as reminded in WP29 Opinion 9/2014: ‘Use of the words “stored or accessed” indicates that the storage and access do not need to occur within the same communication and do not need to be performed by the same party.’
Whilst it remains to be seen whether reference to technology "gaining access" adequately captures the functionality of new technologies and adds anything to the current position, it is clear that the EDPB is keen to set out its expectation that new technologies should be complying with the consent requirements even if they don't fit within the typical cookie model.
The consultation on the Guidelines closes on 28 December 2023.
ICO taking action on non-compliant cookies
Under the Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”), organisations are required to obtain users' consent to the placement of any non-necessary cookies (which include analytics and advertising cookies) before those cookies are placed on the user's device. The standard of consent is derived from the UK GDPR, which requires that consent be “freely given, specific, informed and unambiguous…”
The ICO Guide to PECR sets out what must and must not be done to ensure that cookie consent banners comply with the law. It is also important to note that "nudges", such as pre-ticked consent boxes or providing only an "Accept All" option without an equally easy way to "Reject All", are expressly banned. This is to ensure that users are given a fair choice over whether or not to be tracked for personalised advertising.
This is not the first time that the ICO has issued such a warning, and it has now started to take proactive action by writing to many of the UK's most visited websites, cautioning them to "make the changes now, or face the consequences". The ICO has given a 30-day deadline for websites to comply with the law, and has promised to provide an update on the action it has taken in January 2024, including "naming and shaming" the worst offenders.
The ICO's power to fine and to cause reputational damage is not the only threat to companies with non-compliant websites. Regulation 30(1) PECR entitles a person who has suffered damage as a result of a contravention of PECR to claim compensation for that damage.
The ICO has provided examples of when harm can be suffered by users: "Gambling addicts may be targeted with betting offers based on their browsing record, women may be targeted with distressing baby adverts shortly after miscarriage and someone exploring their sexuality may be presented with ads that disclose their sexual orientation."
DAC Beachcroft has handled numerous compensation claims brought by individuals alleging that they have suffered harm as a result of cookies being placed on their device without their consent. Importantly, however, there is no entitlement to compensation for a merely technical breach of PECR / UK GDPR: any claimant must provide evidence of the material damage that they have suffered as a result of the breach, and that damage must exceed the "de minimis" threshold.
Nonetheless, the risk of getting cookies wrong in the UK is clearly something that organisations should have high on their agenda.