Cookies and consent: how to avoid half-baked compliance
Happy National Cookie Day! While you take a break to channel your inner Cookie Monster, our new Data Privacy specialist, Lucas Atkin, reminds us of the rules and risks associated with something less delicious but no less important: website cookies.
What are website cookies?
Small text files placed on your computer or mobile device by websites you visit. They record information about your use of that website and are sent back to the site on later requests, so the operator can read them. The information is valuable: for example, recognising your device to allow automatic log-in, giving quick access to your preferred content, or letting operators analyse which content is popular.
Remind us: what are the rules if we want to use website cookies?
The information collected often contains personal data, so data privacy law applies. To recap, the EU E-Privacy Directive (“EPD”), which Member States must implement via domestic law (the Privacy and Electronic Communications Regulations (“PECR”) in the UK), prohibits storing cookies on, or reading them from, users’ devices unless the user consents or the cookie is strictly necessary to provide a service the user has explicitly requested (a session cookie that keeps items in a shopping basket, for example; analytics and advertising cookies do not qualify). That rule applies whether or not the cookie contains personal data; where it does, the GDPR applies on top.
However, many organisations still use implied consent models (a banner stating that continued browsing counts as acceptance, with cookies already set on page load). We suspect this is because:
-cookie compliance was not on supervisory authorities’ radars (perhaps because they have been waiting for the E-Privacy Regulation (“EPR”), which will replace the EPD, to come into effect); and
-some organisations are taking a “wait and see” approach, reasoning that they are unlikely to be the first organisation punished for breaching cookie rules and fearing that compliance will reduce website traffic and service use.
What has changed?
Perhaps due to continued delay of the EPR (the latest draft was again rejected by the Council of the European Union last month, meaning the EPR is unlikely to take effect before 2021), data privacy authorities have recently been publicly adopting a tougher stance on cookie compliance. In the UK, earlier this year the ICO published new guidance which made clear that implied consent is no longer acceptable: “the user must take a clear and positive action to give their consent to non-essential cookies… continuing to use an organisation’s website does not constitute valid consent”. Similar guidance has been issued by the French supervisory authority, CNIL, while the Spanish supervisory authority, AEPD, fined airline Vueling €30,000 in October for non-compliance with cookie rules.
This has been replicated at judicial level. In its October judgment in Planet49 (Case C-673/17), the Court of Justice of the European Union held that pre-checked boxes do not achieve valid consent, that the consent requirement applies whether or not the information stored is personal data, and that consent must be specific to the cookies on your website (i.e. it is not sufficient to argue that someone accepts cookies when they take an action, for example watching a video or visiting a page, which necessarily involves deployment of cookies). The Court also held that users must be told how long the cookies will operate and whether third parties can access them.
In short, continued use of implied consent models has become riskier, and supervisory authorities are actively targeting cookie compliance.
What should we do?
If not done already, we recommend conducting an internal audit to identify which cookies you use and why, before drafting or amending your cookie notice and accompanying consent collection statement accordingly. The statement should satisfy the GDPR’s requirements for valid consent (freely given, specific, informed, unambiguous and given by a clear affirmative act), while a well-drafted cookie notice should:
-Identify the website operator;
-Identify the cookies used (first and third party);
-Explain what each cookie does and why you use them;
-Identify their duration;
-Explain that users can choose whether to accept them or not, by category rather than on a blanket accept / reject-all basis; and
-Provide technical guidance on how to reject or disable them.
Consider also practical requirements, such as making sure the website still works for users who reject some or all non-essential cookies, and that those cookies are not set until consent has actually been given.
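The consent rules above translate into a small amount of front-end logic: non-essential cookies must not be set until the user has clicked to opt in, boxes start unchecked, the decision is recorded per category and can be withdrawn, and the consent record itself is kept as evidence. The following is an added example written for this page (not code from the article or from any consent-management product); the category names and the cookie store interface are assumptions, and the in-memory store is constructed so the logic runs outside a browser.

```javascript
// Added example: a consent-gated cookie layer. Non-essential cookies are set
// only after an explicit per-category opt-in; nothing is inferred from
// scrolling, continued browsing or pre-checked boxes. The store is injected
// so the logic runs in Node (a constructed in-memory store stands in for
// document.cookie below).

// Hypothetical category list; a real cookie audit would supply this.
const CATEGORIES = Object.freeze({
  necessary: { strictlyNecessary: true },   // exempt from consent
  analytics: { strictlyNecessary: false },
  marketing: { strictlyNecessary: false },
});
const CONSENT_COOKIE = "cookie_consent";    // the record itself is strictly necessary
const POLICY_VERSION = 3;                   // bump whenever the cookie notice changes
const ONE_YEAR = 365 * 86400;

// Default banner state: every non-essential category unchecked (no pre-checked boxes).
function defaultChoices() {
  const choices = {};
  for (const [name, meta] of Object.entries(CATEGORIES)) choices[name] = meta.strictlyNecessary;
  return choices;
}

class CookieConsent {
  constructor(store, now = () => Date.now()) {
    this.store = store;
    this.now = now;
    this.consent = null;                    // null until a positive action is taken
  }

  // Called only from the banner's "save choices" button. Every non-essential
  // category needs an explicit boolean; anything missing is rejected.
  recordChoices(choices) {
    const recorded = {};
    for (const [name, meta] of Object.entries(CATEGORIES)) {
      if (meta.strictlyNecessary) { recorded[name] = true; continue; }
      if (typeof choices[name] !== "boolean") throw new Error(`no explicit choice for '${name}'`);
      recorded[name] = choices[name];
    }
    this.consent = { version: POLICY_VERSION, at: this.now(), choices: recorded };
    this.store.set(CONSENT_COOKIE, JSON.stringify(this.consent), ONE_YEAR); // evidence of consent
    return recorded;
  }

  // Restore a prior decision; a record for an older notice version is ignored,
  // so the user is asked again after the notice changes.
  restore() {
    const raw = this.store.get(CONSENT_COOKIE);
    if (!raw) return false;
    try {
      const parsed = JSON.parse(raw);
      if (parsed.version !== POLICY_VERSION) return false;
      this.consent = parsed;
      return true;
    } catch (e) { return false; }
  }

  isAllowed(category) {
    const meta = CATEGORIES[category];
    if (!meta) throw new Error(`unknown category '${category}'`);
    if (meta.strictlyNecessary) return true;
    return this.consent !== null && this.consent.choices[category] === true;
  }

  // The only path through which page code should set a cookie.
  setCookie(name, value, category, maxAgeSeconds) {
    if (!this.isAllowed(category)) return false;
    this.store.set(name, value, maxAgeSeconds);
    return true;
  }

  // Withdrawal must be as easy as consent: flip the category off and drop its cookies.
  withdraw(category, cookieNames) {
    if (this.consent) {
      this.consent.choices[category] = false;
      this.store.set(CONSENT_COOKIE, JSON.stringify(this.consent), ONE_YEAR);
    }
    for (const n of cookieNames) this.store.remove(n);
  }
}

// Constructed in-memory stand-in for document.cookie so the example runs offline.
function memoryStore() {
  const jar = new Map();
  return {
    set: (k, v) => jar.set(k, v),
    get: (k) => jar.get(k),
    remove: (k) => jar.delete(k),
    names: () => [...jar.keys()],
  };
}

// Demo: before any click only strictly necessary cookies can be set; after an
// analytics-only opt-in, analytics cookies are allowed and marketing ones still are not.
function demo() {
  const store = memoryStore();
  const cc = new CookieConsent(store, () => 0);
  const before = cc.setCookie("_ga", "GA1.2.1", "analytics", 63072000);   // false: no consent yet
  cc.setCookie("session", "abc", "necessary", 0);                          // always allowed
  cc.recordChoices({ ...defaultChoices(), analytics: true });              // explicit click
  const after = cc.setCookie("_ga", "GA1.2.1", "analytics", 63072000);    // true
  const marketing = cc.setCookie("_fbp", "fb.1", "marketing", 7776000);   // false
  return { before, after, marketing, cookies: store.names() };
}
```

In a real page the `store` would wrap `document.cookie` (and third-party tags such as analytics or advertising scripts would be loaded only when `isAllowed` returns true for their category), while `recordChoices` is wired to the banner's save button and nothing else: no timer, no scroll handler, no "continue browsing" fallback.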
If you would like any help, please do not hesitate to contact Lucas Atkin, Senior Associate, Data Privacy.