Cookies, consent and social media plugins
It has been an eventful summer for the Information Commissioner’s Office, with headline fines and enforcement orders. One thing that may have slipped through the net for some website providers is the long-awaited update on cookies.
Cookies are small pieces of information employed by websites to track when a user visits their site. Providers use them to track browsing behaviour, user devices, user location, frequency of a user’s visits, and also to support shopping basket functions. Cookies can be “per session”, i.e. they are forgotten once you leave the site, or “persistent”, meaning they are stored on your device between sessions. Third-party cookies are set by a website or domain separate from the one being visited. These incorporate elements such as social media plugins, advertising or images.
The Privacy and Electronic Communications Regulations 2003 (“PECR”) govern the application of cookies, device fingerprinting and tracking technologies (whether or not personal data are being processed). They require website providers to tell users about cookies and give them the choice whether their information is stored in this way.
What has changed?
In reality, not much has changed; rather, the interpretation has been clarified. PECR always required consent for non-essential cookies (i.e. not for the purpose of transmission of a communication, or being strictly necessary). Prior to GDPR coming into force, the criteria for consent were unclear, and a soft opt-in, or implied consent, was deemed acceptable. With GDPR in force, PECR engages its criteria for consent; implied consent is therefore no longer acceptable. This means that blanket forms of consent, such as “By continuing to use this website, you consent to the use of cookies”, are no longer valid.
To recap, under GDPR, consent must be: informed; a clear affirmative action; granular; unbundled; and capable of being withdrawn. Website providers that employ non-essential cookies are also required to demonstrate that consent has been given.
The ICO’s recent guidance reinforces this, while clarifying that where you need consent to set non-essential cookies, your legal basis under GDPR will also be consent. Put another way, if you are relying on consent, you can no longer rely on any other legal basis to continue to employ non-essential cookies (and similar tracking technologies).
The ICO has a narrow interpretation of what constitutes “strictly necessary” cookies.
For example:
- cookies employed for security purposes (such as online banking) would be deemed strictly necessary, but not those of third parties;
- analytics and advertising cookies are not strictly necessary;
- authentication cookies may be essential, but login or persistent cookies are not;
- cookies employed for streaming content could be deemed as strictly necessary, but not if they relate to personalisation or monitoring purposes.
In relation to non-essential cookies and similar technologies, in order to ensure compliance with the ICO’s recommendations, website providers must:
- clearly inform users that cookies are being employed, and what they do;
- identify and clearly explain third party cookies, giving an option to reject these;
- ensure that no “on” sliders and pre-ticked boxes are permitted;
- provide users with easy-to-use controls;
- ensure that no non-essential cookies and technologies are employed on the website landing page;
- allow access to their websites, even if users don’t consent to the use of non-essential cookies; and
- avoid using pop-up consent boxes, or “agree” or “accept all” buttons over “reject all”, since the ICO has advised that these are unlikely to constitute valid consent, and sway users towards accepting cookies.
Social media plugins
In the days of ever increasing dependence on social media, especially for brand awareness, the case of Fashion ID GmbH & Co KG v Verbraucherzentrale NRW eV (Case C40/17), 29 July 2019 is particularly pertinent for website providers. It related to a German fashion online retailer which featured a Facebook “Like” button on its website. This resulted in users’ personal data being shared with Facebook Ireland without them being notified or aware of it, and regardless of whether they were members of Facebook, or had clicked the button.
The EU Court of Justice held that the website provider and third party (in this case Facebook) were joint controllers in relation to the collection, processing and transmission of the personal data collected from users. This meant that both provider and third party had to provide users at the time of collection with information on how their personal data would be processed.
Where processing is based on consent, both website provider and third party must obtain consent prior to the collection of the data. If processing is based on a legitimate interest, that interest must justify the transmission of the personal data. This decision will have a rippling effect, not just on social media plugins but also for embedded content such as maps and videos.
It is hoped that with GDPR now in force for over a year, clarity on this subject will continue to evolve. The ePrivacy Regulation that will replace the ePrivacy Directive is still being discussed and is unlikely to be finalised before 2020.