- What are cookies?
- Cookies and the GDPR
- The GDPR and PECR
- Consent for Cookies
- What does consent look like in practice?
- When is a cookie not a cookie?
- Enforcement of the Cookie Law
- The e-Privacy Regulation
- What about Brexit?
What are cookies?
The proper definition of a cookie, as the term is used in websites, marketing and email, is a small text file created by a website, stored either temporarily or permanently, that gives the website a way to recognize you and keep track of your preferences, which all sounds pretty straightforward. And of course, everybody is used to getting cookie notices and information about cookies when they visit websites. This is actually an example of a cookie from Amazon:

session-id-time 954242000 amazon.com/
session-id 002-4135256-7625846 amazon.com/
x-main eKQIfwnxuF7qtmX52x6VWAXh@Ih6Uo5H amazon.com/
ubid-main 077-9263437-9645324 amazon.com/

It stores quite a lot of information: there is a personal code in there, a session ID, and some other values.

Cookies and the GDPR
So when we’re thinking about cookies, your natural inclination is to think about the GDPR, the General Data Protection Regulation, which relates to all personal data. But the GDPR doesn’t say anything in particular about cookies; it just focuses on personal data. So you have to ask yourself “Is a cookie a piece of personal data?”, and if it can identify an individual, then it is going to be classified as personal data. In almost all cases, I think cookies could be described as personal data: they all come back to having some sort of identifier in there that points to an individual, whether it’s an IP address or something else. So you are going to have to take the GDPR into consideration. And then the first thing you have to think about in that instance is which legal ground is best for processing that little piece of personal data. And as with most things when it comes to marketing and the GDPR, the two legal grounds you have to choose from are Consent and Legitimate Interest.

The GDPR and PECR
The GDPR has a place, but the primary piece of legislation to think about with cookies is PECR. PECR stands for the Privacy and Electronic Communications Regulations, and it’s the UK implementation of the e-Privacy Directive from 2003. Just like the GDPR, it doesn’t specifically mention cookies, but it describes the sort of things that cookies do. And it covers not just cookies but things that work a little bit like cookies, so anything you might describe as a beacon or a tag, or even device fingerprinting, would come under the heading of “cookies and similar technologies”, as it has come to be described. The PECR rules apply whenever anybody stores information on a user’s device or gains access to information on a user’s device. So the classic use of a cookie is when you go to a website, the website puts a cookie in the user’s browser so that it can recognize that person when they come back. By putting a piece of information there and then reading it when that person returns to the website, you are doing exactly what PECR is talking about when it refers to storing or reading information on a person’s device. And PECR says you have to have consent, and the level of consent required is the level of consent described in the GDPR. So it has to be specific, it has to be given by a positive action and it has to be unambiguous, which means you have to describe the kind of thing the cookie does, how it will be stored, whether it is going to be shared with anybody, and other information as well. But really, you have to consider the fact that people might not understand cookies, and explain to them exactly what’s going on.

Consent for Cookies
Now, I said that you need consent. And you do need consent for pretty much all cookies except those that are strictly necessary, and when the legislation describes “strictly necessary”, it’s quite a narrow definition. So if your cookie is there for the purpose of aiding the transmission of information, for some sort of security purpose, or for a service that a person has specifically requested, then you don’t need that opt-in level of consent. But for anything else you do, and that covers pretty much everything we do with cookies. So whether it’s recognizing somebody when they come back, saving their preferences, personalizing the website, or even something as benign as analytics, all cookies of that kind are going to require consent. And it’s a GDPR level of consent: you have to explain what the cookie does, how long it will be stored, and how it will be used and shared. Analytics is not described as strictly necessary. It’s obviously a very beneficial thing, but your website would work without that analytics cookie, and therefore it’s not strictly necessary.

What does consent look like in practice?
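One way to turn the rule above into code, as an added example that is not from the original article: a small gate that refuses to place a cookie unless its purpose is strictly necessary or the user has given an explicit opt-in for that purpose, honours withdrawal, and keeps the consent record itself as a necessary cookie. The purpose names and the in-memory jar standing in for document.cookie are this example’s own assumptions.

```javascript
// Added example: consent gate for cookie placement (not the article's own code).
// Purposes the article describes as exempt: aiding transmission, security, or a
// service the user explicitly asked for; the consent record itself is exempt too.
const STRICTLY_NECESSARY = new Set(["session", "security", "consent"]);

// `jar` is an assumed stand-in for the browser cookie store, so this runs offline.
function createCookieGate(jar = new Map()) {
  let consent = {}; // purpose -> true only after a positive user action

  function saveConsentRecord() {
    jar.set("cookie_consent", { value: JSON.stringify(consent), purpose: "consent" });
  }

  // choices: e.g. { analytics: true, personalisation: false }
  function recordConsent(choices) {
    consent = {};
    for (const [purpose, value] of Object.entries(choices)) {
      // Unambiguous means an explicit true; "yes", 1 or a pre-ticked box do not count.
      consent[purpose] = value === true;
    }
    saveConsentRecord();
  }

  function setCookie(name, value, purpose) {
    const allowed = STRICTLY_NECESSARY.has(purpose) || consent[purpose] === true;
    if (!allowed) return false; // no consent for this purpose: store nothing
    jar.set(name, { value, purpose });
    return true;
  }

  // Withdrawal must be honoured: drop everything placed under that purpose.
  function withdrawConsent(purpose) {
    consent[purpose] = false;
    for (const [name, cookie] of jar) {
      if (cookie.purpose === purpose) jar.delete(name);
    }
    saveConsentRecord();
  }

  // Lists what is currently stored, with its purpose, for a cookie notice.
  function inventory() {
    return [...jar].map(([name, c]) => ({ name, purpose: c.purpose }));
  }

  return { recordConsent, setCookie, withdrawConsent, inventory };
}
```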
When is a cookie not a cookie?
Now, it was just a week or so ago, this article came up on the BBC website about “spy pixels” in emails.
Enforcement of the Cookie Law
When it comes to enforcing the cookie rules, the picture is different across Europe. Whereas the GDPR tried to harmonize data protection across Europe, and every country in the EU is supposed to apply that legislation in the same way, the e-Privacy Directive from which PECR came was implemented separately by each European country, so the rules are all slightly different in each location. So what we see at the moment is that the CNIL, who are the equivalent of the ICO in France, have brought some enforcement cases against companies for their use of cookies. But in the UK, that’s not the case. The ICO, the Information Commissioner’s Office, who enforce both the GDPR and PECR, consider cookies pretty much a low priority, and there are a few reasons for that. It’s difficult to demonstrate that somebody having a cookie placed in their browser, or a pixel in an email, is causing a lot of damage or distress to an individual. And unfortunately, under the PECR legislation the regulator does have to go to quite some lengths to prove that that was going on in order to make an enforceable case. Now, they published some guidance around June 2019 to try and refresh people’s memories about cookies, because I think with the implementation of the GDPR, people have forgotten about all other kinds of legislation. And their cookie guidance was met initially with some horror from the industry, because it was really laying down the law about how you have to get consent for all kinds of cookies or similar technologies. However, it did include this paragraph, right at the end of the document, which is just a little bit of reassurance for marketers who don’t really have any other way to measure their audiences, or to find out exactly what is happening to their emails when they’re sent.
