- What are cookies?
- Cookies and the GDPR
- The GDPR and PECR
- Consent for Cookies
- What does consent look like in practice?
- When is a cookie not a cookie?
- Enforcement of the Cookie Law
- The e-Privacy Regulation
- What about Brexit?
What are cookies?
The proper definition of a cookie, as we use it in websites, marketing and emails, is a small text file created by a website, stored either temporarily or permanently, which provides a way for a website to recognize and keep track of your preferences. That all sounds pretty straightforward, and of course everybody is used to getting cookie notices and information about cookies when they visit websites. This is actually an example of a cookie from Amazon:

session-id-time 954242000 amazon.com/
session-id 002-4135256-7625846 amazon.com/
x-main eKQIfwnxuF7qtmX52x6VWAXh@Ih6Uo5H amazon.com/
ubid-main 077-9263437-9645324 amazon.com/

It stores quite a lot of information: there is a personal code in there, a session ID, and some other stuff.

Cookies and GDPR
So when we’re thinking about cookies, your natural inclination is to think about GDPR, the General Data Protection Regulation, which relates to all personal data. But the GDPR doesn’t say anything in particular about cookies; it just focuses on personal data. So you have to ask yourself “Is a cookie a piece of personal data?”, and if it can identify an individual, then it is going to be classified as personal data. In almost all cases, I think cookies could be described as personal data: they all come back to having some sort of identifier in there that focuses on an individual, whether it’s an IP address or something else. So you are going to have to take GDPR into consideration. And the first thing that you have to think about in that instance is that you have to decide which legal ground is best for processing that little piece of personal data. And of course, as with most things when it comes to marketing and GDPR, the two legal grounds that you have to choose from are Consent and Legitimate Interest.

GDPR and PECR
GDPR has a place, but the primary piece of legislation to think about with cookies is PECR. PECR stands for the Privacy and Electronic Communications Regulations, and it’s the UK implementation of the e-Privacy directive from 2003. It doesn’t specifically mention cookies, just like GDPR, but it describes the sort of things that cookies do. And it covers not just cookies but things that work a little bit like cookies, so anything that you might describe as a beacon or a tag, or even device fingerprinting, would come under the heading of “cookies and similar technologies”, as it has come to be described. The PECR legislation applies when anybody stores information on a user’s device, or gains access to information on a user’s device. So the classic use of a cookie is when you go to a website, the website puts a cookie on the user’s browser so that it can recognize that person when they come back. Obviously, by putting a piece of information there and then reading it when that person returns to the website, that is exactly what PECR is talking about when it refers to reading or placing information on a person’s device. And PECR says you have to have consent, and the level of consent required is the level of consent described in GDPR. So that means it has to be specific, it has to be in the form of a positive action and it has to be unambiguous: you have to describe the kind of thing that the cookie does, how it will be stored, and whether it’s going to be shared with anybody, and other information as well. But really, you have to consider the fact that people might not really understand cookies, and explain to them exactly what’s going on.

Consent for Cookies
Now, I said that you need consent. And you do need consent for pretty much all cookies except those that are strictly necessary. And when the legislation describes “strictly necessary”, it’s quite a narrow definition. So if your cookie is there for the purposes of aiding the transmission of information, or for some sort of security purpose, or if it’s for a service that a person has specifically requested, then you don’t need to get that sort of opt-in level of consent. But for anything else you do, and that covers pretty much everything that we do with cookies. So, whether it’s recognizing somebody when they come back, saving their preferences, personalizing the website, or even something as benign as analytics, all cookies of that kind are going to require consent. And it’s a GDPR level of consent: you have to explain what the cookie does, how long it will be stored, and how it will be used and shared. Analytics is not described as strictly necessary. It’s obviously a very beneficial thing, but your website would work without that analytics cookie, and therefore it’s not strictly necessary.

What does Consent look like in practice?
This is probably the worst cookie banner that I could see, because it provides no information really, other than the fact that this website uses cookies. And you can either accept it or read more. And that’s something that we see quite a lot with cookie banners: the Accept option for cookies will be very prominently placed, and making any changes, or rejecting the placement of cookies, is often made quite difficult for consumers. For consent to be valid, it has to be an equally weighted decision; you have to have an accept or decline option.
If you want to see an example of a fully compliant cookie application, I always use the ICO’s website; this is possibly the simplest cookie banner that you could imagine.
The ICO, as you can see here, explain their use of cookies, and they explain necessary cookies. And then the only cookie that they’re actually asking you to accept is an analytics cookie. And you can see that the little slider there is placed in the “off” position as default. And that’s exactly what you would expect. So the person, if they want to allow cookies, has to come in here and change that setting themselves. That’s the positive action in consent: save and close the settings. And then the ICO will know what you’ve been doing on their website. It was a little bit of an irony there, because the ICO have to report back to their government masters about how well their website is performing. And ever since they’ve put their new cookie banner on there, they’re not getting nearly the amount of analytics about that that they used to. So it’s clearly a pain for all of us.
Now, this is pretty much an example of how not to do it. So, you can see here the Daily Mail’s page.
I’ve got the cookie banner at the bottom, which is pretty much weighted towards me saying “yes”: that green “got it” button is sticking out there, and if I want to change any settings, obviously I have to go to cookie settings. And if you do follow that through, it’s a very complicated process of selecting, from hundreds of different people that the data is shared with, whether or not you want to share with them. So, I can imagine that almost everybody just clicks “got it” and carries on reading their article.
But the most important thing here is, I use a little utility on my browser called Ghostery, and Ghostery tracks any cookies that are put down and you can choose whether to accept them or get rid of them.
And you can see here that, even before I touched that cookie banner, so before I’d said “yes” or “no” to any cookies, this website had actually placed nine cookies on my browser before doing anything. So it makes a little mockery of me having the choice of whether they’re there, because they were put there before I even said “yes” or “no”.
Now here’s an example that is quite easy.
You’ve got everything in one place. You can choose to just click one of the three buttons there: “Use necessary cookies only”, “Allow the selection”, which at the moment is set to necessary only, or “Allow all cookies”. You can pick and choose exactly what you want there. And if you want more details, there’s a little drop-down at the side there. So, that’s quite good. And I’ve seen that on a number of websites recently.
 
This is an excellent example, I really like this.
I’ve got this in two stages: you’ve got the little banner that comes up at the bottom of the website, and you’ve got the three options. Again, you can customize the cookies, or you can “disable all” or “allow all”. If you go into the Customize section, you can see there that you’re given a little bit of a description about each cookie and what it does, and a choice of where to put the slider. And at the moment, all of those sliders are set in the negative position, which is what you’d expect in a fully-compliant consent arrangement.
This is another, similar kind of thing.
This seems to be using the same kind of software as the ICO. And again, sliders in the “off” position. They’re using just marketing and analytics cookies on this particular site.
This isn’t a great example, but I sort of like it.

Because when you go to the cookie settings, it gives you quite a lot of information about each individual cookie, what’s going on, and then a choice of what to do about it. Obviously, the initial choice about whether to accept or decline the cookies is not great, because you’ve just got the “accept all the settings”; you haven’t got the decline option. But it’s quite interesting for those people, probably like me, who like to read a little bit about what’s going on behind the scenes.
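The consent rules set out above (strictly necessary exemption, positive action, purpose and retention explained) and the nine-cookies-before-the-banner finding, as an added JavaScript example that is not code from the talk or from any of the banners shown: a consent gate that keeps every non-necessary category off until the visitor explicitly switches it on, builds the per-cookie description a banner has to show, and audits a list of cookie names observed before the banner was touched. The cookie names, categories and purposes are constructed for the example.

```javascript
// Added example (not the talk's code): consent gate for non-essential cookies and a
// pre-consent audit. Cookie names, categories and purposes below are constructed.

// Categories the banner offers. Every one starts "off": consent needs a positive action.
const DEFAULT_CONSENT = Object.freeze({ analytics: false, marketing: false, preferences: false });

// Registry of the cookies this hypothetical site sets, with the information a banner has
// to show: what the cookie does, how long it is kept and whether it is shared.
const COOKIE_REGISTRY = [
  { name: 'session', category: 'necessary', purpose: 'Keeps you logged in during your visit', maxAgeDays: 0, sharedWith: [] },
  { name: 'csrf_token', category: 'necessary', purpose: 'Protects forms against cross-site request forgery', maxAgeDays: 0, sharedWith: [] },
  { name: 'cookie_consent', category: 'necessary', purpose: 'Remembers your cookie choices', maxAgeDays: 365, sharedWith: [] },
  { name: '_ga', category: 'analytics', purpose: 'First-party analytics: counts visits and pages', maxAgeDays: 730, sharedWith: ['analytics provider'] },
  { name: 'ad_id', category: 'marketing', purpose: 'Third-party advertising profile', maxAgeDays: 390, sharedWith: ['ad network'] },
  { name: 'theme', category: 'preferences', purpose: 'Remembers light or dark mode', maxAgeDays: 180, sharedWith: [] },
];

// Parse the stored consent record (for instance the value of the cookie_consent cookie).
// Anything missing, malformed or not an explicit true is treated as "off".
function parseConsent(raw) {
  const consent = { ...DEFAULT_CONSENT };
  if (!raw) return consent;
  let parsed;
  try { parsed = JSON.parse(raw); } catch (e) { return consent; }
  if (!parsed || typeof parsed !== 'object') return consent;
  for (const key of Object.keys(DEFAULT_CONSENT)) {
    if (parsed[key] === true) consent[key] = true; // only an explicit opt-in counts
  }
  return consent;
}

// May this cookie be placed under the given consent record? "Strictly necessary"
// cookies are exempt; everything else needs its category switched on; unknown
// cookies are refused so nothing unlisted slips through.
function mayPlace(name, consent) {
  const entry = COOKIE_REGISTRY.find(c => c.name === name);
  if (!entry) return false;
  if (entry.category === 'necessary') return true;
  return consent[entry.category] === true;
}

// Audit: cookie names observed (say, by a browser extension) before the visitor
// touched the banner. Every name that needs consent is a placement without it.
function auditPreConsent(observedNames) {
  return observedNames.filter(name => !mayPlace(name, DEFAULT_CONSENT));
}

// The lines a banner shows for one category: purpose, retention and sharing per cookie.
function describeCategory(category) {
  return COOKIE_REGISTRY.filter(c => c.category === category).map(c =>
    `${c.name}: ${c.purpose}; kept ${c.maxAgeDays === 0 ? 'for this session' : `${c.maxAgeDays} days`}` +
    (c.sharedWith.length ? `; shared with ${c.sharedWith.join(', ')}` : '; not shared'));
}
```

Running auditPreConsent over the names a tool like Ghostery lists before any click gives the set of cookies that were placed without consent.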
When is a cookie not a cookie?
Now, it was just a week or so ago, this article came up on the BBC website about “spy pixels” in emails. And it’s a little bit sensationalist. I mean, to call it a “spy pixel” suggests all kinds of nasty things that are going on. But really, what they’re identifying here is the use of the little invisible GIFs that are included in emails, open tracking pixels, whatever you call them, that basically just let the sender know a little bit about what’s happened to their email, whether it’s been opened or read, or whatever.
Now, as I said, a cookie isn’t just always a cookie, it’s not always just that little bit of information that we saw earlier on. Something like an email pixel is a similar technology. And therefore it does fall under these rules, it does technically mean that you would have to ask separate permission to include a tracking cookie in any emails that you send. And I know that this is very, very difficult, I know that there are a lot of email service providers that include this as just part of the service that they offer. It’s difficult to turn off and I don’t know of any service provider that would allow you to turn it off on an individual basis, so that some people got the pixel and some people didn’t. But I’ll come on and talk about how to deal with this in just a sec.
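The open-tracking pixel described above, as an added JavaScript example that is neither the talk's code nor the BBC's: a check a sender can run over an outgoing email template to find the invisible remote image an email service provider may have inserted, so that it can be described in the privacy information sent with the email. The sample HTML, hostnames and token are constructed for the example.

```javascript
// Added example (not from the talk): find open-tracking pixels in an email's HTML body.
// The sample below is constructed: a normal logo plus a hidden 1x1 remote GIF whose URL
// carries a per-recipient token. Hostnames and the token are invented.
const SAMPLE_EMAIL_HTML = `
<html><body>
<img src="https://example.invalid/img/logo.png" width="200" height="60" alt="Example logo">
<p>Thanks for subscribing.</p>
<img src="https://track.example.invalid/o/ab12cd34ef56.gif?r=9f3a7c21b0" width="1" height="1" style="display: none" alt="">
</body></html>`;

// Pull every <img ...> tag and its attributes out of the HTML. A pragmatic regex parser
// is enough to audit a template; messy real-world email HTML may need a proper parser.
function extractImages(html) {
  const tags = html.match(/<img\b[^>]*>/gi) || [];
  return tags.map(tag => {
    const attrs = {};
    const re = /([a-z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
    let m;
    while ((m = re.exec(tag)) !== null) {
      attrs[m[1].toLowerCase()] = [m[2], m[3], m[4]].find(v => v !== undefined) || '';
    }
    return attrs;
  });
}

// Signs of an open-tracking pixel: tiny or hidden, fetched from a remote host (the fetch
// itself is the "opened" signal) and usually carrying a unique-looking token in the URL.
// An image is flagged when it is remote and shows at least one further sign.
function classifyImage(attrs) {
  const reasons = [];
  const w = parseInt(attrs.width, 10), h = parseInt(attrs.height, 10);
  if (w <= 1 && h <= 1) reasons.push('1x1 or smaller');
  const style = (attrs.style || '').replace(/\s+/g, '').toLowerCase();
  if (style.includes('display:none') || style.includes('visibility:hidden')) reasons.push('hidden by CSS');
  const src = attrs.src || '';
  if (/^https?:\/\//i.test(src)) reasons.push('remote image'); // a data: URI cannot phone home
  if (/[?&][a-z_]+=[A-Za-z0-9]{8,}/.test(src) || /\/[A-Za-z0-9]{8,}\.(gif|png)(\?|$)/.test(src)) {
    reasons.push('unique-looking token in URL');
  }
  return { src, isTrackingPixel: reasons.includes('remote image') && reasons.length >= 2, reasons };
}

// All images in the body that look like tracking pixels, with the reasons for each.
function findTrackingPixels(html) {
  return extractImages(html).map(classifyImage).filter(r => r.isTrackingPixel);
}
```

A short cache-buster such as ?v=2 on a logo is not treated as a token, so ordinary images are left alone.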
Enforcement of the Cookie Law
When it comes to enforcement about cookies and this kind of thing, it’s different across Europe. Whereas GDPR tried to harmonize data protection across Europe, and every country in the EU is supposed to be using the legislation in the same way, the e-Privacy directive from which PECR came was implemented separately by each European country, so they are all slightly different in each location. So what we see at the moment is that the CNIL, who are the equivalent of the ICO in France, have made some enforcement cases against companies for their use of cookies. But in the UK, that’s not the case. The ICO, the Information Commissioner’s Office, who enforce both GDPR and PECR, consider cookies pretty much a low priority, and there are a few reasons for that. It’s difficult to demonstrate that somebody having a cookie placed on their browser, or a pixel in an email, is causing a lot of damage or distress to an individual. And unfortunately, with the PECR legislation, the regulator does have to go to quite some lengths to prove that that was going on in order to make an enforceable case. Now, they published some guidance, around June 2019, to try and refresh people’s memories about cookies, because I think with the implementation of GDPR, people have forgotten about all other kinds of legislation. And their cookie guidance was met initially with some horror from the industry, because it was really laying down the law about how you have to get consent for all kinds of cookies or similar technologies. However, it did include this paragraph, right at the end of the document, which is a little bit of reassurance for marketers who don’t really have any other way to measure their audiences, or find out exactly what’s happening to their emails when they’re sent.
So the ICO said that they “cannot exclude the possibility of formal action.” However, it’s “unlikely that priority for any formal action will be given to users of cookies, where there is a low level of intrusiveness and a low risk of harm to individuals.” So, if you’ve done as much as you can to explain the use of cookies, and let people know that they are going to be there, and that there are some choices, as long as you’ve given people that sort of information, then the ICO say that it’s unlikely that they will prioritize first-party cookies used for analytics purposes, where these have a low privacy risk.
So something like Google Analytics where you’re not sharing the data with anybody else, or an email pixel, I think these are probably the easier ones to justify, because you generally only send emails to people who have requested them. And they always have the opportunity to opt out. But there’s still some information that can be put into emails or into privacy policies that explain what’s going on there. But the ICO is “unlikely to prioritize first-party cookies, where these have low privacy risk, or those that merely support accessibility.” So there is a little bit of a get out there. I think what the ICO is really trying to get strict about is the use of third-party cookies, cookies for tracking and profiling and sharing information, that kind of thing. As I said, the ICO has produced a guide on the use of cookies, which is quite good. It goes into some detail.
But the DMA has also produced a guide to cookies, which has a number of examples in there. And it’s a bit more of a how-to guide than a how-not-to guide.