July was a busy month for the regulation of cookies and online tracking technologies in the EU. First, the UK Information Commissioner’s Office (ICO) published lengthy guidance on cookies that, among other topics, addresses in detail the relationship between the GDPR and the Privacy and Electronic Communications Regulation (PECR), the UK’s implementation of the E-Privacy Directive (2002/58/EC). A couple of weeks later, the supervisory authority of France, CNIL, published its updated cookie guidance. Then, in an unrelated development, the Court of Justice of the European Union (CJEU) published an opinion in Fashion ID GmbH & Co. KG v Verbraucherzentrale NRW eV (C-40/17) that addressed data protection responsibility for social media widgets.
In this article, we summarize our key takeaways from July’s cookie law developments:
- Don’t forget about other tracking technologies and IoT devices.
Both the ICO and CNIL clarify that the E-Privacy Directive also applies to any technique that can read from or write to “terminal equipment” (i.e., the user’s device), including device fingerprinting, which is the practice of identifying a unique device based on a combination of information collected from the device (e.g., operating system, browser, installed fonts, clock information, etc.).
The E-Privacy Directive also extends beyond traditional computers and browsers to devices such as wearables and smart televisions. Unfortunately, neither the ICO nor CNIL provides practical recommendations for how to obtain informed consent on those devices.
- Perform (regular) audits of cookie practices.
This has been a recommended practice for a long time, but the ICO specifically recommends performing a cookie audit, both at the outset of the online service and periodically over time to account for changes. A cookie audit is not only an opportunity to identify various cookies and tracking technologies on an online service to update notices and consents, but also an opportunity for clean-up. It is not uncommon to discover cookies during a review of a website that are no longer being used, but are remnants of legacy code.
- Determine whether an exemption to consent applies.
The E-Privacy Directive provides an exemption from the consent requirements for cookies that are “strictly necessary” to perform a service requested by the user. One area of disagreement between the ICO and CNIL is whether this exemption applies to analytics cookies—i.e., cookies used to facilitate audience measurement.
The ICO takes the position that analytics cookies are not “strictly necessary,” and therefore require consent. As almost every online service uses analytics cookies, the ICO’s position would require most online services (if operating within the territorial scope of the PECR) to comply with cookie consent requirements. Fortunately, the ICO states that it does not consider analytics cookies a high priority for enforcement action, if such cookies have a low privacy risk as implemented.
In contrast, CNIL takes the view that analytics cookies are eligible for the “strictly necessary” exemption, if certain conditions are met. Specifically: (1) the cookie must be set by the publisher of the site or its processor; (2) users must be informed of such cookies; (3) there must be an opt-out mechanism; (4) the cookie must be used only to create statistics or other aggregated data, and then only for limited purposes (e.g., to evaluate the effectiveness of published content); (5) geolocation information derived from an IP address must not be more specific than a city; and (6) the cookie must expire within 13 months, and the analytics information must not be retained for more than 25 months. Where these requirements are met, CNIL concludes that an online service does not need consent for analytics cookies.
- Develop clear and comprehensive notices.
Both the ICO and CNIL emphasize the importance of providing individuals with notice of cookie practices. This is important not only to meet the “informed” consent requirement, where applicable, but also for transparency under the GDPR. Based on the recent guidance, here are a few tips for notice:
- Include information on the purposes and duration of cookies.
- Avoid lengthy, technical details in a cookie notice. According to the ICO, it is often better to provide useful information on the purposes of processing categories of cookies than to provide a long list of individual cookie names with limited context.
- If using third-party cookies (i.e., a cookie that originates from a third-party domain, such as a social media site), the cookie notice should specifically name the third party. The ICO recommends also including information on how the user can learn more about cookies from the third-party platform (e.g., linking to the third party’s privacy or cookie notice).
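The cookie audit recommended above, and the notice requirements just listed (purpose, duration, and naming of third parties), can be checked mechanically once a site has a declared cookie inventory. The following is an added example written for this article, not code from the ICO, CNIL or any project it discusses; the site host, the inventory and the captured Set-Cookie headers are all constructed sample data, and the 13-month analytics ceiling from CNIL’s conditions is approximated as 395 days. It parses each observed header, tells first-party from third-party cookies, and reports undeclared cookies (the legacy remnants the audit is meant to surface), duration mismatches against the notice, analytics cookies living longer than 13 months, and notice entries for cookies that are no longer set.

```javascript
// Added example: audit observed cookies against the declared inventory that
// backs a site's cookie notice. All inputs below are constructed sample data.

const SITE_HOST = 'www.example-shop.test'; // assumed first-party host

// Declared inventory: what the notice tells users about each cookie.
// maxAgeDays 0 means a session cookie; thirdParty names the setter when
// the cookie does not come from the site itself.
const DECLARED_INVENTORY = [
  { name: 'session_id', purpose: 'strictly necessary', maxAgeDays: 0, thirdParty: null },
  { name: '_site_stats', purpose: 'analytics', maxAgeDays: 395, thirdParty: null },
  { name: 'social_widget_uid', purpose: 'social sharing', maxAgeDays: 365, thirdParty: 'Social Platform Inc.' },
  { name: 'legacy_promo', purpose: 'marketing', maxAgeDays: 30, thirdParty: null },
];

// Constructed Set-Cookie headers as a crawl would capture them; `from` is the
// response host that set each cookie.
const OBSERVED = [
  { from: 'www.example-shop.test', header: 'session_id=abc123; Path=/; HttpOnly; Secure; SameSite=Lax' },
  { from: 'www.example-shop.test', header: '_site_stats=u9x; Max-Age=63072000; Path=/; Secure' },
  { from: 'widgets.social-platform.test', header: 'social_widget_uid=77; Max-Age=31536000; Path=/; Secure; SameSite=None' },
  { from: 'www.example-shop.test', header: 'old_ab_test=variantB; Expires=Fri, 31 Dec 2027 23:59:59 GMT; Path=/' },
];

const DAY_SECONDS = 86400;
const ANALYTICS_MAX_DAYS = 395; // CNIL's 13-month ceiling, approximated in days
const CRAWL_TIME = new Date('2019-08-01T00:00:00Z'); // fixed reference time for Expires

// Parse one Set-Cookie header into its name, attribute map and lifetime in days.
// Max-Age wins over Expires (RFC 6265); neither present means a session cookie.
function parseSetCookie(header, now = CRAWL_TIME) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const attributes = {};
  for (const attr of attrs) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    attributes[key] = i === -1 ? true : attr.slice(i + 1);
  }
  let lifetimeDays = 0;
  if (attributes['max-age'] !== undefined) {
    lifetimeDays = Number(attributes['max-age']) / DAY_SECONDS;
  } else if (attributes.expires !== undefined) {
    lifetimeDays = (Date.parse(attributes.expires) - now.getTime()) / (DAY_SECONDS * 1000);
  }
  return { name, attributes, lifetimeDays };
}

// Naive registrable-domain check (last two labels). A production audit should
// use the Public Suffix List instead.
function sameSite(hostA, hostB) {
  const tail = (h) => h.split('.').slice(-2).join('.');
  return tail(hostA) === tail(hostB);
}

// Compare observed cookies with the declared inventory and return findings.
function auditCookies(observed, inventory, siteHost) {
  const declaredByName = new Map(inventory.map((c) => [c.name, c]));
  const findings = [];
  const seen = new Set();
  for (const obs of observed) {
    const cookie = parseSetCookie(obs.header);
    seen.add(cookie.name);
    const thirdParty = !sameSite(obs.from, siteHost);
    const declared = declaredByName.get(cookie.name);
    if (!declared) {
      findings.push({ name: cookie.name, issue: 'undeclared', detail: `set by ${obs.from}; possible legacy remnant` });
      continue;
    }
    if (thirdParty && !declared.thirdParty) {
      findings.push({ name: cookie.name, issue: 'third party not named', detail: obs.from });
    }
    if (cookie.lifetimeDays > declared.maxAgeDays) {
      findings.push({ name: cookie.name, issue: 'duration exceeds notice', detail: `${cookie.lifetimeDays} > ${declared.maxAgeDays} days` });
    }
    if (declared.purpose === 'analytics' && cookie.lifetimeDays > ANALYTICS_MAX_DAYS) {
      findings.push({ name: cookie.name, issue: 'analytics lifetime exceeds 13 months', detail: `${cookie.lifetimeDays} days` });
    }
  }
  for (const declared of inventory) {
    if (!seen.has(declared.name)) {
      findings.push({ name: declared.name, issue: 'declared but not observed', detail: 'notice entry may be stale' });
    }
  }
  return findings;
}

console.log(auditCookies(OBSERVED, DECLARED_INVENTORY, SITE_HOST));
```

Run under Node with the sample data; the output lists the undeclared `old_ab_test` cookie, two findings for the over-long `_site_stats` cookie, and the stale `legacy_promo` notice entry. Feeding it real crawl headers and the real notice table is the periodic audit the ICO describes.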
- Obtain specific, freely given and informed consent.
Consent is the most visible and, in many cases, the most challenging requirement for online service operators. Based on the recent guidance, here are some tips for consent:
- Obtain consent for cookies before setting them.
- Implement a user-friendly consent mechanism that works best for your online service’s user interface. Both the ICO and CNIL advise against relying on browser settings for consent, although the ICO leaves open the possibility for this to change based on future developments in browser technology.
- Cover third-party cookies, as well as cookies set by your online service.
- The consent mechanism should offer users the opportunity to demonstrate assent in an unambiguous manner. The failure by a user to engage with a consent mechanism should not be considered consent when the user navigates to other parts of the online service.
- Do not rely on general terms and conditions as a basis for consent. CNIL emphasizes that users must have an opportunity to consent to each purpose, which suggests offering users granular choices through a cookie settings menu.
- Avoid “nudge” behavior that pushes individuals to accept cookies. For an example to avoid, the ICO’s guidance provides an illustration of a consent banner with a large accept button but only a small link to decline cookies.
- Cookie consent should not be required for entry to a site; consent extracted by a cookie wall that blocks entry until the user accepts is not “freely given.”
- Cookies should not be pre-enabled. For example, if providing users with the opportunity to enable or disable certain cookies, the default option should be to disable cookies.
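The consent tips above translate directly into front-end logic: nothing non-essential is set before an explicit choice, defaults are off, each purpose is chosen separately, third-party scripts are gated like first-party cookies, and dismissing or scrolling past the banner grants nothing. The following is an added example written for this article, not a library or code from any project the article discusses. The purpose names, the `consent_prefs` cookie and the `platform` adapter (which stands in for `document.cookie` and `<script>` injection so the logic can run outside a browser) are all assumptions of the example.

```javascript
// Added example: a minimal consent gate implementing the rules above.
// `platform` abstracts the browser (cookie writes and script injection).

const PURPOSES = ['strictly necessary', 'analytics', 'social sharing', 'advertising'];

function createConsentGate(platform) {
  // Only the exempt purpose is on by default; every other purpose starts off.
  const state = Object.fromEntries(PURPOSES.map((p) => [p, p === 'strictly necessary']));
  let decided = false;   // becomes true only through an explicit user action
  const pending = [];    // third-party tags held back until their purpose is consented

  const allowed = (purpose) => state[purpose] === true;

  // Wire this to the banner's buttons only. `choices` is a per-purpose map, so
  // "Accept all" and "Reject all" are just two particular inputs; unmentioned
  // purposes stay off (never pre-enabled).
  function recordChoice(choices) {
    for (const p of PURPOSES) {
      if (p !== 'strictly necessary') state[p] = choices[p] === true;
    }
    decided = true;
    // Storing the user's choice is itself strictly necessary to honour it.
    platform.setCookie('consent_prefs', JSON.stringify(state), { maxAge: 180 * 86400 });
    flushPending();
  }

  // Closing the banner or navigating elsewhere: intentionally a no-op,
  // because failing to engage is not consent.
  function dismiss() {}

  // Set a cookie only if its purpose has been consented (or is exempt).
  function setCookie(name, value, purpose, options = {}) {
    if (!PURPOSES.includes(purpose)) throw new Error('unknown purpose: ' + purpose);
    if (!allowed(purpose)) return false;
    platform.setCookie(name, value, options);
    return true;
  }

  // Third-party scripts (widgets, analytics tags) are gated the same way.
  function loadScript(src, purpose) {
    if (allowed(purpose)) { platform.injectScript(src); return 'loaded'; }
    pending.push({ src, purpose });
    return 'deferred';
  }

  function flushPending() {
    for (let i = pending.length - 1; i >= 0; i--) {
      if (allowed(pending[i].purpose)) {
        platform.injectScript(pending[i].src);
        pending.splice(i, 1);
      }
    }
  }

  return { recordChoice, dismiss, setCookie, loadScript, snapshot: () => ({ ...state, decided }) };
}

// Recording stand-in for the browser, used so the gate can be exercised here.
function recordingPlatform() {
  const cookies = [];
  const scripts = [];
  return {
    cookies,
    scripts,
    setCookie: (name, value, options) => cookies.push({ name, value, ...options }),
    injectScript: (src) => scripts.push(src),
  };
}

// Walk through a typical page load: exempt cookie set, analytics refused,
// widget deferred, banner ignored, then an explicit per-purpose choice.
function demo() {
  const platform = recordingPlatform();
  const gate = createConsentGate(platform);
  gate.setCookie('session_id', 'abc123', 'strictly necessary', { httpOnly: true });
  const analyticsBefore = gate.setCookie('_site_stats', 'u9x', 'analytics');
  const widget = gate.loadScript('https://widgets.social-platform.test/like.js', 'social sharing');
  gate.dismiss();
  gate.recordChoice({ analytics: false, 'social sharing': true, advertising: false });
  return {
    analyticsBefore,                    // false: refused before any choice
    widget,                             // 'deferred' until the user chose
    cookies: platform.cookies.map((c) => c.name),
    scripts: platform.scripts,
    state: gate.snapshot(),
  };
}

console.log(demo());
```

In a real deployment `platform.setCookie` writes `document.cookie` (or asks the server to set it) and `platform.injectScript` appends a `<script>` element; the gate itself does not change. Note that `recordChoice` treats anything but an explicit `true` as refusal, which is what keeps cookies from being pre-enabled when a new purpose is added later.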
- Analyze obligations under both the GDPR and the E-Privacy Directive.
It is possible that the E-Privacy Directive applies, but the GDPR does not apply, and vice versa. For example, the E-Privacy Directive requires consent for cookies even if such cookies do not involve the processing of personal data. Similarly, because the E-Privacy Directive and GDPR have different material and territorial scopes and exemptions, it is possible the GDPR may apply to certain cookies, where the E-Privacy Directive does not.
The first step is to fully analyze whether your cookies are subject to the E-Privacy Directive consent requirements or whether there is an applicable exemption. If not, your requirements under the GDPR will depend on your role: controller, joint controller, or processor.
In Fashion ID, the CJEU reviewed the responsibilities of the parties with respect to a social media widget (e.g., a “like button” hosted by a third-party social platform). A social media widget allows the social media platform to track individuals across websites and over time through a third-party cookie. This tracking cookie can work even when the user is not currently logged into the platform. The CJEU concluded that the website operator is a joint controller with the social media platform for purposes of the collection of personal data and the transfer to the social media platform. However, the social platform is solely responsible for how it processes the tracking information thereafter, assuming no other involvement by the website operator.
If acting as a controller, you are responsible for establishing a basis for processing. The GDPR offers six potential legal bases for processing. However, the ICO emphasizes that, where consent is required under the E-Privacy Directive, consent is also required under the GDPR.
- Address responsibilities for compliance with third parties.
Websites and other online services frequently integrate third-party widgets (including the social media widgets discussed in Fashion ID) to enhance the function of their service and to provide users with opportunities to share content on other platforms. If these widgets include third-party cookies, the agreement between the online service operator and the widget provider should address the parties’ respective responsibilities for compliance.
The ICO takes this issue a step further and takes the position that widget providers “may need to take further steps [beyond entering into an agreement], such as ensuring that the consents were validly obtained.” Similarly, CNIL points out that a controller must be able to demonstrate that consent has been validly obtained, beyond pointing to a contractual obligation of the other party. As both parties may be held jointly responsible, we recommend that both parties periodically review compliance and cooperate with each other as necessary to ensure any consent requirements are met.
Polsinelli provides this material for informational purposes only. The choice of a lawyer is an important decision and should not be based solely upon advertisement.