When it comes to consumer tracking and data protection, there is one word that often springs to mind: Cookies (data which tracks a visitor’s movement on a website and remembers their behaviour and preferences). Thanks to PECR (the Privacy and Electronic Communications Regulations, the UK implementation of the ePrivacy Directive (Directive 2002/58/EC), which provides rules on marketing, cookies, the security of communication services and customer privacy in relation to traffic and location data, billing, line identification and caller directories), it is now virtually impossible to go online without being hit by a wave of Cookie banners, reflecting the fact that the majority of organisations use Cookies to gain valuable information about how visitors browse their websites. Cookies have been in the news frequently of late following a series of decisions by the French data protection regulator, CNIL (with a total of €210 million in fines handed down to Facebook and Google), and data protection advocate Max Schrems voicing ongoing concerns about cookies.
In this blog, we look at the current law on cookies and its possible evolution following their recent publicity, as well as the UK’s Department for Digital, Culture, Media and Sport’s (DCMS) 2021 consultation.
What is a Cookie?
But before we dive in, it is necessary to know that a Cookie is a term for a packet of data which websites drop onto your browser. Cookies can provide organisations with important data about the effectiveness of their website and other metrics which will help them to improve their online offerings. They are also used to benefit website users; for example, they can be used to keep a record of users’ login details so that they stay logged in, provide added functionality to a site by enabling videos and integrations with other third parties, and help to serve relevant and targeted advertising.
Types of cookies
Cookies can largely be split into four main categories:
Cookies and the law
When using Cookies there are two pieces of legislation in the UK you must consider: the UK GDPR (the UK General Data Protection Regulation; before leaving the EU, the UK transposed the GDPR into UK law through the Data Protection Act 2018, and this became the UK GDPR on 1st January 2021 when the UK formally exited the EU) and the Privacy and Electronic Communications Regulations (PECR). In the EU, the equivalents would be the EU GDPR (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons regarding the processing of personal data and on the free movement of such data (General Data Protection Regulation)) and the Member State in question’s national ePrivacy law.
When it comes to the GDPR, this will only apply where Cookies are processing personal data (information which relates to an identified or identifiable natural person; ‘online identifiers’, as per the legislation). PECR, however, applies to all Cookies regardless of whether personal data is being processed or not.
Cookies and PECR
PECR stipulates that in order to use any Cookie that does not fall within the Strictly Necessary category mentioned above, organisations must get the user’s consent (an unambiguous, informed and freely given indication by an individual agreeing to their personal data being processed), and the standard for this consent is the same as that required by the GDPR.
This is most commonly gained through the use of a consent banner or through a CMP (content management platform). Because consent requires a positive action, like clicking to confirm, the default setting must therefore be that the cookies are not dropped on the device until the user clicks accept. This means that a user clicking the ‘X’ to get rid of the banner is not valid consent.
It is also very important to remember that consent is only valid if it is as easy to withdraw it, or not give it in the first place, as it is to give it. Therefore, all organisations must make it as easy to reject Cookies as it is to accept them. In addition, it is now recommended that organisations allow users to manage their individual preferences for each type of non-essential Cookie (functional, analytics and targeting), thereby offering them even more granular choice.
Finally, PECR requires that users are made aware of “the purposes of the storage, or access to, that information.” Therefore, organisations should ensure that a Cookie Notice containing this information is made accessible to users.
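The consent rules above (nothing non-essential dropped before a positive action, dismissing the banner is not consent, rejection as easy as acceptance, per-category preferences and withdrawal) translate into fairly simple gating logic on the client side. The following is an added example written for this post, not code from the original article or from any CMP; the category names (strictly_necessary, functional, analytics, targeting) are taken from the text, and the in-memory CookieJar stands in for document.cookie so the logic can be exercised outside a browser.

```javascript
// Categories that require prior consent under the rules described above.
// "strictly_necessary" is the only category set without a consent decision.
const NON_ESSENTIAL = ['functional', 'analytics', 'targeting'];

// Stand-in for document.cookie: keeps each cookie's category so that
// withdrawal can remove everything set under a category (constructed, not a browser API).
class CookieJar {
  constructor() { this.cookies = new Map(); }
  set(name, value, category) { this.cookies.set(name, { value, category }); }
  remove(name) { this.cookies.delete(name); }
  names() { return [...this.cookies.keys()]; }
}

class ConsentGate {
  constructor(jar) {
    this.jar = jar;
    // Default-off: no non-essential category is consented to until the user acts.
    this.prefs = Object.fromEntries(NON_ESSENTIAL.map((c) => [c, false]));
    this.decided = false;
    // Non-essential cookies requested before a decision are queued, not set.
    this.pending = [];
  }

  // A site component asks for a cookie. Strictly necessary cookies are set
  // immediately; anything else only if its category is already consented to.
  requestCookie(name, value, category) {
    if (category === 'strictly_necessary') {
      this.jar.set(name, value, category);
      return true;
    }
    if (!NON_ESSENTIAL.includes(category)) {
      throw new Error(`unknown cookie category: ${category}`);
    }
    if (this.prefs[category]) {
      this.jar.set(name, value, category);
      return true;
    }
    this.pending.push({ name, value, category });
    return false;
  }

  // "Accept all" and "Reject all" are single, equally easy actions.
  acceptAll() { this.applyPreferences(Object.fromEntries(NON_ESSENTIAL.map((c) => [c, true]))); }
  rejectAll() { this.applyPreferences(Object.fromEntries(NON_ESSENTIAL.map((c) => [c, false]))); }

  // Closing the banner with the "X" is not a positive action: state is unchanged.
  dismiss() { /* intentionally a no-op */ }

  // Granular choice: categories missing from `prefs` are treated as refused.
  // Any category now refused has its existing cookies deleted (withdrawal).
  applyPreferences(prefs) {
    this.decided = true;
    for (const c of NON_ESSENTIAL) {
      this.prefs[c] = Boolean(prefs[c]);
      if (!this.prefs[c]) {
        const toRemove = [...this.jar.cookies]
          .filter(([, meta]) => meta.category === c)
          .map(([name]) => name);
        toRemove.forEach((name) => this.jar.remove(name));
      }
    }
    // Release queued requests whose category has now been consented to.
    const stillPending = [];
    for (const p of this.pending) {
      if (this.prefs[p.category]) this.jar.set(p.name, p.value, p.category);
      else stillPending.push(p);
    }
    this.pending = stillPending;
  }

  bannerRequired() { return !this.decided; }
}

// Walk through the lifecycle with constructed cookie names and values.
function demo() {
  const jar = new CookieJar();
  const gate = new ConsentGate(jar);
  gate.requestCookie('session_id', 'constructed-session', 'strictly_necessary');
  gate.requestCookie('analytics_id', 'constructed-analytics', 'analytics');
  gate.requestCookie('ad_id', 'constructed-ad', 'targeting');
  const beforeDecision = jar.names();            // only session_id
  gate.dismiss();
  const afterDismiss = jar.names();              // unchanged
  gate.applyPreferences({ analytics: true });    // targeting stays refused
  const afterGranular = jar.names();             // session_id, analytics_id
  gate.rejectAll();                              // withdraws analytics consent
  const afterWithdraw = jar.names();             // only session_id again
  return { beforeDecision, afterDismiss, afterGranular, afterWithdraw, decided: gate.bannerRequired() };
}
```

The important design point is the default: the gate never sets a non-essential cookie on the strength of the banner merely being shown or closed, and a "reject all" path is a single call, exactly like "accept all".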
Cookies and GDPR
Where Cookies use personal data and therefore fall under the GDPR, a lawful basis must be identified for the processing activities they are being used for. Fortunately, this is fairly straightforward to achieve. As PECR requires the same standard of consent as the GDPR, in most cases organisations will rely on Article 6(1)(a) as the lawful basis, given that consent is already a necessary requirement under the law.
The only exception to the above is where a processing activity uses a Strictly Necessary cookie, which therefore doesn’t require user consent under PECR. In this instance, it is likely that Legitimate Interests (one of the six lawful bases for processing personal data; you must have a lawful basis in order to process personal data in line with the ‘lawfulness, fairness and transparency’ principle) is a more suitable lawful basis than consent. This is because, if a Cookie is essential for the effective running of your website, a user who chooses not to consent to it is unable to use the website; any consent they do give therefore cannot be considered freely given, as it would be a condition of being able to access the website at all.
A final point to note relating to GDPR and Cookies is that where Cookies process personal data, this processing will need to be recorded on your Article 30 Records of Processing Activities and included in your website Privacy Notice (a clear, open and honest explanation of how an organisation processes personal data), and, where appropriate, Data Protection Impact Assessments (DPIAs) may need to be carried out to assess and mitigate the potential risks posed by the processing.
Cookie enforcement
In relation to Cookies, CNIL is leading the crackdown on companies’ non-compliance. In January 2022, CNIL imposed a fine of €60 million on Facebook and a whopping €150 million on Google due to their non-compliant Content Management Platforms (CMPs). Following investigations into both companies, CNIL found that the tech giants were in breach of Article 82 of the French Data Protection Act when they offered an “accept all” button but failed to create a “reject all” option for users. CNIL highlighted that organisations must make rejecting the use of non-essential cookies (cookies created by third parties and dropped on website users for the purposes of analytics or advertisement tracking) as easy as they make it for users to accept them. In the cases of Google and Facebook, both organisations’ CMPs had “accept all” buttons that the user could click immediately; if the user wanted to reject all cookies, however, they had to click on a number of links in order to do so. Considering that research conducted by noyb indicated that only 10% of users go to the effort of jumping through multiple hoops to reject Cookies, it is clear that organisations want to frustrate users into accepting them, but it has been confirmed time and time again that this does not constitute valid consent.[1]
CNIL has also fined Amazon €35 million for dropping cookies on users’ devices without their prior consent. It also found that Amazon had not given adequate information to their users about how Cookies are used. Furthermore, it is not just France that has been dishing out Cookie-related fines; the Spanish DPA fined Vueling airlines €30,000 for not providing an opt-out option to its users.
Cookie advocates
Alongside the recent increase in supervisory authority (an authority established by its member state to supervise compliance with data protection regulation) enforcement actions, Cookie advocates like Max Schrems are acting as the driving force behind the increased awareness of Cookies and how companies have been misusing them. Just last year, Schrems’ not-for-profit organisation, noyb (none of your business), sent over 500 draft Cookie complaint letters to high profile European companies in order to urge them to offer a clear yes/no option within their Cookie banners. And it appears that their efforts in respect of Cookies are justified, with research conducted showing that:
UK reform
It is clear from the above discussion that Cookies are an area of ever-growing interest, and that many organisations are not fully compliant with the current legislation. It may, therefore, be fortuitous that the UK’s DCMS consultation contained proposals for a “cookie overhaul” to help combat Cookie fatigue and make it easier for organisations to comply. The proposals would see the UK adopting a cross-property tracking approach to Cookies. This would introduce a one-time approach to Cookies, where users could decide up front what their preferences are, which would then be applied across all online services at browser level. The Information Commissioner’s Office (ICO), the United Kingdom’s independent supervisory authority for ensuring compliance with the UK GDPR, the Data Protection Act 2018 and the Privacy and Electronic Communications Regulations (PECR), is in support of the proposal, stating that this will allow for meaningful consideration by users of the different categories of data they are happy to have collected.
Other potential changes include the banning of Cookie banners, and the re-categorising of analytics Cookies to fall within the Strictly Necessary classification, meaning that consent would not be required for their use.
We will, however, have to wait until the results of the consultation are published to see whether the above proposals will become reality. There is also no sign yet that the EU will follow the UK’s lead on this, which raises the question of how many organisations this will actually help, given the cross-border nature of many businesses who would still be required to comply with foreign legislation.
The risks of non-compliance
Aside from the obvious financial impact that non-compliance could have on your business (£500,000 for a breach of PECR, and up to £17.4 million or 4% of global revenue for UK GDPR), a key risk of failing to comply with the relevant Cookie rules is the reputational damage it can cause. Users are becoming more acutely aware of the requirements around consent, so failing to comply could lead to complaints from users and a loss of trust. This, coupled with the relentless nature of data rights campaigners like Max Schrems and noyb who are actively seeking to shine a light on organisations who fail to comply with EU cookie laws, means that non-compliance is a far higher-risk strategy now than ever before. Conversely, getting your ducks in a row now could save you a lot of hassle.
If you would like further help or information on the use of Cookies within your organisation, please get in touch with us using the form below.
[1] NOYB aims to end “cookie banner terror” and issues more than 500 GDPR complaints.