Cookies and Adtech: The ICO’s ambitious recipe for compliance

July 22, 2019

The interaction between the General Data Protection Regulation (2016/679) (the “GDPR”) and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (as amended) (“PECR”) has been a legal conundrum for some time now. 

As a possible sign that supervisory authorities have run out of patience in waiting for the EU legislature to reform the ePrivacy Directive (Directive 2002/58/EC) on which PECR is based, the UK Information Commissioner’s Office (the “ICO”) released updated guidance on the use of cookies and similar technologies 1 (the “Guidance”) on 3 July 2019. The Guidance provides the first in-depth insight into what the ICO expects from website owners in order for their cookie usage to comply with the GDPR/PECR framework. It comes just weeks after the ICO published an update report into adtech and real time bidding 2 (the “Adtech Report”), a newly identified regulatory priority sector that is largely powered by cookies. 

These documents appear to signal that any notion of a regulatory enforcement amnesty pending the arrival of a new EU ePrivacy Regulation should be discounted – cookies are being singled out as “an increasing regulatory priority”. The ICO has been engaging with stakeholders and examining long-established internet practices through the prism of the ungainly GDPR/PECR combination and does not like what has come to light. 

In the Guidance, the picture is challenging, although there are a few areas where a degree of reassurance can be found: for example, less intrusive analytics cookies are not at the top of the ICO’s enforcement priorities. In the Adtech Report, the ICO’s two prioritised areas of concern are (1) the processing of special category personal data without explicit consent and (2) the complexity of the data supply chain. Simon McDougall, the ICO’s Executive Director for Technology Policy and Innovation, has since cautioned that the Adtech Report is a “warning and wake-up call” to address what the regulator considers to be untenable practices, and that if fundamental changes aren’t made, it is “ready to respond and consider the full range of enforcement actions”.

Which law applies to cookies: PECR or the GDPR? 

Potentially, both apply. PECR provides specific rules which organisations must follow when storing or accessing information on “terminal equipment” such as PCs or smart phones. When the ICO refers to “cookies”, it is also referring to local shared objects, “device fingerprinting” techniques, pixels and similar technologies. The GDPR, of course, governs the processing of “personal data”. Cookies will often (but not inevitably) involve the processing of personal data; user authentication cookies which allow an individual to log on to their account at an online service are an obvious example. When PECR applies, it takes priority over the GDPR (and the UK Data Protection Act 2018), and the ICO says that PECR should be considered first.

It was originally intended that a GDPR-era replacement for the ePrivacy Directive (and therefore PECR) would be finalised at EU level and apply from 25 May 2018, alongside the GDPR. The ePrivacy Regulation appears to have lost momentum, however, and significant compliance challenges arise from the need to “retrofit” GDPR-standard requirements to PECR: for example, “consent” for a non-essential cookie under PECR now has to meet the GDPR standard of consent. Similarly, PECR’s “clear and comprehensive information” requirement now equates to the “fair processing information” requirements of Articles 13-14 of the GDPR.

What does the new Guidance say?

PECR states, in summary, that consent must be obtained for the storing (or accessing) of cookies on a user’s device unless those cookies are “strictly necessary” to provide a requested service or are required to allow “communication” between two parties over a network. The Guidance makes clear that in the ICO’s view:

  • Implied consent is not a valid legal basis for the use of cookies. The GDPR’s definition of consent has raised the bar, meaning that the commonly seen banners which purport to collect consent if an individual continues to use a website will no longer be valid. Instead, more granular choices must be presented to individuals, often raising concerns about interference with user experience. This issue is compounded by the ICO’s view that, in most situations, it will not be possible to rely on a user’s browser settings in order to demonstrate consent to the use of cookies.
  • Cookies may be “strictly necessary” if they are required to comply with other legislation, such as the GDPR. This may be a welcome clarification for organisations which use cookies for security and fraud prevention purposes, for example. Whether a cookie is “strictly necessary” must be considered from the position of the website user, however, and not the organisation making the website available. Analytics cookies cannot be considered “strictly necessary” and therefore require consent. 
  • Organisations must provide “clear and comprehensive” information about how they use cookies, to the same extent as if processing personal data under the GDPR. This will require many organisations to make substantial amendments to their cookie policies, and any cookie banners that are currently in place. 
  • Where personal data are processed as a result of the use of cookies, it may be possible for the purposes of the GDPR to rely on a legal basis other than consent. This will vary on a case-by-case basis, however, and will need to be considered carefully. 

What should be done now?

In the blog “Cookies: what does ‘good’ look like?” 3, the ICO’s Head of Technology Policy notes that for many organisations “more work will have to be done” to comply. The Guidance notes that, while regulatory action is always a possibility, it is unlikely that the ICO would treat cookies with a low level of intrusiveness, such as first party cookies used for analytics purposes or those which support the accessibility of sites and services, as a priority. Waiting for the EU ePrivacy Regulation to be finalised before reviewing a website’s cookie compliance post-GDPR is looking potentially risky. Organisations should therefore consider:

  • Auditing cookies to confirm how they are being deployed across websites, apps and other platforms. 
  • Reviewing contracts with third parties which place their cookies on sites and platforms.
  • Reviewing and updating relevant cookie policies and consent collection/information provision mechanisms to reflect the combined requirements of PECR and the GDPR. 
  • Considering whether adequate records are kept, where necessary, to meet the requirements of PECR and the GDPR. Consent records are particularly relevant here.
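The first step above, the cookie audit, starts from knowing which responses set which cookies. As an added example (not from the ICO Guidance or from the article), the Python script below takes a capture of request URLs and the Set-Cookie values they returned, such as a proxy or crawler would log, and builds the inventory the rest of the audit is checked against: who sets each cookie, on which domain, whether it is first- or third-party relative to the audited site, whether it outlives the session, and its Secure/HttpOnly/SameSite attributes. The audited site www.example.com, the capture and the ad-exchange domain are constructed for the example, and the registrable-domain logic is a deliberate simplification. The script does not decide which cookies are “strictly necessary”; that remains a judgement made from the user’s perspective, but it is made against exactly this inventory, as are the cookie policy and the contract review.

```python
"""Cookie inventory for a PECR/GDPR audit.

Added example, not code from the ICO or from the article. It reads a capture of
(request URL, Set-Cookie header values) pairs such as a proxy or crawler would
log, and produces the inventory an audit starts from: who sets each cookie, on
which domain, whether it is first- or third-party relative to the audited site,
whether it persists beyond the session, and its security attributes.
Whether a cookie is "strictly necessary" is a judgement the auditor still makes
from the user's perspective; the script only pre-sorts the work.
"""
from urllib.parse import urlsplit

# Site under audit (hypothetical).
SITE = "https://www.example.com/"

# Constructed sample capture, not real traffic. The last response comes from an
# ad-exchange cookie-sync endpoint that the page embeds.
CAPTURE = [
    ("https://www.example.com/", [
        "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
        "_ga=GA1.2.1111; Domain=.example.com; Path=/; Max-Age=63072000",
    ]),
    ("https://cdn.example.com/app.js", [
        "pref=dark; Path=/; Max-Age=31536000",
    ]),
    ("https://ads.example-exchange.net/sync", [
        "uid=xyz; Domain=.example-exchange.net; Path=/; "
        "Expires=Wed, 01 Jul 2020 00:00:00 GMT; SameSite=None; Secure",
    ]),
]


def registrable_domain(host):
    """Crude 'site' boundary: the last two labels of the host name.

    A simplification for this example: a real audit should use the Public
    Suffix List, otherwise e.g. 'example.co.uk' is read as 'co.uk'.
    """
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, attributes).

    Attribute names are lower-cased; flag attributes such as Secure map to True.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() or True
    return name.strip(), value.strip(), attrs


def audit(capture, site):
    """Return one inventory record per Set-Cookie header in the capture."""
    site_domain = registrable_domain(urlsplit(site).hostname)
    records = []
    for url, headers in capture:
        host = urlsplit(url).hostname
        for header in headers:
            name, _value, attrs = parse_set_cookie(header)
            domain = attrs.get("domain")
            if not isinstance(domain, str):  # absent, or a bare 'Domain' flag
                domain = host
            domain = domain.lstrip(".")
            records.append({
                "name": name,
                "set_by": host,
                "domain": domain,
                "party": "first" if registrable_domain(domain) == site_domain else "third",
                # Max-Age or Expires makes the cookie outlive the browser session.
                "persistent": "max-age" in attrs or "expires" in attrs,
                "secure": "secure" in attrs,
                "httponly": "httponly" in attrs,
                "samesite": attrs.get("samesite", "(unset)"),
                "purpose": "",  # to be filled in by the auditor, cookie by cookie
            })
    return records


def summarise(records):
    """Headline counts for the audit report."""
    return {
        "total": len(records),
        "first_party": sum(r["party"] == "first" for r in records),
        "third_party": sum(r["party"] == "third" for r in records),
        "persistent": sum(r["persistent"] for r in records),
        "missing_secure": sum(not r["secure"] for r in records),
    }


if __name__ == "__main__":
    rows = audit(CAPTURE, SITE)
    for r in sorted(rows, key=lambda r: r["party"] != "third"):  # third-party first
        print(f"{r['name']:<10} {r['party']:<6} {r['domain']:<22} "
              f"{'persistent' if r['persistent'] else 'session':<10} "
              f"Secure={r['secure']} HttpOnly={r['httponly']} SameSite={r['samesite']}")
    print(summarise(rows))
```

Run as a script it prints the inventory with third-party cookies listed first, since those are the ones that need both a consent mechanism and a contract with the party setting them. The blank purpose column is deliberate: the legal classification (strictly necessary, analytics, advertising) is the auditor’s to fill in, and the records are what the cookie policy and consent banner must then describe.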

The ICO’s report on adtech and real time bidding

Of all the sectors to be affected by the GDPR, adtech has perhaps been one of the hardest hit. The confusing interplay between PECR and the GDPR is disproportionately problematic for a sector which depends so heavily on cookies. It has also been singled out by the ICO as a regulatory priority area and is the subject of a number of high profile complaints to the ICO made by privacy advocacy groups.

Broadly speaking, “adtech” refers to tools that analyse and manage information for online advertising campaigns and automate the processing of advertising transactions. Most obviously, adtech powers the buying and selling of advertising inventory on a website. It has been clear for some time that the ICO has had the adtech industry firmly within its sights. The Adtech Report is a progress report and it is not guidance, although – slightly ominously – it indicates that the regulator does “not think these issues will be addressed without intervention”.

The Adtech Report focusses on so-called “real time bidding” (“RTB”), an auction process that is primarily used to sell visual advertising inventory on websites and apps (though it can also be used for other media such as audio and video streaming). This “real time” auction occurs in a fraction of a second, in the time it takes for a website to load in a user’s browser. Publishers make space available on their platforms, ultimately to be filled by content from advertisers as a result of a successful bid on a per individual viewer basis. The process relies on publishers creating “bid requests”, as well as on a series of intermediaries such as Data Management Platforms (DMPs), which may be involved in enriching the data about the potential viewer and tagging it with information known or inferred about that person, making the bid request more valuable. Adtech relies heavily on cookies and similar technologies to collect the data (including personal data) of the page visitor, which is then incorporated into the bid request before it is put out for auction.

Core issues highlighted by the Adtech Report

The ICO makes clear that it has chosen to investigate the RTB ecosystem because of its complexity and scale, alongside the risks that it poses to the rights and freedoms of individuals. The Adtech Report highlights: 

  • GDPR Lawful Basis: There is a lack of clarity within the industry as to the situations in which the GDPR’s lawful bases apply. In particular, the ICO notes the misconception that legitimate interests can be relied upon to place cookies; as noted above, consent is required under PECR in order for most cookies to be placed on a device. Where personal data are processed, a lawful basis for processing under the GDPR must also be identified. The ICO’s view is that if consent is required to place a cookie, “then in practice consent is the appropriate lawful basis under the GDPR”. This will remain a point of contention within the industry, and even amongst other data protection authorities, who consider that the more flexible “legitimate interests” basis may be relied upon in some circumstances.
  • Special Category Personal Data: The RTB ecosystem uses a number of alternative protocols. Two of the most common protocols include data fields relating to politics, religion, and mental and physical health, all of which are “special category personal data” for the purposes of the GDPR. This data is subject to stricter controls on processing, such as the need for the individual’s “explicit consent” (consent expressly confirmed by the data subject in words, rather than inferred from any other positive action). Current consent management frameworks operated by the main RTB protocols are, in the view of the ICO, not sufficient to comply with these requirements.
  • Lack of Transparency: Information provided to individuals about RTB processing often lacks clarity and fails to explain fully how personal data is processed. Organisations are therefore at risk of breaching the GDPR’s transparency obligations. This also causes difficulties in obtaining a valid consent to data sharing.
  • Lack of Understanding of Legal Framework: It is unclear that organisations participating in RTB frameworks properly understand how the frameworks operate and how personal data processing occurs. Those that cannot document and demonstrate their understanding of RTB processing (and the associated legal rights of end users) risk breaching the accountability principle under the GDPR, and falling below PECR requirements, too.
  • Data Protection Impact Assessments (“DPIAs”): RTB will often trigger the requirement for a DPIA to be conducted, on the basis of ICO-defined high risk activities, such as (i) profiling individuals on a large scale or (ii) “invisible processing” where personal data has not been collected directly from individuals and organisations consider that it would involve a disproportionate effort to provide transparency information to individuals (and so avoid doing so). The ICO has seen no evidence to date that organisations are aware of, or are meeting, the potential DPIA requirement. 

What should those involved in online advertising do? 

The Adtech Report will have implications for all participants in the adtech system, from website owners (publishers) to exchange providers, and ultimately to advertisers. Apart from publishers carrying out a cookie audit, organisations involved in adtech should now look to understand: 

  • The extent to which they are processing personal data, and who they ultimately pass this data to. 
  • What may be required of them under standard-form contracts that are put in place by other players in the industry, particularly in relation to gathering end-user consent.
  • Any high-risk processing activities that they carry out, which may require a DPIA to be carried out.

Elsewhere

Away from PECR and the GDPR, organisations active in the adtech industry are facing scrutiny under competition law. In fact, the Competition and Markets Authority (“CMA”) announced on 3 July that it has launched a market study into digital advertising and “broad potential sources of harm to consumers” from online platforms. The CMA has stated that this will include a review of the way that organisations collect and use personal data. The ICO and the CMA have in place a memorandum of understanding setting out the procedure for cooperation between the two authorities, so it will be interesting to see the extent of coordination between them in relation to the outcome of the CMA’s study.

Commentary

A regulator’s role is to enforce the law as it is, rather than the law as it was supposed to be enacted, or as it might one day become. It goes without saying that the present difficulties due to the delayed EU legislative reforms are not of any regulator’s making. The ICO’s engagement in the form of the Adtech Report and the ongoing dialogue with the sector is welcomed; not least because peremptory regulatory action could have devastating consequences for an industry that allows large amounts of online content to be provided at no monetary cost to the end user. 

So, it is less than ideal to find ourselves on the cusp of the 5G era – with all its potential for boundless connectivity and the Internet of Things – with a dysfunctional regulatory framework. In this context, aspiring to compliance with the historic ePrivacy regime in tandem with the GDPR feels rather like swapping your horse for a car and still expecting it to run on hay.  

Footnotes

1 https://ico.org.uk/media/for-organisations/guide-to-pecr/guidance-on-the-use-of-cookies-and-similar-technologies-1-0.pdf

2 https://ico.org.uk/media/about-the-ico/documents/2615156/adtech-real-time-bidding-report-201906.pdf

3 https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2019/07/blog-cookies-what-does-good-look-like/

Kate Brimsted is a Partner at Bryan Cave Leighton Paisner and is a member of their Data Privacy and Cyber Security team https://www.bclplaw.com/en-GB/people/kate-brimsted.html

Tom Evans is an associate at Bryan Cave Leighton Paisner and is a member of the Data Privacy and Cyber Security team https://www.bclplaw.com/en-GB/people/tom-evans.html

This article was first published on the BCLP website and is reproduced with permission