Most of us use the internet almost every day, and come across cookie notices and requests for our consent at nearly every website we visit. The data protection requirements for cookies are relatively simple and guidance is widely available, so why does the handling of cookies vary so much? Are all organisations getting it right, or are there some examples of mistakes – or even ‘deliberate mistakes’ – from which we can learn?
What are cookies?
Cookies are small pieces of data that a website asks your browser to store, and which the browser sends back with later requests to that site. They are used to make websites work, or work more efficiently, as well as to provide information to the owners of the site, including your browsing habits, pages visited and other traffic analysis and tracking data. Such information can be invaluable to the site operators (and others with whom the websites share this personal data) for the purposes of sending you targeted advertising or other forms of e-marketing direct to your computer. Note that the rules discussed below apply to any storing of, or access to, information on a user’s device, so they cover similar technologies such as local storage, tracking pixels and device fingerprinting, not only cookies in the strict sense.
What does the law say about cookies?
In the UK, the relevant legislation for data protection is the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 (DPA) and the Privacy and Electronic Communications Regulations 2003 (PECR), which were originally put in place prior to Brexit to implement European Directive 2002/58/EC, also known as 'the ePrivacy Directive'.
PECR Regulation 6 says that if you use cookies, you must say what cookies will be set and explain what the cookies will do (usually in a cookies notice or policy) and obtain users’ consent to store cookies on their devices.
The definition of consent in Article 4(11) of the UK GDPR is that it is a freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. Consent should also be unbundled from other terms and conditions and users should be able to refuse without detriment. In essence, this means that consent must be opt-in and not opt-out, and must be granular and specific based on clear information about what the person is consenting to.
There are 2 exemptions known as the ‘communication’ exemption and the ‘strictly necessary’ exemption. These exemptions allow cookies to be set for the ‘sole purpose of carrying out the transmission of a communication over an electronic communications network’ (i.e., for the website to work), or where such storage or access is ‘strictly necessary for the provision of an information society service requested by the subscriber or user’ (such as a shopping cart or to make a transaction secure).
If your cookies process personal data, you must also determine a lawful basis under Article 6 of UK GDPR. As the PECR states that you must obtain consent for the use of cookies, you may think that the most obvious lawful basis would be Article 6(1)(a), consent. However, many websites rely on Article 6(1)(f), legitimate interests. Let us hold that thought for now and examine this in more detail later.
What are the most common mistakes made in cookies compliance?
Below are some examples of common noncompliant or potentially noncompliant approaches to using cookies.
No consent requested
Sometimes websites just have a notice to say that cookies will be set – perhaps stating it is to enhance user experience – but with no further detail, no consent requested and just an ‘OK’, ‘Continue’ or ‘Got It!’ button to click. If a website only uses ‘strictly necessary’ cookies and doesn’t use any cookies that process personal data, then you can tell people that, to explain why you aren’t requesting their consent. Otherwise, you must collect consent, and it is not enough to suggest that by continuing, users of your website agree to their use. For the avoidance of doubt, this includes the cookies set by one of the most widely used tools, Google Analytics, which are not ‘strictly necessary’ in the PECR sense.
Opt-outs and not opt-ins
Some cookie notices present the option to consent already pre-checked. To refuse consent, users need to remember to untick the box. Consent must be an unambiguous indication of the data subject's wishes, by which they provide consent by a clear affirmative action. So, you can’t ask users to untick if they don’t want cookies.
Setting cookies before consent is received
Some sites set cookies from the start but remove them if the user indicates that they do not consent. This isn’t lawful: any cookie that is not covered by one of the exemptions can only be set after consent is received. Deleting the cookie afterwards does not undo the problem either, because by then the browser has typically already sent the cookie, and the page visit it records, to the third party that set it.
It is probably a good point to mention that, in September 2024, the Information Commissioner’s Office (ICO) issued a reprimand to Bonne Terre (which owns Sky Betting and Gaming) because they set cookies before consent had been given.
Setting a global ‘accept’ button
Many sites offer ‘accept’ or ‘deny’ buttons, which is fine, but not if the only way to accept anything is to accept everything. As discussed above, consent must be specific and granular, so you need to give people the choice of what to accept and what not to accept. Listing the cookies in groups such as ‘analytics’ and ‘advertising’ can work, but isn’t always granular enough. In short, an ‘accept all cookies’ button is fine, provided it sits alongside an equally easy ‘reject all’ option and the option to manage cookies in a more granular way.
The French data protection regulator, the National Commission on Informatics and Liberty (CNIL), sanctioned Google and Facebook in 2021 for failing to make rejecting cookies as easy as accepting them, which invalidated the consent on which those companies relied. Whilst cookies could be accepted by a single 'click', a number of steps were needed to reject them. The companies were given 3 months to correct the situation, under the threat of a daily fine of €100,000 for every day of ongoing noncompliance after that.
Emphasising the positive
This is where the design of the site promotes the option to click on ‘agree’ by using a larger font size, using a more prominent button than the deny button, or having the agree button in green and the deny in red.
The guidance from the Irish Data Protection Commissioner says ‘If you use a cookie banner or pop-up, you must not use an interface that ‘nudges’ a user into accepting cookies over rejecting them. Therefore, if you use a button on the banner with an ‘accept’ option, you must give equal prominence to an option which allows the user to ‘reject’ cookies, or to one which allows them to manage cookies and brings them to another layer of information in order to allow them do that, by cookie type and purpose.’
Cookie consent options must be clearly labelled, and offer a fair choice to the user by making the deny and accept options of equal prominence at least.
Consent and legitimate interests
Let’s look again at legitimate interests. Some sites allow users to provide or withhold their consent, but also have presets which allow processing under legitimate interests.
The European Data Protection Board (EDPB) issues various guidance on data protection law. In its guidelines 05/2020 on consent, clauses 122 and 123 specify ‘that if a controller chooses to rely on consent for any part of the processing, they must be prepared to respect that choice and stop that part of the processing if an individual withdraws consent. Sending out the message that data will be processed on the basis of consent, while actually some other lawful basis is relied on, would be fundamentally unfair to individuals. In other words, the controller cannot swap from consent to other lawful bases. For example, it is not allowed to retrospectively utilise the legitimate interest basis in order to justify processing, where problems have been encountered with the validity of consent. Because of the requirement to disclose the lawful basis, which the controller is relying upon at the time of collection of personal data, controllers must have decided in advance of collection what the applicable lawful basis is.’
So, it is unfair and unlawful to set cookies under legitimate interests when the user has declined to consent, leaving the user to discover that they must separately object to the processing (often in another tab buried at the bottom of the banner) in order to opt out of it.
The EDPB’s recent guidelines 01/2024 on legitimate interest point out that whilst GDPR Recital 47 states that the processing of personal data for direct marketing purposes may be carried out to fulfil a legitimate interest, this does not mean that direct marketing always constitutes a legitimate interest, and so it is not automatically possible to rely on Article 6(1)(f) of the GDPR to engage in all kinds of direct marketing activities.
It goes on to state that ‘under the ePrivacy Directive [or for the UK, PECR], the sending of unsolicited communications for purposes of direct marketing by email, SMS, MMS and other kinds of similar applications can only take place with the prior consent of the individual recipient. In this respect it should be noted that the consent to be obtained should meet the requirements set out in Article 4(11) GDPR. Therefore, in this context, the processing for direct marketing purposes may not be based on Article 6(1)(f) GDPR.’
‘It should be noted that Article 5(3) ePrivacy Directive also requires consent for the use of tracking techniques, such as storing cookies or gaining access to information in the terminal equipment of the user. Therefore, when these techniques are used in the context of direct marketing activities, such consent requirements under Article 5(3) the ePrivacy Directive must be respected. Any processing operations of personal data following the aforementioned processing operations, including processing personal data obtained by accessing information in the terminal equipment, must have a legal basis under Article 6(1) GDPR in order to be lawful. Therefore, consent will likely constitute the appropriate legal basis both for storing and gaining access to information already stored on the user’s device and for the subsequent processing of personal data, thus normally precluding reliance on Article 6(1)(f) in this context.’
This approach of using legitimate interests even if consent is denied is problematic for two reasons. The first is that not everyone is a data protection expert, and it is unfair to process personal data under legitimate interests after consent has been denied. Secondly, if the processing is for direct marketing by electronic means within the scope of PECR, or to set cookies, the only lawful basis available is consent.
Cookie walls
A cookie wall is a cookie pop-up that asks users of a website to accept cookies before they can access the website. If they do not give consent, users don’t gain access. This is distinct from users paying for an online service.
Based on the definition of consent alone, it could be argued that cookie walls do not constitute valid consent as they do not provide users with a free choice in respect of cookies and, as such, are not compliant.
The EDPB guidelines on consent address this in paragraphs 40 and 41. ‘A website provider puts into place a script that will block content from being visible except for a request to accept cookies and the information about which cookies are being set and for what purposes data will be processed. There is no possibility to access the content without clicking on the ‘Accept cookies’ button. Since the data subject is not presented with a genuine choice, its consent is not freely given. This does not constitute valid consent, as the provision of the service relies on the data subject clicking the ‘Accept cookies’ button. It is not presented with a genuine choice.’
The ICO guidance on this point agrees cookie walls are inappropriate where the user has no genuine choice. But the ICO does say that under GDPR Recital 25 they are acceptable where the user has specifically requested a certain service, but this does not include analytics services or online advertising.
Other EU member state regulators, including those in Ireland, Spain, the Netherlands and Belgium, agree that cookie walls do not constitute valid consent, as the user is not presented with a real choice.
Consent or pay
Consent or pay is an extension of the concept of a cookie wall, where users are asked to either consent to the processing of their personal data or pay to access the site content. Again, this is not a subscription service for content, but a payment for withholding consent to process personal data.
This method is cropping up more and more, with many UK national newspapers adopting this approach, charging one-off sums or monthly subscriptions to allow readers to withhold their consent. Consenting on at least one of these newspaper sites means that your data is shared with over 1200 ‘partners’.
UK data protection law doesn’t specifically prohibit ‘consent or pay’, but it is hard to see how having to pay for content that is otherwise free to those who consent constitutes ‘freely given’. Consent would need to be unbundled from other terms and conditions so that users can refuse without detriment (consent can’t be withdrawn without detriment if you have to pay to do so). Nor can rejecting all cookies be seen as being as easy as accepting all of them if rejecting costs you money.
The ICO made a call for views on the consent or pay model, which closed on 17 April 2024. It commented that whilst the legislation didn’t specifically prevent a consent or pay model, ‘any organisation considering such a model must be careful to ensure that consent to processing of personal information for personalised advertising has been freely given and is fully informed, as well as capable of being withdrawn without detriment.’
The ICO went on to say that the following factors should be considered:
- To what extent is there a clear imbalance of power between the service provider and its users? Consent for personalised advertising is unlikely to be freely given when people have little or no choice about whether to use a service or not, which could be the case when they are accessing a public service or when the service provider has a position of market power.
- Are the ad-funded service and the paid-for service essentially the same?
- Is the fee appropriate? Consent for personalised advertising is unlikely to be freely given when the alternative is an unreasonably high fee. Fees should be set so as to provide people with a realistic choice between the options.
- Are the choices presented fairly and equally? This means giving people clear, understandable information about what the options mean for them and what each one involves.
It is believed that the ICO will produce its report of its findings from the consultation by the end of 2024.
As a final thought on consent or pay models, requiring payment to withhold consent is an indicator of the value of personal data to a website provider, and that it provides an income stream worthy of protection.
How can we check whether our cookies model is compliant?
Check the cookies you are using
Run a diagnostic scan (free online services are available) to identify the cookies deployed on your website. Scan from a fresh browser profile before any consent choice is made, and again after each choice (reject all, accept a single category, accept all), because the question that matters is what is set before and without consent, not just what is set in total. Establish what each cookie is being used for, identify those that are provided by third-party providers and which involve sharing data with the third party, and remember to include similar technologies such as local storage and tracking pixels.
Get rid of the cookies you no longer need
We often find companies use cookies to collect data that they never use, which breaches the data minimisation principle: personal data must be limited to what is necessary for the purposes for which it is processed.
Identify the need
Find out why you need the cookies and what they are used for, making sure you can defend whether they are ‘strictly necessary’ cookies, analytics cookies, performance cookies, functional cookies or advertising and tracking cookies.
Check your cookies policy
If you don’t have one, write one. It should be in plain language and explain clearly what you are doing, the cookies you use and why, as well as any third parties that process information stored in or accessed from a user’s device. It should also explain how long you set the cookies for.
Work out how to collect consent
You need to collect consent for all cookies that are not ‘strictly necessary’ before those cookies are dropped onto the user’s device. Make sure you can do this in a way that records how and when you obtained consent, which choices the user made and which version of the cookie notice they were shown, and that makes withdrawing consent as easy as giving it.
Consider using a consent management platform (CMP)
A CMP will help you handle notifications and consents and could even help users to get to your cookie policy. But be wary: there are many platforms on the market but (as has hopefully been demonstrated by this blog) not all comply with data protection legislation, and even a compliant platform can be configured badly, for example with pre-ticked categories or with tags that fire before the consent signal is checked.
Get expert help
Not everyone is an expert on cookies and many small businesses might be considering this for the first time, so get some expert help to get you going.
A possible future development
The Government’s Data (Use and Access) Bill, currently making its way through Parliament, contains a provision which, if passed, would allow for an exception to the requirement for consent for certain non-intrusive cookies or similar low-risk technologies. For example, consent would not be required for the placing of analytics cookies solely to measure website use in order to improve the site, or where they are strictly necessary to ensure security or to detect or prevent fraud, provided that users are given clear and comprehensive information about the cookies and an opportunity to object. To learn more about the Data (Use and Access) Bill, read our blog on DUA Bill: An Initial Assessment.
How URM can Help
Consultancy
Almost every organisation is required to maintain GDPR compliance, however understanding the nuances of the Regulation and how its requirements apply within your organisation can be difficult without expert assistance. As such, URM can offer GDPR consultancy services, informed by 19 years of experience supporting organisations’ data protection compliance programmes, to ensure your organisation meets GDPR requirements in full.
URM’s GDPR consultancy service offerings include conducting a gap analysis to help you establish where your organisation is already meeting GDPR requirements and which areas require remediation, helping you create a record of processing activities (ROPA), and assisting with data protection impact assessments (DPIAs) and data transfer impact assessments (DTIAs), to name a few. Our team of expert GDPR consultants can also offer a virtual data protection officer (vDPO) service, providing ongoing or ad-hoc support with any aspect of compliance with the Regulation that you require. Meanwhile, if you need help responding to data subject access requests (DSARs) and applying the required exemptions and redactions, URM can offer a GDPR DSAR redaction service.
Training Courses
In addition to our consultancy services, URM also regularly runs a wide range of data protection training courses. To expand your professional skillset and learn how to conduct key compliance activities, you can attend our half-day training courses on Conducting DTIAs, Conducting DPIAs, and on How to Manage DSARs. If you would like to learn about the UK data protection landscape more broadly and gain an industry-recognised data protection qualification, URM runs the BCS Certificate in Data Protection (CDP) course, which will fully prepare you to sit and pass the BCS-invigilated examination.