Using cookies – why should you bother to get match fit?

April 2021

In 2019, with new guidance, the ICO confirmed GDPR level consent is required for the placing of cookies (unless ‘strictly necessary’). In the same year, the ICO launched their investigation into AdTech and Real Time Bidding.

With the pandemic the data protection focus has been elsewhere but now, things are moving again:

  • The French CNIL fined Google and Amazon €135m for failing to obtain consent
  • The ICO restarted its investigations into AdTech
  • The Spanish DPA fined Iberia for failing to allow for the option to reject cookies

Yet, in early 2020, a research study from MIT/UCL/Aarhus Universities indicated only 1 in 10 UK websites were compliant!

What does this all mean, and should we care?

The cookie basics

Does your website have a cookie pop-up? Do you have a clear Cookie Notice explaining how you use cookies and similar technologies? Are you collecting consent for the cookies you use?

We’ve all seen the deluge of cookie notifications, some are strictly compliant, others aren’t, and plenty are downright confusing.

Not only that, but should we be thinking about more than just cookies? What about pixels, scripts, fingerprinting and plugins?

What does ‘good’ look like?

In the ICO’s updated Cookie Guidance published in 2019, the Regulator confirmed GDPR standard consent is required for the placing of cookies or similar technology, unless ‘strictly necessary’.

A lot of information can be captured with a cookie, including IP addresses and device IDs. These are deemed to be personal data. The guidance says the following:

  • users should take a clear and positive action to consent to non-essential cookies
  • pre-ticked boxes or sliders defaulted to ‘on’ shouldn’t be used for non-essential cookies
  • non-essential cookies shouldn’t be dropped before you gain consent
  • websites and apps should tell users clearly what cookies will be set and what they do
  • it must be clear what third party cookies you use

In short, the ICO says people should be given control and it isn’t sufficient to tell them to go and change their browser settings.
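The five points above translate directly into a gating rule for the scripts a site loads: nothing non-essential fires until the user has taken a clear positive action, and the default state is "off". The following is an added example written for this article, not code from the ICO or from any consent platform; the tag registry, the vendor URLs and the loader interface are constructed assumptions so the gating logic can be exercised outside a browser.

```javascript
// Added example: a minimal consent gate for non-essential tags.
// The registry, vendor hostnames and loader are constructed for illustration.

const CATEGORIES = ['strictly_necessary', 'analytics', 'advertising'];

// Constructed tag registry; vendor ids and URLs are placeholders.
const TAG_REGISTRY = [
  { id: 'session',          category: 'strictly_necessary', src: null },
  { id: 'analytics-vendor', category: 'analytics',   src: 'https://analytics.example/tag.js' },
  { id: 'ad-vendor',        category: 'advertising', src: 'https://ads.example/pixel.js' },
];

// Default state: every non-essential category is off. This is the "no pre-ticked
// boxes or sliders defaulted to on" point from the guidance.
function defaultConsent() {
  return { strictly_necessary: true, analytics: false, advertising: false };
}

// Record the user's decision. Only an explicit boolean true (a clear positive
// action) enables a category; any other value leaves it off. Strictly
// necessary cookies are not subject to consent and cannot be toggled here.
function applyChoice(state, choices) {
  const next = { ...state };
  for (const cat of CATEGORIES) {
    if (cat === 'strictly_necessary') continue;
    next[cat] = choices[cat] === true;
  }
  return next;
}

// Withdrawing consent must be as easy as giving it: reset to the default.
function withdrawConsent() {
  return defaultConsent();
}

// Load only the tags whose category is currently consented to. The loader is
// injected so the same logic runs in a browser (see domLoader) or in a test.
// Returns the ids that were allowed, which is useful for audit logging.
function loadTags(state, loader, registry = TAG_REGISTRY) {
  const loaded = [];
  for (const tag of registry) {
    if (state[tag.category] !== true) continue; // non-essential: wait for consent
    if (tag.src) loader(tag.src);
    loaded.push(tag.id);
  }
  return loaded;
}

// Browser-side loader (assumes a DOM; not used by the test below).
function domLoader(src) {
  const s = document.createElement('script');
  s.src = src;
  s.async = true;
  document.head.appendChild(s);
}
```

The important property is that `loadTags(defaultConsent(), domLoader)` loads nothing but the strictly necessary entries, so a page that calls it on load and again after the banner is answered never drops a third-party tag ahead of consent. A string value such as `'on'` coming from a form is deliberately not treated as consent, which guards against a mis-wired slider enabling a category by accident.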

‘Strictly necessary’ is strictly interpreted

Consent is not required for cookies that are ‘strictly necessary’, but these should be essential to the service you’re providing. The ICO has deemed analytics cookies to be non-essential.

(Interestingly, there’s some discrepancy across European regulators on this point; the French CNIL does not take such a strict interpretation on analytics.)

Where’s the harm?

In the same guidance document, the ICO also states:

The ICO cannot exclude the possibility of formal action in any area. However, it is unlikely that priority for any formal action would be given to uses of cookies where there is a low level of intrusiveness and low risk of harm to individuals.

This sentence has been interpreted by some to mean that analytics that cause a low level of intrusiveness, where a risk assessment has taken place and where measures have been taken to minimise harm, may be considered acceptable. Confused yet?

Where does Adtech fit in?

Also in 2019, the ICO launched a review into adtech and Real Time Bidding. This was designed to understand how the complexity of the adtech ecosystem presents a threat to the rights and freedoms of individuals.

It was particularly focussed on the compliant use of cookies, especially 3rd party cookies. This review was paused during the pandemic but is up and running again now.

The more third-party cookies you deploy and the more sophisticated the technology you use, the greater the risk of complaints highlighting your non-compliance.

In reality, though, the adtech cookie show has moved on. It’s likely 3rd party cookies will disappear by themselves as the browser companies stop supporting them. Google’s announcement that it would stop supporting third party cookies on Chrome in 2022 sounded the death knell.

What do the public think?

Inevitably, people have mixed feelings about cookies. There is increased public awareness of how we are tracked through websites, and some people are becoming savvier about how their data might be used and shared.

Anyone can use a cookie scanner to check what cookies your website uses, and whether you’re being open and upfront about what you do.

Equally there are others who really couldn’t care less.

What steps to take

Practically speaking, it makes sense to share with consumers which cookies are deployed as well as what they are used for. Anyone without a cookie banner now needs to get their house in order. How rigorous your cookie notice is remains a matter of judgement, as well as of careful risk assessment.

In reality, businesses often find it hard to get organised with cookies because no one team manages them. In the short to medium term here are some pragmatic actions:

  • Understand what cookies are being placed on your website(s) – are they still used?
  • Make sure you have one central point to co-ordinate the management of cookies across the business
  • Categorise your cookies, so you can separate your strictly necessary cookies from your non-essential ones
  • For any 3rd party cookies or other technologies make sure you have some oversight over what happens to the data that is captured from your site
  • For each cookie, review the retention periods and decide how long they should be kept for – some are defaulted to a surprisingly long time
  • Make sure your cookie notice is clear and up to date
  • Decide what level of technology is needed to manage your cookie consent – there are plenty of free consent platforms for small businesses, so price is no reason not to have one
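Several of the actions above (know what is placed, categorise it, watch the third parties, check retention) can be driven from the cookies a scanner actually observes rather than from a spreadsheet that drifts. The script below is an added example, not part of this article or of any cookie-scanning product; it compares observed Set-Cookie headers against the inventory your cookie notice documents and flags undocumented cookies, third-party cookies and lifetimes beyond a policy threshold. The site host, the inventory, the sample headers and the 365-day threshold are all constructed assumptions for the example.

```javascript
// Added example: audit observed Set-Cookie headers against a cookie inventory.
// Site host, inventory, sample headers and the retention threshold are assumptions.

const SITE_HOST = 'www.example.org';
const MAX_RETENTION_DAYS = 365; // assumed policy threshold; set by the business, not by law

// Constructed inventory: what the cookie notice currently documents.
const INVENTORY = {
  sessionid: { category: 'strictly_necessary', purpose: 'Keeps the user logged in', owner: 'Web team' },
  _an_id:    { category: 'analytics',          purpose: 'Site analytics',           owner: 'Marketing' },
};

// Constructed Set-Cookie lines, as a scanner or the server's own logs might capture them.
const OBSERVED = [
  'sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax',
  '_an_id=u-42; Domain=.example.org; Max-Age=63072000; Path=/',
  'ad_uid=zzz; Domain=.ads.example; Expires=Wed, 21 Oct 2026 07:28:00 GMT; Path=/',
];

// Split "name=value; Attr=val; Flag" into a name and a lower-cased attribute map.
function parseSetCookie(line) {
  const parts = line.split(';').map(p => p.trim());
  const eq = parts[0].indexOf('=');
  const cookie = { name: parts[0].slice(0, eq), attrs: {} };
  for (const p of parts.slice(1)) {
    const i = p.indexOf('=');
    const key = (i === -1 ? p : p.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : p.slice(i + 1);
  }
  return cookie;
}

// Lifetime in days. Max-Age takes precedence over Expires (RFC 6265 section 5.3);
// a cookie with neither is a session cookie and is reported as 0 days.
function retentionDays(cookie, now) {
  const a = cookie.attrs;
  if (a['max-age'] !== undefined) return Number(a['max-age']) / 86400;
  if (a['expires'] !== undefined) return (Date.parse(a['expires']) - now.getTime()) / 86400000;
  return 0;
}

// A Domain attribute outside the site's own registrable domain marks a third party.
function isThirdParty(cookie, siteHost) {
  const d = cookie.attrs['domain'];
  if (!d) return false; // host-only cookie set by the site itself
  const dom = d.replace(/^\./, '');
  return !(siteHost === dom || siteHost.endsWith('.' + dom));
}

// Produce one report row per observed cookie with the findings a reviewer needs.
function auditCookies(lines, inventory, siteHost, now, maxDays) {
  return lines.map(parseSetCookie).map(c => {
    const entry = inventory[c.name];
    const days = retentionDays(c, now);
    const findings = [];
    if (!entry) findings.push('undocumented');
    if (isThirdParty(c, siteHost)) findings.push('third_party');
    if (days > maxDays) findings.push('retention_over_policy');
    return { name: c.name, category: entry ? entry.category : 'unknown', days: Math.round(days), findings };
  });
}
```

Run against the constructed input, the session cookie passes clean, the analytics cookie is documented but its two-year Max-Age exceeds the assumed policy, and the advertising cookie is undocumented, third-party and long-lived at once; that last row is exactly the kind of cookie the ICO's adtech review is concerned with, and the one a complainant with a free scanner would find first. The `now` parameter is passed in rather than read from the clock so a report is reproducible.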

In conclusion, providing no help for consumers to understand what cookies are used should be a thing of the past. How you interpret the ICO guidance is a matter of judgement and risk assessment. So long as you carry out that assessment and are able to explain your decisions, you are in a stronger position than if you did nothing.