Consent or pay – okay for Meta in the UK

ICO gives Meta the green light, but what do other businesses need to consider?

There’s been much debate about Meta’s use of personal information to target Facebook and Instagram users with advertising. Until now, targeted advertising was part of the standard terms and conditions for UK users of these services, but the Information Commissioner’s Office (ICO) says this is not in line with UK law. Meta is now planning to switch to a ‘consent or pay’ model, a model many of us are now familiar with when trying to access online newspaper articles.

Consent or pay (aka ‘pay or okay’) gives users a choice: a) consent to being tracked for advertising purposes; or b) pay for an ad-free service; or c) leave without accessing the content. It’s a model not without its fierce critics: how can consent be freely given? How can it be a genuine choice? There are clear battle lines between the right to privacy, data protection and ePrivacy laws on one side, and the right to conduct business on the other. The ICO seems to be trying to walk this tightrope.

In a statement the regulator has welcomed Meta’s decision to move to asking for the consent of users for targeted ads, saying:

“People must be given meaningful transparency and choice about how their information is used. At the same time, the ICO recognises that online platforms, like every business, need to operate commercially. There are a number of ways online platforms can do this in compliance with UK law and the ICO’s guidance.

“Under Meta’s chosen approach, people will be able to choose between consenting to personalised ads or paying a monthly subscription for an ad-free service – known as a ‘consent or pay’ model.”

A crucial point for the ICO is the price point for those who choose to pay. The ICO asked Meta to set a price which gives people a fair choice. As a result, Meta is said to have significantly lowered the starting price for a subscription, which will be close to half that of EU users.
The ICO says it will continue to monitor the roll-out of Meta’s changes, and indeed other companies’ use of consent or pay models.

4 cornerstones of ‘consent or pay’

“‘Consent or pay’ models can be compliant with data protection law if you can demonstrate that people can freely give their consent and the models meet the other requirements set out in the law.” ICO

If you are using a consent or pay model, or considering implementing it, there’s the potential to find yourself on the regulator’s radar, so it’s worth familiarising yourself with ICO guidance. This guidance makes it clear the right to the protection of personal data needs to be balanced against other rights, such as the right to conduct business.

We may have got used to lots of free news content, online games, and other free services, but the ICO recognises organisations should be able to monetise products, and there is no obligation for providers of online services to offer their services for free. However, the ICO says any decision to adopt the ‘consent or pay’ model must be assessed and documented to make sure it’s compliant with the UK GDPR and the Privacy and Electronic Communications Regulations (PECR). Businesses need to be ready to justify their approach. The guidance sets out four key areas for an assessment to focus on.

1. Power imbalance: Is there a clear power imbalance between you and the people using your product or service? It’s unlikely that people can freely give their consent if they have no realistic choice about whether or not to use the service. You should especially consider existing users of your product or service under this factor.

2. Appropriate fee: Have you set an appropriate fee for accessing your service without personalised advertising? It’s unlikely that people can freely give their consent if your fee is inappropriately high, making it an unrealistic choice.

3. Equivalence: Is your core service broadly equivalent in the products and services offered where people consent to personalised advertising and where people pay to avoid personalised advertising? You can include additional perks or features in either service; however, you should provide an equivalent core service across all options to ensure that people have a free choice.

4. Privacy by design: Do you present the choices equally to people, with clear, understandable information about what each choice means and what it involves? People cannot freely give their consent if they are uninformed about the available options or have their choice influenced by harmful design practices.

What’s clear is the UK ICO is taking a more lenient approach to consent or pay than some of its European counterparts. The model continues to be scrutinised by EU data protection authorities, and is the subject of high-profile complaints by privacy rights campaigners. It would be wise to do even more homework if you operate in the EU: see the European Data Protection Board Opinion on Consent or Pay.

In all of this, while much ‘targeted’ advertising can be innocuous, in some cases ads can cause very real distress and harm when targeting goes awry. The BBC has written here about a case where mothers who lost their babies were still targeted with upsetting baby-related content.
How to use the ‘charitable purpose soft opt-in’

When will charities be able to use it for direct marketing?

The Data Use and Access Act (DUAA) 2025 amends the Privacy and Electronic Communications Regulations (PECR), allowing charities to send direct marketing about their charitable purpose(s) without consent. But only IF they can meet specific criteria.

The ICO has launched a consultation on its proposed approach to this change, which sets out when charities will and won’t be able to use the so-called ‘charitable purpose soft opt-in’. This regulatory approach could be subject to changes after the consultation closes on 17 November. To make a clear distinction the ICO refers to the existing exemption to consent as the ‘commercial soft opt-in’.

This change is expected to take effect from January 2026 and until it has legally taken effect it must NOT be used by charities.

What’s the ‘commercial soft opt-in’?

The existing exemption to consent can be relied upon to send electronic marketing (e.g. emails and texts) only if ALL of the following conditions are met:

✔ A person’s contact details are collected during the course of a sale, or negotiations for a sale, of a product or service;
✔ An opportunity to refuse or opt out of the marketing is given at the point of collection, and in every subsequent communication;
✔ You only send marketing about your own similar products and services (not those of a third party).

The phrase ‘course of a sale, or negotiations for a sale’ has largely excluded charities from relying on this exemption, with limited use, for example, if you have an online charity shop.

Quick note: the rules under PECR on consent and the soft opt-in exemption apply to electronic marketing to ‘individual subscribers’, i.e. people’s personal email addresses. They don’t apply to emails to business contacts. See UK email marketing rules and ICO guidance on marketing to business contacts.

What’s the new ‘charitable purposes soft opt-in’?
The ICO’s draft guidance states organisations will be able to use the charitable purpose soft opt-in instead of consent, if the following requirements are fully met:

✔ You’re a charity, as defined under the law in England, Scotland or Northern Ireland.
✔ The sole purpose of your direct marketing is to further one or more of your charitable purposes.
✔ You obtained the contact details directly from the recipient. The ICO stresses ‘there is no such thing as a third-party marketing list that is ‘soft opt-in compliant’.’
✔ You obtained the details in the course of the recipient:
– expressing an interest in one or more of your charitable purposes. For example: signing up to your charity’s website or newsletter, or requesting information about your charitable purposes, events or services you offer; or
– offering or providing support to further one or more of your charitable purposes. For example: the recipient donates to, or volunteers to help, your charity.
✔ You gave an opportunity to refuse or opt out when you collected the details.
✔ You give an opportunity to refuse or opt out in every subsequent communication.

What is a charitable purpose?

The Charities Act 2011, and equivalent legislation in Scotland and Northern Ireland, provide a non-exhaustive list of examples which can be considered charitable purposes, if done for the public benefit. The ICO says furthering your charitable purpose can include activities such as:

✔ Requesting donations, including financial contributions and donations of clothes, food or other items
✔ Requesting volunteers’ help
✔ Providing information about your charity’s activities, including the work you do and the services you provide.

Do charities have to make changes?

The short answer is NO. This is a choice. Stick with consent where you currently use it for direct marketing, or switch to the charitable purpose soft opt-in if you wish to, and if you can meet its specific requirements.
5 key points to bear in mind

If you’re looking to make the switch from consent, we’d advise reading the ICO draft guidance in full. However, we’ve picked out some pertinent matters to consider.

1. It can’t be used retrospectively

The ICO stresses you can’t use this change to send electronic marketing (e.g. email and text) to people whose details you’ve already collected before it takes effect. The Regulator says this is because, if you’ve been relying on consent, you won’t have offered people an opportunity to opt out. Furthermore, you’re unlikely to meet wider data protection obligations such as satisfying the legitimate interests balancing test and the transparency principle.

2. No promotion of third parties

The charitable purposes soft opt-in can only be used to further your own charitable purposes. It must not be used to send marketing about other organisations, including other charities.

3. The charitable purposes and commercial soft opt-ins are NOT interchangeable

This is where the draft guidance gets more nuanced. The ICO says you can’t send electronic marketing about your charity’s commercial activities using the charitable purposes soft opt-in. Conversely, you can’t send electronic marketing about your charitable purposes using the commercial soft opt-in. This means if you rely on either soft opt-in you can’t mix up the content of an email or text marketing message. It must either relate to your charitable purposes or be about commercial activities, not both. The ICO gives an example of charities who carry out commercial activities like selling second-hand items.
The regulator says: “someone buying these items would not be considered as offering or provide support to further your charitable purpose because there may be other reasons for them to buy the items.”

In this situation the ICO says you’d need to ask people for their consent to send electronic marketing about your charitable purposes, or look to rely on the commercial soft opt-in to send electronic mail solely about your commercial activities. In practice, the ICO’s guidance means if you intend to use both types of soft opt-in, your CRM platform will need to be able to support this distinction and communications teams will need to clearly understand what can and can’t be sent to different audiences.

4. Meeting all the soft opt-in criteria might not be enough

The ICO says there may be some situations, even when you meet the criteria above, where it may still not be appropriate to send electronic mail marketing. An example is given of how it could cause harm to send direct marketing to someone who’s accessed a charity’s crisis intervention service.

5. Don’t forget you still need a lawful basis

When using either the charitable purposes or commercial soft opt-in, you will still need a lawful basis under UK GDPR when processing people’s personal information. If not consent, the only other appropriate option for direct marketing is likely to be legitimate interests. When relying on legitimate interests you need to balance your interests and make sure these don’t negatively impact on the recipient’s rights and freedoms. To comply with the law the regulator says you should conduct a legitimate interests assessment. This will help you to ask the right questions and objectively weigh up people’s reasonable expectations and any impact your activities could have on them.

6. Privacy notices will need updating

You’ll need to make sure relevant privacy notices are updated to clearly call out where direct marketing is carried out based on legitimate interests.
Pros and cons of the charitable soft opt-in

Beyond meeting legal requirements and regulatory expectations, in my experience there are some other matters to bear in mind before making the switch: some positives and some negatives. Here are a few…

Bigger audience of supporters to market to?

Collecting someone’s consent to send them marketing, obtaining a clear unambiguous tick (or check in a box), is undoubtedly a clear indication they would like to hear from you in future. However, asking people to take a positive action is recognised as negatively impacting on the volume of people you can communicate with. This is why many commercial organisations choose to use the commercial soft opt-in.

Opt-out / opt-in confusion?

Relying on the soft opt-in means you can provide people with the ability to opt out at the time they provide their contact details. This immediately raises a consideration: have people come to expect to be asked to opt in? If they have, there could be adverse consequences of switching to an opt-out. For example, if you switch:

■ Will people accidentally tick the box, thinking they are opting in, but in effect be opting out?
■ Conversely, will people who don’t want to receive marketing fail to tick the opt-out box (assuming it’s an opt-in) and inadvertently be saying ‘yes that’s okay’?

I’d advise carefully crafting the wording, to try and avoid confusion.

Clearer opt-out for ALL channels?

At the moment, organisations are presented with a dilemma if they collect consent for email (and/or text) marketing, but rely on legitimate interests for post and telemarketing. A statement which mixes opt-ins and opt-outs can create a muddle for people. We’ve noticed some charities have got round this by including a statement explaining they will communicate by post and telephone, with clear contact details for how to change preferences (i.e. if they want to object).
Being able to provide an opt-out for ALL marketing channels could prove simpler and clearer. But remember you wouldn’t be able to rely on the charitable purpose soft opt-in to send communications about commercial activities.

Can your CRM system handle a switch from consent?

Switching from opt-in to opt-out could present a technical challenge. You’ll need to be able to clearly distinguish on your database between:

■ those who previously provided their consent
■ those who were asked for consent but declined, or have subsequently opted out, and
■ moving forward, those who were given a soft opt-in statement and have simply not opted out
■ where relevant, the distinction between the commercial soft opt-in and the charitable purposes soft opt-in

When you gather new data via the soft opt-in, you’ll need to make sure it’s mapped correctly to your CRM. Some CRM systems may not have more than two statuses for each marketing channel, i.e. they may have been built with just ‘consent’ or ‘no consent’ and therefore may have no way to record a legitimate interest for direct marketing.

In summary, the charitable purpose soft opt-in provides a levelling of the playing field between commercial businesses and charities. It definitely presents an opportunity some will want to take advantage of, but it will take some careful planning.
UK email marketing rules

Is email marketing putting your business at risk?

Hardly a month goes by without an announcement from the UK’s Information Commissioner’s Office of another business being fined for falling foul of the email and SMS marketing rules. It continues to surprise me that some marketing and communications teams haven’t heard of the Privacy and Electronic Communications Regulations. They’ve been around since 2003 (far longer than GDPR), so businesses really have no excuse. Of course, there will always be some who want to try and get away with it.

Under PECR there are specific rules for direct marketing by telephone, email and SMS, plus rules for cookies and similar technologies. Here I’m going to focus on email marketing. The same rules apply to SMS and to other ‘electronically stored’ marketing messages, including picture or video messages, voicemail, in-app messages and personal messaging on social media.

Consent for business-to-consumer (B2C) marketing emails

Unless using the exemption below, you must collect consent before you send email marketing to what are termed individual subscribers. This definition covers people who personally subscribe to their email service provider, for example people who give you their personal gmail, hotmail or btinternet email address.

Soft opt-in exemption for business-to-consumer (B2C) marketing emails

There’s an exemption to consent for B2C email marketing, commonly known as the soft opt-in. This can only be used if the following criteria are met:

The individual’s contact details are collected during the course of a sale (or negotiations of a sale) of a product or service;
An opportunity to refuse or opt out of the marketing is given at the point of collection and in every subsequent communication; AND
You only send marketing about your own similar products and services.
See PECR Regulation 22 and the ICO Guidance on Electronic Mail.

These strict criteria mean charities’ ability to rely on this exemption is very limited. However, the UK Data (Use & Access) Act 2025 amends PECR and introduces the ‘charitable purpose soft opt-in’, which we’ve written more about here.

Marketing emails to business contacts (B2B)

The rules on consent and the soft opt-in exemption do not apply to what are termed corporate subscribers. A corporate subscriber is described by the ICO as any corporate body (an entity with a separate legal status) with its own phone number or internet connection. For example, my work email address has the domain <name>@dpnetwork.org.uk. DPN Associates pays for this service, not me as an individual. Businesses don’t legally need consent to contact me at my DPN business email address.

To quote the ICO on this: “The PECR rule on direct marketing by electronic mail does not apply to corporate subscribers. For example, this means you can send B2B direct marketing emails or texts to any corporate body. You do not need their consent under PECR to send such messages.”

A couple of key points to bear in mind:

A named business contact will still fall under the definition of personal data. Therefore B2B marketing to named individuals must comply with UK GDPR.
Sole traders and some partnerships technically fall under the definition of individual subscribers, where consent or the soft opt-in exemption would be required.

The right to object

Everyone has the absolute right to object to direct marketing. This applies to both B2C and B2B marketing communications. Marketing emails should always have an unsubscribe link or clear instructions on how to opt out. Businesses also need to make sure everyone who has opted out of emails is not included again.

Global email marketing

If you’re a UK-based company sending marketing emails outside the UK, you’ll need to check the rules in the destination country.
The rules in the recipients’ country will apply. The rules in Germany, for example, are stricter than they are in the UK. Rules differ across Europe and the rest of the world for B2C and B2B email marketing.

What about UK GDPR?

Once you’ve got the PECR rules straight, you also need to consider what’s necessary to comply with UK GDPR. For example, you should be transparent about your activities, fulfil the right to be informed, the right to object to direct marketing and so on. You also need to identify a lawful basis for your marketing activities and meet the requirements of this lawful basis.

Consent

If you’re relying on consent under PECR, the ICO tells us consent must meet UK GDPR’s standards. In other words, consent should be ‘freely given, specific, informed and unambiguous’ and must be given by the individual with a ‘clear affirmative action’. One of the big changes under GDPR was that the consent requirements became far stricter. It’s worth double-checking you’re meeting them. See Consent – are you getting it right?

Legitimate Interests

If you don’t have to rely on consent, your other option is legitimate interests. There is a handy table in the ICO’s legitimate interests guidance under Can we use legitimate interests for our marketing activities?, which sets out when consent is required and when legitimate interests may be appropriate.

It shouldn’t be a throwaway decision to rely on legitimate interests. GDPR requires you to carefully balance the legitimate interests of your business with the ‘rights and freedoms’ of the people you’re going to market to. You need to take care to make sure the rights of those whose data you’re collecting are not undermined by your business’s legitimate interests. We’d advise completing a Legitimate Interests Assessment (known as a balancing test) and keeping a record of this.

Other areas to be mindful of

Disguising a marketing message as a service message.
Businesses will often need to send service messages by email for administrative or customer service purposes. These can be sent to everyone provided they only contain essential factual information for your customer, such as confirming an order, confirming a delivery date/time, and so on. However, if there’s any promotional content, for example an upsell or cross-sell message, they will be deemed to be direct marketing messages and then PECR will apply. See Marketing and Service Messages.

Asking for permission to send marketing by email is deemed to be a marketing message in itself. So you can’t email people (‘individual subscribers’) to ask them to consent to marketing.

‘Hosted’ emails: this is where you use another organisation to promote your products or services to their database. This could cause a problem if you are judged to be the ‘instigator’ of these emails, especially in a B2C context, and valid ‘named’ consent wasn’t collected, i.e. your business wasn’t named when the other organisation collected consent.

The above are all areas the ICO has taken action in the past. On the face of it, email marketing rules might seem a minefield of terms: consent, soft opt-ins, opt-outs, legitimate interests, sole traders and corporate subscribers. But once the rules are embedded into marketing teams’ heads and ways of working, it can make life easier and reduce the chances of unknowingly violating them and risking a fine.
DUA Act – next steps

When will provisions under the Data Use and Access Act 2025 (DUAA) take effect, and when can we anticipate guidance being published by the Information Commissioner’s Office?

The DUAA received Royal Assent on 19th June, but while limited provisions came into effect immediately, the majority will be phased in over the coming months up to June 2026, with some requiring secondary legislation to be passed.

To be crystal clear, the DUAA does not replace UK GDPR, the Data Protection Act 2018 or the Privacy and Electronic Communications Regulations (PECR). The Act brings in amendments to these core pieces of legislation, much in the same way PECR was amended in 2009 with the so-called ‘cookie law’.

Commencement of DUAA provisions

With immediate effect: One provision which has come in with immediate effect is clarification that when responding to Data Subject Access Requests (the right of access) organisations only need to undertake a “reasonable and proportionate search”. This inserts a new Article 15(1A) into UK GDPR, and gives a statutory footing to existing case law and guidance from the ICO.

From 20th August 2025 the following amendments will come into force:

■ Information Commissioner can serve notices by email. This amends the Data Protection Act 2018 with a new section 141A permitting notices to be served by email. You may want to double-check the email address the ICO has on file for your organisation on the register of fee payers, make sure this is regularly monitored, and agree which person or team a notice should be immediately forwarded to.
■ Information Notices and ICO power to ask for documentation. This grants the ICO the power to require organisations to provide documents as well as information when responding to an Information Notice.

Other measures commencing on 20th August include requirements for the Government to prepare a progress update and report on copyright and AI.
From September/October: Commencement is expected of measures on digital verification services.

Around December: Commencement of main changes to data protection legislation.

From January 2026 it looks like provisions such as the soft opt-in for charities, changes to the cookie rules and recognised legitimate interests will come into effect.

For a top-level summary see DUAA 2025: 15 key changes ahead.

ICO guidance

The ICO has published a timeline of when we can expect updated or new guidance covering the changes the DUAA ushers in.

Summer 2025
■ Data Subject Access Requests – update to detailed Right of Access guidance
■ Substantial public interest conditions – a new interactive tool
■ Cookies & similar technologies (Part 1) – update to ‘cookie guidance’, renamed ‘guidance on storage and access technologies’

Autumn 2025
■ Draft guidance on charities’ use of the soft opt-in

Winter (2025/26)
■ Direct marketing and Privacy and Electronic Communications Regulations guidance – update to existing guidance
■ Complaints procedures – new guidance for organisations on how to handle data protection complaints
■ Lawful basis of recognised legitimate interests – new guidance
■ Legitimate interests – update to existing guidance
■ International data transfers guidance – update to existing guidance
■ Cookies & similar technologies (Part 2) – (‘guidance on storage and access technologies’)
■ The purpose limitation principle – updated and enhanced guidance
■ Anonymisation and pseudonymisation for research purposes – guidance

Spring 2026
■ Automated Decision Making (ADM) and Profiling – updated guidance
■ Research, archiving and statistics provisions – updated guidance
■ SME data essentials – guidance

More detail and other updates from the ICO can be found here: plans for new and updated guidance.

Codes of practice

The ICO will also in due course be producing codes of practice on edtech and artificial intelligence.
There’s lots to watch out for and we’ll try our best to keep you up to date with developments as and when they happen.
Big change as marketing ‘soft opt-in’ set to be extended to charities

In a hugely significant move the Government has adopted an amendment to the Data (Use and Access) Bill (DUA), which paves the way for charities to be able to benefit from the ‘soft opt-in’ exemption to consent for email and text marketing. This marks a clear move to level the playing field between charities and commercial businesses.

In December nineteen major UK charities joined the Data & Marketing Association (DMA) in urging the Government to make this change. The DMA estimates extending the soft opt-in to charities will increase annual donations in the UK by £290 million.

What is the soft opt-in?

There’s a common misconception that consent is always needed for email marketing to ‘individual subscribers’ (i.e. B2C – business to consumer marketing). There’s always been an exemption available to commercial businesses, commonly referred to as the ‘soft opt-in’. Under the Privacy and Electronic Communications Regulations (PECR) this can be relied upon for marketing emails and texts if ALL of the following conditions are met:

■ A person’s contact details are collected during the course of a sale, or negotiations for a sale, of a product or service;
■ An opportunity to refuse or opt out of the marketing is given at the point of collection, and in every subsequent communication;
■ You only send marketing about your own similar products and services (not those of a third party).

These strict criteria, in particular the first point, have meant charities have been very restricted and have only technically been able to use this exemption in a commercial context, for example when someone purchased a product from an online charity shop. But charities have not been permitted to use supporter data gathered via the soft opt-in for fundraising purposes.

However, the DUA Bill has now been amended to include a section on ‘Use of electronic mail for direct marketing by charities’.
This states:

A charity may send or instigate the sending of electronic mail for the purposes of direct marketing where—
(a) the sole purpose of the direct marketing is to further one or more of the charity’s charitable purposes;
(b) the charity obtained the contact details of the recipient of the electronic mail in the course of the recipient—
(i) expressing an interest in one or more of the purposes that were the charity’s charitable purposes at that time; or
(ii) offering or providing support to further one or more of those purposes; and
(c) the recipient has been given a simple means of refusing (free of charge except for the costs of the transmission of the refusal) the use of their contact details for the purposes of direct marketing by the charity, at the time that the details were initially collected, and, where the recipient did not initially refuse the use of the details, at the time of each subsequent communication.

What do charities need to consider?

The Bill is still progressing through Parliament, so it’s not law yet. But once passed it will give charities a choice: stick with consent or start collecting new data using the soft opt-in. Of course, the pros and cons will need to be weighed up. This will raise some important questions, including (but not limited to):

■ Will your CRM system be able to store multiple permission statuses for legacy data alongside new data gathered under the soft opt-in?
■ Will supporters find it confusing if you suddenly switch?
■ Will people tick a box, thinking they’re opting in, when actually they’ll be opting out?

We’ve written more about this here: The marketing soft opt-in – pros and cons

It has always felt unbalanced that the commercial sector has been able to benefit from this exemption to consent, but charities have not been able to. Here at DPN we’re delighted the lobbying of the DMA and charities has paid off.
Cookie reprimand and more ICO investigations

How to get to grips with your cookies and similar technologies

Following warnings issued to companies operating some of the UK’s most popular websites in relation to their use of advertising cookies, the ICO has issued a reprimand to a leading betting website. It’s also announced an investigation into a company which has failed to take action to meet cookie compliance requirements.

Bonne Terre Ltd, trading as Sky Betting and Gaming, received a reprimand for ‘unlawfully processing people’s data through advertising cookies without their consent’. Third-party tracking technologies including cookies were dropped by the SkyBet website onto user devices, which collected personal data (e.g. device ID and unique identifiers). While the site had a cookie notification (pop-up) and a consent management platform (CMP), the ICO investigation found certain cookies were dropped onto user devices before visitors interacted with the CMP. This meant visitors’ personal information was being processed and made available to AdTech vendors without the visitors’ knowledge or prior consent.

In my experience this is an area organisations often get wrong: cookies and other trackers being deployed onto user devices immediately on page load, regardless of the CMP.

The ICO also looked into whether Sky Betting and Gaming were deliberately misusing people’s personal information to target vulnerable gamblers, but found no evidence of deliberate misuse. As a result of the ICO investigation, Sky Betting and Gaming made changes in March 2023 to make sure people could reject all advertising cookies before their personal information was shared down the AdTech supply chain.

Along with this reprimand the ICO has announced it will be investigating a gossip website, Tattle Life. Despite receiving an ICO warning, Tattle Life is said to have failed to engage.
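The failure mode described above (non-essential cookies set before the visitor has interacted with the CMP) is easy to check for once you have a cookie inventory. The following is an added example and not code from the ICO, from Sky Betting and Gaming or from any CMP vendor. It shows two defender-side pieces: a small consent gate in which nothing outside the strictly necessary category loads until the visitor has chosen, with ‘reject all’ taking exactly the same single step as ‘accept all’; and an audit check that, given a list of cookie-set events and the moment the visitor made a choice, reports every non-essential cookie that was set too early. The category names follow the categorisation step in the 5 steps below, with ‘advertising’ added; the cookie inventory, the `INVENTORY`, `findPreConsentCookies` and `loadPermittedTags` names, and the sample events are all constructed for this example.

```javascript
// Added example (not the ICO's, Sky Betting and Gaming's or any CMP vendor's code).
// (1) A consent gate that never loads non-essential tags until the visitor has chosen,
//     with rejectAll costing the same single step as acceptAll.
// (2) An audit check that flags cookies set before that choice was made.
// Category names, inventory, sample events and function names are constructed.

const CATEGORIES = ["strictly_necessary", "functional", "analytics", "advertising"];

// Output of a (constructed) cookie audit: cookie name -> category.
const INVENTORY = {
  session_id: "strictly_necessary",
  csrf_token: "strictly_necessary",
  ui_theme: "functional",
  _ga: "analytics",
  ad_uid: "advertising",
};

// Fresh state: before any interaction only strictly necessary cookies are allowed.
function createConsentState() {
  return { interacted: false, allowed: new Set(["strictly_necessary"]) };
}

// One click grants every category.
function acceptAll(state) {
  state.interacted = true;
  state.allowed = new Set(CATEGORIES);
  return state;
}

// One click, same effort as acceptAll, keeps only what the site needs to function.
function rejectAll(state) {
  state.interacted = true;
  state.allowed = new Set(["strictly_necessary"]);
  return state;
}

// Granular choice: strictly necessary is always kept, unknown category names are ignored.
function allowCategories(state, categories) {
  state.interacted = true;
  const chosen = categories.filter((c) => CATEGORIES.includes(c));
  state.allowed = new Set(["strictly_necessary", ...chosen]);
  return state;
}

function mayLoad(state, category) {
  return state.allowed.has(category);
}

// Tag loading gate: returns the names of the tags permitted to run right now.
// Each tag is { name, category }; on a real page the caller would inject only these scripts.
function loadPermittedTags(state, tags) {
  return tags.filter((t) => mayLoad(state, t.category)).map((t) => t.name);
}

// Audit: events are { name, setAt } with setAt in ms since page load; interactedAt is
// when the visitor made a choice, or null if they never did. Any cookie that is not
// strictly necessary and was set before that moment is a violation. Cookies missing
// from the inventory are reported with category "unknown" so they surface too.
function findPreConsentCookies(events, interactedAt, inventory = INVENTORY) {
  return events
    .map((ev) => ({ name: ev.name, category: inventory[ev.name] || "unknown", setAt: ev.setAt }))
    .filter((ev) => ev.category !== "strictly_necessary")
    .filter((ev) => interactedAt === null || ev.setAt < interactedAt);
}

// Constructed sample: analytics and ad cookies dropped at load, an unlisted tracker too,
// the banner clicked at 3000 ms, and a functional cookie set only after that.
const SAMPLE_EVENTS = [
  { name: "session_id", setAt: 100 },
  { name: "trk_xyz", setAt: 200 }, // not in the inventory
  { name: "_ga", setAt: 500 },
  { name: "ad_uid", setAt: 800 },
  { name: "ui_theme", setAt: 3500 },
];
const SAMPLE_INTERACTED_AT = 3000;

function runAudit() {
  return findPreConsentCookies(SAMPLE_EVENTS, SAMPLE_INTERACTED_AT);
}

if (typeof require !== "undefined" && require.main === module) {
  for (const v of runAudit()) {
    console.log(`pre-consent cookie: ${v.name} (${v.category}) set at ${v.setAt} ms`);
  }
}
```

Run against the constructed sample, the audit reports three cookies (the unlisted tracker, the analytics cookie and the advertising cookie) as set before the visitor's choice, while the session cookie is exempt and the functional cookie is fine because it was set after the click. In practice the events would come from a browser automation run or a tag manager's debug log, and the inventory from the audit in step 1 below; the point of the "unknown" category is that anything your inventory does not explain is exactly what a regulator's scan would find first.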
What is the ICO’s key concern?
The ICO is focusing on meeting the requirement to give users a fair choice over whether they are tracked for advertising purposes. Along with not dropping non-essential cookies on a user’s device automatically regardless of whether they have given their consent, the ICO stresses organisations must make it as easy for users to ‘reject all’ as it is to ‘accept all’. To be clear, websites can still display adverts when users reject tracking, just not ones which are tailored to the person’s browsing habits.
Our 5 steps for compliant cookies
So, how can we make sure we’re following the rules when we deploy cookies and other similar technologies? Here are some straightforward steps to take:
1. Audit: Do a cookie audit. If you don’t know what cookies your website is using you can’t even start to be compliant. Run a diagnostic scan to discover exactly what cookies and similar technologies are currently deployed on your website(s). Establish what they are being used for, which are provided by third-party providers and which involve the sharing of data with the third party (for example Google, Meta, etc).
2. Spring clean: Get rid of the cookies you no longer need. This might sound obvious, but you’d be surprised how often we find long-forgotten cookies lurking on websites, serving no purpose yet still needlessly sharing data with third parties! You might need to check with your colleagues which are still used.
3. Categorise: Categorise your cookies – what are they used for?
Strictly necessary (essential) cookies – these are vital for the website to operate. For example, a cookie which helps keep the website secure, or a cookie which allows items to be added to a cart in an online store.
Analytics/Statistics/Performance cookies – for example, cookies which allow you to monitor and improve the site performance.
Functional cookies – cookies which enable a site to remember user preferences and settings, to enhance their experience on your website.
Advertising/Targeting cookies – allowing visitors to be followed from one website to another so tailored advertising can be displayed, or to target the most relevant advertising on your own website.
4. Collect consent: The law tells us you need to collect consent for all cookies and similar technologies which are not ‘strictly necessary’ before cookies are dropped onto the user’s device. To achieve this, you may wish to select a specialist Consent Management Platform to handle notifications and consents for you, as a website ‘plug-in’. There are many CMPs on the market, some of which are free. Beware that not all of them meet the UK/EU cookie requirements, so care is required when selecting the right one. If you use sub-domains on your website, deploy a high number of cookies or want to exercise some creativity with how it looks, you’re likely to need a paid solution.
5. Notify website users: Provide a clear notification about the cookies and similar technologies you deploy. This should include: the cookies you intend to use; the purposes they will be used for; any third parties who may also process information stored in or accessed from the user’s device; and the duration of any cookies you wish to set. There are two approaches to this. You can let the CMP handle both the notification (pop-up) and the provision of more detailed information about cookies, or you can use the CMP for the pop-up and provide a separate, more detailed cookie notice.
What are cookies and similar technologies?
Cookies are small pieces of information which are used when users visit websites. The user’s software (for example, their web browser) can store cookies and send them back to the website the next time they visit. The cookie rules also apply to any other technologies which store or access information on a user’s device. For example, similar technologies could include web beacons, scripts, tracking pixels and plugins.
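The five steps above, and the Sky Betting finding that cookies were dropped before anyone had interacted with the CMP, come down to one check: nothing outside the ‘strictly necessary’ category is set until a consent record exists. The following is an added example written for this page, not code from DPN, the ICO or any CMP vendor. It does two things: audits the Set-Cookie headers a site sends on first load (step 1 and step 3 turned into a test you can run against a staging site), and gates each cookie against the visitor’s consent record (step 4). The registry, cookie names, domains and header lines are all constructed.

```python
"""Pre-consent cookie audit and consent gate.

Added example for this page, not code from the article, the ICO or any CMP
vendor. The registry, cookie names, domains and Set-Cookie lines below are
all constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# The categories from step 3.
STRICTLY_NECESSARY = "strictly necessary"
FUNCTIONAL = "functional"
ANALYTICS = "analytics"
ADVERTISING = "advertising"
NON_ESSENTIAL = (FUNCTIONAL, ANALYTICS, ADVERTISING)

# Hypothetical registry produced by the audit (step 1) and categorisation
# (step 3): cookie name -> (category, third party that receives the data, or None).
REGISTRY = {
    "sessionid":   (STRICTLY_NECESSARY, None),
    "csrftoken":   (STRICTLY_NECESSARY, None),
    "cart":        (STRICTLY_NECESSARY, None),
    "lang":        (FUNCTIONAL, None),
    "_site_stats": (ANALYTICS, "analytics-vendor.example"),
    "_ad_id":      (ADVERTISING, "adnetwork.example"),
}


@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    attrs: Dict[str, str]   # attribute name, lower-cased -> value ("" for flags such as Secure)


def parse_set_cookie(header_value: str) -> Cookie:
    """Split one Set-Cookie header value into name, value and attributes."""
    first, *rest = header_value.split(";")
    name, _, value = first.strip().partition("=")
    attrs = {}
    for part in rest:
        key, _, val = part.strip().partition("=")
        attrs[key.lower()] = val
    return Cookie(name, value, attrs)


@dataclass(frozen=True)
class Finding:
    name: str
    category: str            # registry category, or "unregistered"
    third_party: Optional[str]
    domain: str
    max_age: str
    reason: str


def audit_pre_consent(set_cookie_headers: List[str], registry=REGISTRY) -> List[Finding]:
    """Flag cookies that must not be dropped before the user has consented.

    Feed it the Set-Cookie values observed on first load, before anyone has
    interacted with the consent pop-up. Anything not strictly necessary is a
    finding, and so is a cookie the registry does not know about: you cannot
    be compliant for a cookie you have not audited.
    """
    findings = []
    for header in set_cookie_headers:
        c = parse_set_cookie(header)
        domain = c.attrs.get("domain", "(host only)")
        max_age = c.attrs.get("max-age", "session")
        if c.name not in registry:
            findings.append(Finding(c.name, "unregistered", None, domain, max_age,
                                    "not in the cookie registry; audit it before it goes live"))
            continue
        category, third_party = registry[c.name]
        if category == STRICTLY_NECESSARY:
            continue
        reason = f"{category} cookie set before consent"
        if third_party:
            reason += f", data shared with {third_party}"
        findings.append(Finding(c.name, category, third_party, domain, max_age, reason))
    return findings


def may_set(name: str, consent: Dict[str, bool], registry=REGISTRY) -> bool:
    """Gate to call before every Set-Cookie (or before loading a tag that sets one).

    Strictly necessary cookies always pass; a non-essential cookie passes only
    when the visitor has opted in to its category. 'Reject all' is simply a
    consent record with every category False. Unknown cookies never pass.
    """
    category, _ = registry.get(name, (None, None))
    if category == STRICTLY_NECESSARY:
        return True
    return category in NON_ESSENTIAL and consent.get(category, False)


REJECT_ALL = {cat: False for cat in NON_ESSENTIAL}
ACCEPT_ALL = {cat: True for cat in NON_ESSENTIAL}

# Constructed Set-Cookie headers as a site might send them on first load,
# before the visitor has clicked anything in the consent pop-up.
FIRST_LOAD_HEADERS = [
    "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
    "csrftoken=tok; Path=/; Secure; SameSite=Strict",
    "_site_stats=s42; Domain=.shop.example; Max-Age=63072000; Path=/",
    "_ad_id=xyz; Domain=.adnetwork.example; Max-Age=7776000; Path=/; SameSite=None; Secure",
    "old_promo=1; Path=/; Max-Age=31536000",
]

if __name__ == "__main__":
    for f in audit_pre_consent(FIRST_LOAD_HEADERS):
        print(f"{f.name:12} {f.category:18} domain={f.domain} max-age={f.max_age}  {f.reason}")
```

Run against the constructed headers, the audit reports the analytics and advertising cookies (with the third party each one feeds) and the forgotten `old_promo` cookie that nobody registered, which is exactly the ‘spring clean’ case in step 2. The `Domain` and `Max-Age` attributes are kept in each finding because they are what the step 5 notice has to disclose.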
What the law says
Contrary to what we often read in the papers, GDPR does not give us the rules for cookies and similar technologies. In the UK the rules are set out in the Privacy and Electronic Communications Regulations (PECR), which are derived from the EU ePrivacy Directive. The specific requirements vary by country, so think about which countries your site users visit from. Many EU countries have their own rules, all based on the same EU Directive, but in the real world they have their own nuances.
In simple terms, you can’t ‘drop’ a file on a user’s device or gain access to information stored on their device unless:
a) You have provided clear and comprehensive information about your purposes for doing this, and
b) You have collected the consent of the user.
There is an exemption for strictly necessary cookies only. The cookie rules apply regardless of whether you’re processing personal data or not, i.e. these rules also apply to the automated collection of anonymised data.
Some points worth noting from ICO guidance
Consent needs to meet the requirements under GDPR for it to be a specific, informed indication of someone’s wishes given by a clear affirmative action. You must inform users about what cookies you use and what they do before they give their consent. Where third-party cookies are used, you must clearly and specifically name who these third parties are and what they will do with the information collected. Users must be given control over non-essential cookies, and should be able to continue to use your website if they don’t give consent.
It’s worth noting the ICO has determined analytics cookies are NOT essential and require consent. However, this is not always the case in other European countries. For example, the French regulator CNIL does not mandate the collection of consent for analytics cookies.
They consider these cookies can be used under Legitimate Interests, which means they still require websites to notify users and give them the opportunity to object (opt-out).
The future and alternative solutions for cookies
In both the UK and the European Union there’s a concerted desire to simplify the rules and remove the necessity for everyone to be faced with a barrage of cookie pop-ups on every website they visit. As yet, however, a suitable solution has not been agreed. Instead of using third-party cookies to help target advertising, there are a growing number of contextual advertising solutions, which are less intrusive, and a growing interest in more privacy-friendly edge computing solutions. However, there’s a sense these alternatives are not yet fully tried and tested. So we’ve seen a move by some organisations (particularly publishers) to a consent or pay model.
Yet more CC email data breaches
Despite a stark warning from the Information Commissioner’s Office last year that a failure to correctly use the BCC field (Blind Carbon Copy) is one of the most common causes of breaches – the mistakes keep happening.
The ICO has recently fined and issued a reprimand to the Central YMCA for sending an email to individuals participating in a programme for people living with HIV. The CC field was used, thereby revealing the email addresses to all recipients. 166 recipients could be identified or potentially identified from this, and it could be inferred they were likely to be living with HIV.
Then we hear the Conservative party has reported a breach to the ICO, after hundreds of email addresses were visible to all recipients in an email communication promoting the party’s annual conference. Again a mistake in using CC rather than BCC. The latter would have kept email addresses private. And a mistake which has the potential to reveal people’s political affiliations.
Last year, in response to the number of breaches of this nature, the ICO published specific email security guidance to try and help organisations make sure their email communications are more secure. Such breaches can cause considerable distress and harm, especially if sensitive personal information is involved, or can be inferred from the context of the email. The Regulator provides the following suggestions:
■ Setting rules to provide alerts to warn employees when they use the CC field.
■ Setting a delay, to allow time for errors to be corrected before the email is sent.
■ Turning off the auto-complete function to prevent the system suggesting recipients’ email addresses.
■ Making sure staff are trained about security measures when sending bulk communications by email.
■ Using alternative, more secure bulk email solutions.
The Central YMCA and Conservative Party are not the first to find themselves in the spotlight for incorrectly using CC. Sadly, I suspect they won’t be the last.
A couple of years ago, HIV Scotland was fined for failing to protect personal data. An email was sent to 105 members of HIV Scotland’s Community Action Network (CAN). Email addresses were visible to all recipients in the CC field. Although the email addresses themselves may be considered fairly innocuous, due to the nature of the email the charity had inadvertently disclosed special category data. The ICO commented that assumptions could be made about individuals’ HIV status or risk from the data disclosed. The ICO investigation found a number of shortcomings in the charity’s email procedures, including inadequate staff training and an inadequate data protection policy.
The message is simple: the BCC method of bulk email is open to human error, and not advisable when sending bulk emails to multiple recipients and/or if the email could reveal sensitive information. Instead the advice is to use other secure means, such as bulk email services. This would prevent such mistakes being made. The ICO says it would also expect businesses to have policies and training in relation to email communications.
It’s also worth checking out the National Cyber Security Centre’s useful Email Security Checklist.
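The first of the ICO’s suggestions above, a rule that alerts staff when the CC field is used, is easy to state and worth seeing as an actual check. The following is an added example for this page, not code from DPN, the ICO, the NCSC or any mail product: a send-side hook, of the kind a mail gateway or an add-in could run on a draft, that counts the addresses every recipient would be able to see and warns on external CC use or blocks outright when the message is really a bulk send. The sender domain, the addresses and the threshold are constructed.

```python
"""Pre-send check for address exposure in the To and Cc fields.

Added example for this page, not code from the article, the ICO or any mail
product. The organisation domain, addresses and threshold are constructed.
"""
from dataclasses import dataclass, field
from email import message_from_string
from email.message import Message
from email.utils import getaddresses


def _addresses(msg: Message, header: str) -> list:
    """All addresses in a header (which may be repeated), lower-cased."""
    return [addr.lower() for _, addr in getaddresses(msg.get_all(header, [])) if addr]


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1]


@dataclass
class ExposureResult:
    visible: list = field(default_factory=list)    # To + Cc: every recipient sees all of these
    hidden: list = field(default_factory=list)     # Bcc: not disclosed to the other recipients
    external_visible: list = field(default_factory=list)
    issues: list = field(default_factory=list)     # (severity, message), severity "warn" or "block"

    @property
    def should_block(self) -> bool:
        return any(sev == "block" for sev, _ in self.issues)


def recipient_exposure(msg: Message, own_domain: str, max_visible: int = 5) -> ExposureResult:
    """Decide whether a draft would disclose recipients' addresses to one another.

    own_domain: the sender's own organisation; colleagues seeing each other's
    addresses is not a disclosure, so those are not counted.  max_visible: how
    many external addresses may sit in To/Cc before the message is treated as
    a bulk send and blocked rather than merely flagged.
    """
    result = ExposureResult(
        visible=_addresses(msg, "To") + _addresses(msg, "Cc"),
        hidden=_addresses(msg, "Bcc"),
    )
    own = own_domain.lower()
    result.external_visible = [a for a in result.visible if _domain(a) != own]
    external_cc = [a for a in _addresses(msg, "Cc") if _domain(a) != own]

    # The ICO suggestion: alert whenever CC is used for people outside the organisation.
    if external_cc:
        result.issues.append(("warn",
            f"CC field holds {len(external_cc)} external address(es) that every recipient "
            "will see; use Bcc unless the recipients already know each other"))
    # A bulk send with visible addresses is the pattern behind the breaches described above.
    if len(result.external_visible) > max_visible:
        result.issues.append(("block",
            f"{len(result.external_visible)} external addresses visible in To/Cc "
            f"(limit {max_visible}); send via Bcc or a bulk mailing service"))
    return result


# Constructed drafts. DRAFT_CC repeats the mistake the article describes;
# DRAFT_BCC is the same message with the recipients moved to Bcc.
DRAFT_CC = """\
From: programme-team@charity.example
To: programme-team@charity.example
Cc: alice@mail.example, bob@mail.example, carol@mail.example, dave@mail.example, erin@mail.example, frank@mail.example
Subject: Next week's session

Reminder that we meet on Tuesday.
"""
DRAFT_BCC = DRAFT_CC.replace("Cc:", "Bcc:")

if __name__ == "__main__":
    for label, draft in (("CC", DRAFT_CC), ("BCC", DRAFT_BCC)):
        r = recipient_exposure(message_from_string(draft), "charity.example")
        print(label, "BLOCK" if r.should_block else "ok", r.issues)
```

The two severities map onto the ICO’s list: a warning is the alert that makes a sender pause (and pairs naturally with a send delay), while a block is the point at which the organisation’s policy says bulk email belongs in a dedicated mailing tool rather than a CC line. The threshold is a policy choice; for a programme whose membership is itself sensitive, as in the Central YMCA and HIV Scotland cases, a limit of one external visible address is defensible.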