Using cookies – why should you bother to get match fit?

April 2021

In 2019, with new guidance, the ICO confirmed GDPR level consent is required for the placing of cookies (unless ‘strictly necessary’). In the same year, the ICO launched their investigation into AdTech and Real Time Bidding.

With the pandemic the data protection focus has been elsewhere but now, things are moving again:

  • French CNIL fined Google and Amazon fined €135m for failing to obtain consent
  • The ICO restarted its investigations into AdTech
  • The Spanish DPA fined Iberia for failing to allow for the option to reject cookies

Yet, in early 2020, a research study by from MIT/UCL/Aarhus Universities indicated only 1 in 10 UK websites were compliant!

What does this all mean, and should we care?

The cookie basics

Does your website have a cookie pop-up? Do you have a clear Cookie Notice explaining how you use cookies and similar technologies? Are you collecting consent for the cookies you use?

We’ve all seen the deluge of cookie notifications, some are strictly compliant, others aren’t, and plenty are downright confusing.

Not only that, but should we be thinking about more than just cookies? What about pixels, scripts, fingerprinting and plugins?

What does ‘good’ look like?

In the ICO’s updated Cookie Guidance published in 2019, the Regulator confirmed GDPR standard consent is required for the placing of cookies or similar technology, unless ‘strictly necessary’.

A lot of information can be captured with a cookie including IP addresses and device IDs. These are deemed to be personal data. The guidance says the following;

  • users should take a clear and positive action to consent to non-essential cookies
  • pre-ticked boxes or sliders defaulted to ‘on’ shouldn’t be used for non-essential cookies
  • non-essential cookies shouldn’t be dropped before you gain consent
  • websites and apps should tell users clearly what cookies will be set and what they do
  • it must be clear what third party cookies you use

In short, the ICO says people should be given control and it isn’t sufficient to tell them to go and change their browser settings.

‘Strictly necessary’, is strictly interpreted

Consent is not required for cookies that are ‘strictly necessary’, but these should be essential to the service you’re providing. The ICO has deemed analytics cookies to be non-essential.

(Interestingly there’s some discrepancy across European regulators on this point, the French CNIL does not take such a strict interpretation on analytics).

Where’s the harm?

In the same guidance document, the ICO also states:

The ICO cannot exclude the possibility of formal action in any area. However, it is unlikely that priority for any formal action would be given to uses of cookies where there is a low level of intrusiveness and low risk of harm to individuals.

This sentence has been interpreted by some to mean analytics which cause low level intrusiveness, where a risk assessment has taken place and where measures have been taken to minimise harm, may be considered acceptable. Confused yet?

Where does Adtech fit in?

Also in 2019, the ICO launched a review into adtech and Real Time Bidding. This was designed to understand how the complexity of the adtech ecosystem presents a threat to the rights and freedoms of individuals.

It was particularly focussed on the compliant use of cookies – particularly 3rd party cookies. This review was paused during the pandemic but is up and running again now.

The more third-party cookies you deploy and the more sophisticated technology you use, the greater the risk of complaints to highlight your non-compliance.

In reality, though, the adtech cookie show has moved on. It’s likely 3rd party cookies will disappear by themselves as the browser companies stop supporting them. Google’s announcement to stop supporting third party cookies on Chrome in 2022 sounded the dead knell.

What do the public think?

Inevitably people have mixed feelings about cookies. There is increased public awareness about how we are tracked through websites, and some people are becoming savvier about how their data might be being used and shared.

Anyone can use a cookie scanner and check what cookies your website uses, and check whether you’re being open and upfront about what you do or not.

Equally there are others who really couldn’t care less.

What steps to take

Practically speaking it makes sense to share with consumers which cookies are deployed as well as what they are used for. Anyone without a cookie banner now needs to get their house in order. How rigorous your cookie notice is, is a matter of judgement, as well as a careful risk assessment.

In reality, businesses often find it hard to get organised with cookies because no one team manages them. In the short to medium term here are some pragmatic actions:

  • Understand what cookies are being placed on your website(s) – are they still used?
  • Make sure you have one central point to co-ordinate the management of cookies across the business
  • Categorise your cookies, so you can separate your strictly necessaries from your non-essentials
  • For any 3rd party cookies or other technologies make sure you have some oversight over what happens to the data that is captured from your site
  • For each cookie, review the retention periods and decide how long they should be kept for – some are defaulted to a surprisingly long time
  • Make sure your cookie notice is clear and up to date
  • Decide what level of technology is needed to manage your cookie consent – there are plenty of free consent platforms for small businesses so price is no reason not to

In conclusion providing no help for consumers to understand what cookies are used should be a thing of the past. How you interpret the ICO guidance is a matter of judgement and a risk assessment. So long as you carry out that assessment and are able to explain your decisions you are in a stronger position than if you did nothing.

EU ePrivacy Regulation: a significant step forward?

February 2021

Four years on from the first draft of the proposed ePrivacy Regulation and an impressive fourteen drafts later, is the end in sight?

This month saw a significant leap forward as the Council of the European Union reached agreement on a mandate for negotiating the final text with the European Parliament and European Commission.

Okay, ‘leap’ is probably being too dramatic! A significant milestone yes, but it’s still likely to take months before a final version can be agreed and adopted. And there’s plenty of room for the text to deviate from where we are now.

What is the ePrivacy Regulation?

Just to recap, the purpose of the ePrivacy Regulation is to overhaul the EU ePrivacy Directive of 2002 (and subsequent amendments) . This governs the processing of personal data and privacy with regard to electronic communications.

The current Directive, by its very nature is interpreted rather differently across EU Member States and gives us a myriad of rules to navigate if we want to communicate across Europe.

For example, the UK’s own law derived from the EU Directive is called the Privacy and Electronic Communications Regulations (known as PECR) and has different rules for electronic marketing than you’d find in Spain or Germany.

The aim of the new ePrivacy Regulation is to update the rules to reflect significant technological developments and to align these rules across the EU, alongside GDPR. No small task!

As a Regulation rather than a Directive, the hope is for harmonisation – the same rules across all EU Member States. Leaving less wriggle-room for individual Member States to interpret the rules in differing ways.

At a top-level, this complex new legislation sets out to cover areas such as:

  • Electronic communications to individuals (e.g. email, SMS and telephone marketing)
  • Protection of information on end-users’ devices (e.g. the use of cookies and similar technologies)
  • Electronic communications metadata, including geo-location data
  • Machine-to-machine communications

I remember reading concerns raised that many Data Protection Officers are unlikely to have sufficient knowledge and skills to understand the legislation fully due to it’s complexity.

Some believe this complexity means full agreement will be impossible to achieve, and that either the Regulation is doomed or it will emerge with a number of areas where individual Member States can still go their own way.

When could the ePrivacy Regulation be enforced?

Once finalised and adopted, it’s proposed there will be a two year transition period (like there was with GDPR) to give businesses time to prepare and comply with the new rules.

So, IF the Regulation was to be finalised later this year, it wouldn’t be enforced until 2023.

What about Brexit?

The UK, in theory, won’t have to adopt this EU Regulation. But in practice may decide it makes sense to implement it into UK law, so there is a parity with European counterparts.

It’s worth noting the Brexit trade deal commits both parties to upholding high standards of data protection.

Ultimately we’ll have to wait and see what stance the UK takes. Either way, a new EU Regulation would still impact, for example, on organisations that send electronic communications to EU citizens.

What else has been happening?

In an attempt to keep pace with the rapidly evolving tech landscape, the EU has already started to implement elements of the ePrivacy Regulation into other laws.

For example, since December 2020 the European Electronic Communications Code has required EU Member States to amend their telecommunications laws by expanding the definition of “”Electronic Communications Services” in to include so-called “Over-the-Top-Services” such as messaging services – such as WhatsApp or Zoom.

What are the next steps?

The Council of the EU, the European Parliament and the European Commission will now start trialogue negotiations to agree the final text.

The Council’s version of the current draft ePrivacy Regulation text can be found here and the press release here.


Data protection team over-stretched? Find out how we can support you with our no-nonsense, practical and flexible Privacy Manager Service.

UK Data protection and ePrivacy law post Brexit: Q&A

January 2021

To put it simply Brexit has not altered our general data protection obligations and responsibilities. The rules we need to abide by are essentially the same, but there are some aspects we need to be aware of (such as data transfers and representatives) and some details we should watch out for over the coming months.

Here’s a quick Q&A to answer some recent questions I’ve been asked:

1. Does GDPR still apply in the UK?

The ‘EU’ GDPR no longer applies in the UK, BUT…

a) GDPR has been retained in UK domestic law, renamed as ‘UK GDPR’. This means the key principles, rights and obligations remain the same. The UK now has the independence to keep this under review.

b) If your organisation offers good and services to EU citizens (or monitors their behaviour) EU GDPR will still apply to your handling of EU citizens data. This is because the territorial scope of EU GDPR extends beyond the European Economic Area.

2. Has the UK Data Protection Act 2018 changed?

The UK DPA 2018 remains in place and sits alongside UK GDPR. The legislation has been adapted to reflect the UK’s status outside the EU. A Keeling Schedule for the UK GDPR shows the amendments.

3. What about data transfers from the UK to the EEA, or elsewhere?

The UK Government says data transfers from the UK to the EEA can continue unrestricted for the time being.

Transfers to other countries may be subject to restrictions under UK GDPR. This essentially means, as you would have done in the past, you need to consider whether additional safeguard mechanisms are required. For more information see the ICO’s guidance on International Transfers after UK exit.

4. What about data transfers from the EEA to UK?

Outside the EU the UK becomes what is called a ‘third country’ and is subject to data transfer restrictions. However, under the Brexit trade deal, agreement has been reached whereby the UK will not be considered a ‘third country’ for up to four months, potentially extended to six months.

This allows more time for the European Commission to consider whether the UK can be granted ‘adequacy’.

If the UK is granted adequacy, transfers of data from the EEA to the UK will continue to flow freely with no requirement for additional safeguards – such as the use of EU Standard Contractual Clauses (SCCs). For more information see Brexit Deal and Data Transfers.

The ICO’s guidance on International Transfers after UK exit also covers considerations for transfers of personal data from non-EEA countries to the UK.

5. Do we need an EU Representative?

If you offer goods and services to EU citizens (or monitor their behaviour) you may need to appoint an EU Representative for data protection. If you are not sure if you fall under this requirement see Brexit: Do we need an EU representative?

6. Do we need a UK Representative?

It’s worth noting UK GDPR, like EU GDPR, has this extra territorial scope too – so if your organisation is based outside the UK, but offers goods and services to UK citizens (or monitors their behaviour) you may need to appoint a UK representative, if you don’t have an establishment within the UK.

Contact us if you would like to find out more about our UK Representative Service.

7. Do we need to update our privacy information or other documents?

You should update your privacy notices, data protection policies and processes to reflect changes in the UK data protection regime. In particular, you may need to change details in relation to international transfer arrangements.

It would also be a good idea to check any Data Protection Impact Assessments where international transfers are relevant.

If adequacy status is not granted, you may also need to review the data provisions in your contracts with EEA businesses. (Many organisations have already planned for the worst-case scenario and this is something the ICO still advising organisations to do).

8. Have marketing and cookie rules changed at all?

The simple answer is no. Marketing and cookie rules in the UK are governed by the Privacy and Electronic Communications Regulations (PECR). Based on an EU Directive these were enacted into UK law in 2003 (along with subsequent amendments), so remain in place. Recent changes made to reflect the UK’s status outside the EU are shown in a Keeling Schedule for UK GDPR.

If you target EU citizens online then country-specific marketing and cookie laws still apply.

9. Will the UK adopt the EU’s ePrivacy Regulation?

Remember this! Back in 2017 the first draft of a new ePrivacy Regulation was published, with the aim of bringing in updated and harmonised rules in tandem with GDPR (revising and expanding the scope of the EU ePrivacy Directive).

Fast-forward four years and the debate still continues, and an agreement has yet to be reach. The as yet an unanswered question is; will the UK adopt this new EU Regulation as and when it is agreed?

10. Is the UK’s data protection regime likely to diverge?

In theory the UK now has the independence to amend data protection legislation. However, the Brexit trade deal specifically mentions the EU and UK’s commitment to ensuring a high level of personal data protection and a willingness ‘to work together to promote high international standards’.

Furthermore, if the UK makes any changes to its data protection regime in the coming months, including Privacy and Electronic Communications Regulations, the arrangement whereby the UK is not yet considered a ‘third country’ for data transfers will automatically end and restrictions on transfers will be imposed. 

It seems unlikely the UK will want to rock the ‘data boat’ right now, if it hopes to be granted adequacy by the European Commission. What will be interesting, is the fallout if the EC does NOT grant adequacy to the UK. My hope is this will run smoothly, but until the ink is set, we just don’t know.


Data protection team over-stretched? Find out how we can support you with our no-nonsense, practical and flexible Privacy Manager Service.

Seven Step Ad Tech Guide from DMA and ISBA

May 2020

The DMA and ISBA guide for marketers and advertisers to help navigate through the complexity of handling personal data in Ad Tech.

This guide was written in response to the ICO’s Ad Tech Update which looked into how data was used in auction style Real Time Bidding.

The ICO had identified a number of concerns relating to the protection of the rights of data subjects through the use of Real Time Bidding (RTB) in the programmatic delivery of digital advertising.

As background for the uninitiated, the majority of digital advertising is delivered programmatically (through automation) via a variety of methods including Real Time Bidding (RTB).

RTB is defined as the delivery of programmatic advertising by a real-time auction method. To support this process, there are a myriad of technology solutions (Ad Tech) providers who enable advertisers to identify and target recipients of advertising delivered in real time.

The guide written in collaboration with the DPN and PwC UK, aims to support UK businesses actively engaged in the programmatic delivery of digital advertising to ensure they protect the rights of data subjects.

It is a practical guide to the seven steps participants can take to ensure they adhere to the legal requirements and demonstrate their understanding of the regulator’s concerns. The DMA and ISBA were able to consult with ICO during the development of the guide.

It’s designed as a reference with clearly defined sections allowing readers to read the whole document or dip in as the need arises. Where suppliers are mentioned these are noted as examples and are not recommendations.

This guidance is divided into seven clear steps:

1. Education and Understanding – a comprehensive introduction to cookies and programmatic advertising with a detailed glossary of terms.

2. Special Category Data – the ICO highlighted the importance of treating special category data with care and this section steps you through its definition and usage.

3. Understanding the Data Journey – a key challenge is being able to track how data is captured and who processes it. This section explains how to complete a Record of Processing Activities as well as introducing the IAB’s Transparency and Consent Framework.

4. Conduct a DPIA (Data Protection Impact Assessment) – the ICO noted the limited use of DPIAs in Ad Tech. This section sets out to explain what it is, when to use it as well as some pointers to what questions to ask.

5. Audit the Supply Chain – the ICO highlighted that you cannot rely on contracts to provide assurance around the use of personal data. This section provides audit check lists and questions you need answered when auditing suppliers.

6. Measure Advertising Effectiveness – the ICO have queried whether it’s necessary to use all the data collected through Ad Tech platforms. This section provides links to reference materials for improving insights into advertising effectiveness to allow for a proportionate approach to using personal data.

7. Alternatives to Third Party Cookies – what does a post third-party cookie world look like? This section provides some suggestions about alternative methods of targeting including the adoption of contextual targeting. It also provides references to some industry initiatives which are exploring different ways of targeting in a less intrusive manner.

See the full 7 Step Ad Tech Guide