Dispelling the myths about Cookies
February 03, 2021
On 22 Jan 2021, the ICO announced the reignition of their adtech investigations. Simon McDougall, ICO Deputy Commissioner - Regulatory Innovation and Technology, said “Our work will continue with a series of audits focusing on digital market platforms and we will be issuing assessment notices to specific companies in the coming months.”
One likely key area of focus is cookies. Some hints on what the ICO will look for can be learned from recent enforcement action by the French data protection regulator (the CNIL) (see our related blog). The CNIL indicated that the fines were issued because of: failure to obtain consent prior to cookies being deployed, failure to provide sufficient information about those cookies and, in one case, continuing to use advertising cookies even when the user had rejected their use.
These are not the only requirements when it comes to the use of cookies. Our objective is to answer the questions about cookies that keep coming up. Let’s start off by dispelling some of the common myths about cookies.
Myth No 1 - It’s the ‘Cookie Law’.
The EU Privacy and Electronic Communications Directive 2002 (the E-Privacy Directive) was implemented into UK law by the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR).
PECR covers a number of things, including the process of writing information to and/or accessing information from a user's device: ‘...a person shall not use an electronic communications network to store information, or to gain access to information stored, in the terminal equipment of a subscriber or user unless ...’
The term ‘cookie law’ arose in 2012 because cookies were the technology most frequently used to write to / read from a user's device. The word ‘cookie’ is not mentioned in the PECR text even once.
We use the word cookies in this blog as an umbrella term to cover all technologies in scope.
Myth No 2 - The law only applies to cookies
PECR applies to any technology that stores or accesses information on a user’s device; it is not limited to cookies. For example, it can include HTML5 local storage, Local Shared Objects, fingerprinting techniques, scripts, tracking pixels and plugins.
Myth No 3 - The law only applies to websites
The law is silent about where cookies or similar technologies are used. Websites, mobile apps and emails (where, say, tracking pixels are used to record information including the time, location and operating system of the device used to read the email) are all covered.
Myth No 4 - The law only applies to personal data
Again, the law is silent about what type of data is read or written. Both personal and non-personal data fall within scope.
Myth No 5 - Continuing to use a website is a valid form of consent
PECR requires that individuals consent to any process which stores or accesses information on their device. There is no definition of consent given in PECR. Instead, the UK GDPR definition of consent applies: it must be freely given, specific, informed and unambiguous. Wording such as ‘...by continuing to use our site you consent to our use of cookies’ doesn’t fit the bill.
If you want to know more, please get in touch; we’d love to talk with you.