The Privacy and Electronic Communications Regulations ("PECR") sit alongside the Data Protection Act 2018 and the UK GDPR. They give people specific rights in relation to the receipt of electronic communications, as well as the use of cookies and similar technologies.
A cookie is a small text file that is downloaded onto a device such as a computer or smartphone when the user of that device accesses a website. It allows the website to recognise that user’s device and store some information about the user’s preferences or past actions.
Unless an exemption applies, PECR requires those using cookies to follow these basic rules:
- say that cookies will be used;
- include a list of cookies that will be used;
- explain what those cookies will do and why;
- list the categories of third parties who may process information stored in those cookies;
- set out the duration for which the cookie will be stored; and
- obtain prior consent from each user to the use of cookies.
PECR sets out two exemptions to these rules: the communications exemption and the strictly necessary exemption. In short, the rules do not apply to cookies used solely to transmit a communication over a network, or to cookies that are strictly necessary to provide a service the user has explicitly requested (for example, a session cookie that keeps a user logged in, or a cookie that holds the contents of a shopping basket). The exemption is narrow: a cookie that is merely useful to the website operator, such as an analytics or advertising cookie, is not "strictly necessary" in this sense and still requires prior consent.
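As an added illustration (example code written for this page, not the ICO's guidance or any vendor's code), the following shows how the rules above translate into a consent gate: cookies are classified up front, strictly necessary ones can always be written, everything else only after an affirmative choice, and withdrawing consent deletes what was already set. The cookie names, category labels, registry entries and the in-memory store are assumptions made for the example; in a browser the store would wrap document.cookie.

```javascript
// Added example (not from the original article, the ICO or any vendor):
// a minimal consent gate implementing the PECR cookie rules.
// Cookie names, categories and the in-memory store are assumptions.

const COOKIE_REGISTRY = [
  { name: "session_id",    category: "strictly_necessary", purpose: "keeps the user logged in",                thirdParties: [],                   maxAgeSeconds: null },
  { name: "basket",        category: "strictly_necessary", purpose: "remembers items added to the basket",      thirdParties: [],                   maxAgeSeconds: 3600 },
  { name: "_analytics_id", category: "analytics",          purpose: "distinguishes visitors in traffic stats",  thirdParties: ["analytics vendor"], maxAgeSeconds: 2 * 365 * 86400 },
  { name: "ad_profile",    category: "advertising",        purpose: "builds an interest profile for adverts",   thirdParties: ["ad network"],       maxAgeSeconds: 390 * 86400 },
];

// Categories a user can consent to; strictly necessary cookies are outside consent.
const CONSENT_CATEGORIES = ["analytics", "advertising"];

// Stand-in for document.cookie so the example runs outside a browser.
function createMemoryStore() {
  const jar = new Map();
  return {
    set: (name, value) => { jar.set(name, value); },
    remove: name => jar.delete(name),
    has: name => jar.has(name),
    names: () => [...jar.keys()],
  };
}

class ConsentGate {
  constructor(store, registry = COOKIE_REGISTRY) {
    this.store = store;
    this.registry = new Map(registry.map(c => [c.name, c]));
    this.choices = null; // null: no decision yet, so no non-essential cookie may be set
  }

  // Information for the banner: name, purpose, third parties and duration per cookie.
  disclosures() {
    return [...this.registry.values()].map(c => ({
      name: c.name,
      category: c.category,
      purpose: c.purpose,
      thirdParties: c.thirdParties,
      duration: c.maxAgeSeconds === null ? "session" : `${c.maxAgeSeconds} seconds`,
    }));
  }

  // "Accept all" and "Reject all" are equally easy: one call each.
  acceptAll() { this.setChoices(Object.fromEntries(CONSENT_CATEGORIES.map(c => [c, true]))); }
  rejectAll() { this.setChoices(Object.fromEntries(CONSENT_CATEGORIES.map(c => [c, false]))); }

  setChoices(choices) {
    // Consent is opt-in: any category not explicitly set to true is refused.
    this.choices = Object.fromEntries(CONSENT_CATEGORIES.map(c => [c, choices[c] === true]));
    // Withdrawal of consent: delete cookies that are no longer permitted.
    for (const name of this.store.names()) {
      if (!this.canSet(name)) this.store.remove(name);
    }
  }

  canSet(name) {
    const c = this.registry.get(name);
    if (!c) return false;                              // undeclared cookie: never set
    if (c.category === "strictly_necessary") return true;
    return this.choices !== null && this.choices[c.category] === true;
  }

  // Returns true if the cookie was written, false if the gate refused it.
  setCookie(name, value) {
    if (!this.canSet(name)) return false;
    this.store.set(name, value);
    return true;
  }
}
```

The design point is that the default state (no decision yet) refuses every non-essential cookie, so an analytics or advertising script that fires before the user has interacted with the banner is blocked rather than relying on the banner being dismissed.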
ICO's enforcement actions
In November 2023, the ICO released a statement explaining that it had written to 53 of the top UK websites, warning them of potential enforcement action for non-compliance with PECR and the UK GDPR in relation to advertising cookies. In January 2024, the ICO reported that 38 of the 53 organisations had changed their cookie banners to be compliant, and that several others were working on alternative solutions. The ICO also indicated that it is developing an AI tool to help identify websites with non-compliant cookie banners. The ICO is proactively encouraging organisations to ensure compliance promptly to avoid regulatory enforcement.
Cookie complaints and regulatory enforcement
While the rules relating to the use of cookies and similar tracking technologies in the UK and EU are long established, it is only in recent years that data protection authorities ("DPAs") have focused specifically on cookie-related compliance. This focus can in part be seen as a response to increasing complaints from data subjects and to concerted efforts by privacy activists calling for stricter regulation and enforcement.
Note on cookie complaints: Cookie complaints are a powerful tool for individuals to exercise their rights and hold organisations accountable for their data protection practices. Individual users have the right to complain if they suspect that a website's use of cookies does not comply with the law, and NOYB (the non-profit privacy advocacy organisation founded by Max Schrems) has gone further by running a number of impactful "cookie complaint campaigns". In response to the increasing number of complaints about cookie banners, the European Data Protection Board established a Cookie Banner Taskforce in September 2021.
We have set out a timeline of the recent cookie-related developments below, but for a more detailed overview, in particular in relation to the key cookie enforcement actions and NOYB's cookie complaint campaigns to date, please see our blog post.
A number of key themes have emerged from these recent cookie-related developments. As a result, organisations should take steps to ensure:
Spotlight on Google Analytics
Google Analytics is a web analytics service offered by Google that tracks and reports website and mobile app traffic and events. Following the Schrems II judgment, in which the CJEU invalidated the EU-US Privacy Shield, NOYB filed complaints against 101 European organisations, questioning the lawfulness of transfers of EU personal data to Google and Facebook in the US that resulted specifically from the use of cookies. In response to these complaints, various European supervisory authorities investigated Google's data transfer practices.
In 2022, the Austrian supervisory authority was the first to issue a decision on Google Analytics, ruling that the transfer to, and storage and processing in, the US of personal data collected through its cookies breached Article 44 GDPR. The French, Italian and Finnish supervisory authorities, among others, later reached similar conclusions and ruled against the use of Google Analytics in the configurations they examined.
While the ICO did not take any action, we would have expected its position to be consistent with that of the European supervisory authorities referred to above. However, now that the EU-US Data Privacy Framework and its UK Extension (the UK-US "data bridge") are in place, it is unlikely that the supervisory authorities would reach the same decision today, at least for transfers to organisations certified under the framework.
Our key takeaways from these decisions are as follows:
- Personal data collected through cookies (e.g., cookie identifiers) is still personal data even where the website operator cannot itself tie it to a named individual: an identifier that singles out a particular browser or device, and can be combined with other data, is enough.
- While correctly implementing Google Analytics' IP anonymisation function pseudonymises IP addresses, Google's technical capabilities allow it to link the pseudonymised data with other identifiers (such as the client ID stored in the analytics cookie and browser characteristics), so the transfer of pseudonymised data is still an international transfer of personal data. Note also that Google's own documentation describes the truncation as taking place in memory on its collection servers, so the full IP address has already been transmitted before it is shortened.
- It is not possible to circumvent the issue of data transfers to the US by entering into contracts with Google Ireland (as opposed to Google LLC) because of the intra-group sharing of data within Google (acknowledged in the Google Ads Data Processing Terms).
- The supplementary technical measures put in place by Google, in addition to the EU Standard Contractual Clauses, were not enough to offer adequate protection for transferred EU personal data. With the introduction of the EU-US Data Privacy Framework, this may no longer be an issue.
- An organisation is unlikely to be able to rely on data subjects' explicit consent to the international transfer of their personal data to Google, as many supervisory authorities treat the Article 49 GDPR derogation as applicable only to occasional, non-systematic transfers; it cannot be relied upon as standard practice for a tool that runs on every page view.
- Organisations should consider EEA-based alternative providers of similar solutions.
While the EU supervisory authority decisions did not entirely prohibit the use of Google Analytics, it was not clear what technical measures would be sufficient to mitigate the risks identified, meaning that many organisations stopped using Google Analytics altogether in selected UK / EEA jurisdictions.
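To make the second and third takeaways above concrete, here is an added example (written for this page, not Google's code) that applies the truncation Google documents for Universal Analytics' IP anonymisation setting (the last octet of an IPv4 address set to zero, the last 80 bits of an IPv6 address set to zero) to a few constructed hit records, then links those records by the client identifier that the analytics cookie carries. It goes slightly beyond the text by handling IPv6 as well as IPv4. The hit records, cookie values and field names are constructed for the example and are not real analytics data.

```javascript
// Added example (not from the original article or from Google): what GA-style
// IP "anonymisation" does to an address, and why records that still carry a
// persistent client identifier remain linkable. Sample hits are constructed.

function truncateIPv4(ip) {
  const parts = ip.split(".");
  if (parts.length !== 4 || parts.some(p => !/^\d{1,3}$/.test(p) || Number(p) > 255)) {
    throw new Error("invalid IPv4 address: " + ip);
  }
  parts[3] = "0"; // last octet zeroed, as Google documents for anonymizeIp
  return parts.join(".");
}

// Expand an IPv6 address (with at most one "::") into eight numeric hextets.
function expandIPv6(ip) {
  const halves = ip.split("::");
  if (halves.length > 2) throw new Error("invalid IPv6 address: " + ip);
  const parse = s => (s === "" ? [] : s.split(":").map(h => {
    if (!/^[0-9a-fA-F]{1,4}$/.test(h)) throw new Error("invalid IPv6 address: " + ip);
    return parseInt(h, 16);
  }));
  const head = parse(halves[0]);
  const tail = halves.length === 2 ? parse(halves[1]) : [];
  const missing = 8 - head.length - tail.length;
  if (missing < 0 || (halves.length === 1 && missing !== 0)) {
    throw new Error("invalid IPv6 address: " + ip);
  }
  return [...head, ...new Array(missing).fill(0), ...tail];
}

function truncateIPv6(ip) {
  const hextets = expandIPv6(ip);
  for (let i = 3; i < 8; i++) hextets[i] = 0; // keep 48 bits, zero the last 80
  return hextets.map(h => h.toString(16)).join(":");
}

function anonymiseIp(ip) {
  return ip.includes(":") ? truncateIPv6(ip) : truncateIPv4(ip);
}

// Constructed sample hits (documentation IP ranges, made-up client IDs in the
// "GA1.2.<random>.<timestamp>" shape the _ga cookie uses). The first two hits
// come from the same browser on two different networks.
const SAMPLE_HITS = [
  { ip: "203.0.113.57",  clientId: "GA1.2.1234567890.1700000000", page: "/pricing",  ts: 1700000100 },
  { ip: "192.0.2.140",   clientId: "GA1.2.1234567890.1700000000", page: "/checkout", ts: 1700003600 },
  { ip: "198.51.100.23", clientId: "GA1.2.0987654321.1700000500", page: "/",         ts: 1700000500 },
];

// What the collector holds after IP truncation: everything else is untouched.
function truncateHits(hits) {
  return hits.map(h => ({ ...h, ip: anonymiseIp(h.ip) }));
}

// Group by the persistent identifier. Truncating the IP did not stop the two
// hits from the same browser being joined into a single visitor journey, which
// is why the data is pseudonymised, not anonymised.
function linkByClientId(hits) {
  const journeys = new Map();
  for (const h of hits) {
    if (!journeys.has(h.clientId)) journeys.set(h.clientId, []);
    journeys.get(h.clientId).push(h.page);
  }
  return journeys;
}
```

Calling linkByClientId(truncateHits(SAMPLE_HITS)) yields two journeys, one of which contains both the /pricing and /checkout hits even though their truncated IPs differ; the client ID, not the IP, is what carries the linkability.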
Reform on the horizon?
Although the Data Protection and Digital Information Bill fell when Parliament was dissolved on 30 May 2024 ahead of the UK general election, organisations should still review their current cookie practices in light of the ICO's efforts to enforce cookie banner compliance. In particular, organisations should ensure that their cookie banner offers a "Reject All" option that is as prominent and as easy to use as "Accept All", as this is a particular focus for the ICO.