What does the Cookie Law mean for Marketers?
Cookie law has seen a lot of changes recently, although some people would argue that they’re not really changes, just tightening up the rules slowly. So we asked John Mitchison, Director of Policy and Compliance at the DMA, to explain the legal side of things. As well as the blunt facts of what the law says, John shares some examples of how you can work with the law to get the best practice out of it.
- What are cookies?
- Cookies and the GDPR
- The GDPR and PECR
- Consent for Cookies
- What does consent look like in practice?
- When is a cookie not a cookie?
- Enforcement of the Cookie Law
- The e-Privacy Regulation
- What about Brexit?
What are cookies?
The proper definition of a cookie, as we use the term for websites, marketing and email, is a small text file created by a website and stored either temporarily or permanently, which gives the website a way to recognize you and keep track of your preferences. That all sounds pretty straightforward, and of course everybody is used to getting cookie notices and information about cookies when they visit websites. This is an actual example of a cookie from Amazon:
session-id-time 954242000 amazon.com/
session-id 002-4135256-7625846 amazon.com/
x-main [email protected] amazon.com/
ubid-main 077-9263437-9645324 amazon.com/
It stores quite a lot of information: there's a personal code in there, a session ID, and some other details.
Cookies and GDPR
So when we're thinking about cookies, your natural inclination is to think about GDPR, the General Data Protection Regulation, which relates to all personal data. But the GDPR doesn't say anything in particular about cookies; it just focuses on personal data. So you have to ask yourself "Is a cookie a piece of personal data?", and if it can identify an individual, then it is going to be classified as personal data. In almost all cases, I think cookies could be described as personal data: they all come back to having some sort of identifier in there that points to an individual, whether it's an IP address or something else. So you are going to have to take GDPR into consideration. The first thing you then have to think about is which legal ground is best for processing that little piece of personal data. And as with most things in marketing and GDPR, the two legal grounds you have to choose from are Consent and Legitimate Interest.
GDPR and PECR
GDPR has a place, but the primary piece of legislation to think about with cookies is PECR. PECR stands for the Privacy and Electronic Communications Regulations, and it's the UK implementation of the e-Privacy Directive from 2003. Just like GDPR, it doesn't specifically mention cookies, but it describes the sort of things that cookies do. And it covers not just cookies but things that work a little bit like cookies, so anything you might describe as a beacon or a tag, or even device fingerprinting, comes under the heading of "cookies and similar technologies", as it has come to be described. PECR applies whenever anybody stores information on a user's device or gains access to information on a user's device. The classic use of a cookie is when you go to a website and the website puts a cookie on your browser so that it can recognize you when you come back. Putting a piece of information there, and then reading it when that person returns to the website, is exactly what PECR is talking about when it refers to placing or reading information on a person's device. And PECR says you have to have consent, and the level of consent required is the level of consent described in GDPR. So it has to be specific, it has to be in the form of a positive action and it has to be unambiguous: you have to describe the kind of thing the cookie does, how it will be stored, whether it's going to be shared with anybody, and other information as well. You really have to consider that people might not understand cookies, and explain to them exactly what's going on.
Consent for Cookies
Now, I said that you need consent. And you do need consent for pretty much all cookies except those that are strictly necessary. When the legislation describes "strictly necessary", it's quite a narrow definition. So if your cookie is there for the purposes of aiding the transmission of information, for some sort of security purpose, or for a service that a person has specifically requested, then you don't need that opt-in level of consent. But for anything else you do, and that covers pretty much everything else we do with cookies. So, whether it's recognizing somebody when they come back, saving their preferences, personalizing the website, or even something as benign as analytics, all cookies of that kind are going to require consent. And it's a GDPR level of consent: you have to explain what the cookie does, how long it will be stored, and how it will be used and shared. Analytics is not described as strictly necessary. It's obviously a very beneficial thing, but your website would work without that analytics cookie, and therefore it's not strictly necessary.
What does Consent look like in practice?
If you want to see an example of a fully compliant cookie application, I always use the ICO’s website, this is possibly the simplest cookie banner that you could imagine.
Now, this is pretty much an example of how not to do it. So, you can see here the Daily Mail’s page.
I've got the cookie banner at the bottom, which is pretty much weighted towards me saying "yes". That green "got it" button is sticking out there, and if I want to change any settings, obviously I have to go to cookie settings. And if you do follow that through, it's a very complicated process of selecting, from hundreds of different people the data is shared with, whether or not you want to share it with them. So, I can imagine that almost everybody just clicks "got it" and carries on reading their article.
But the most important thing here is, I use a little utility on my browser called Ghostery, and Ghostery tracks any cookies that are put down and you can choose whether to accept them or get rid of them.
And you can see here that even before I'd touched that cookie banner, so before I'd said "yes" or "no" to any cookies, this website had already placed nine cookies on my browser. That makes a bit of a mockery of my having the choice of whether they're there, because they were put there before I even said "yes" or "no".
Now here’s an example that is quite easy.
You've got everything in one place. You can choose to just click one of the three buttons there: "Use necessary cookies only", "Allow the selection" (which at the moment is set to necessary only) or "Allow all cookies". You can pick and choose exactly what you want there. And if you want more details, there's a little drop-down at the side. So, that's quite good, and I've seen that on a number of websites recently.
This is an excellent example, I really like this.
This comes in two stages. You've got the little banner that comes up at the bottom of the website, with three options. Again, you can customize the cookies, or you can "disable all" or "allow all". If you go into the Customize section, you can see that you're given a little bit of a description about each cookie and what it does, and a choice of where to put the slider. And at the moment, all of those sliders are set in the negative position, which is what you'd expect in a fully-compliant consent arrangement.
This is another, similar kind of thing.
This seems to be using the same kind of software as the ICO. And again, sliders in the “off” position. They’re using just marketing and analytics cookies on this particular site.
This isn’t a great example, but I sort of like it.
Because when you go to the cookie settings, it gives you quite a lot of information about each individual cookie and what's going on, and then a choice of what to do about it. Obviously, the initial choice about whether to accept or decline the cookies is not great, because you've just got the "accept all the settings" option; you haven't got a decline option. But it's quite interesting for those people, probably like me, who like to read a little bit about what's going on behind the scenes.
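To make the rules above concrete (strictly-necessary cookies exempt, every optional category starting "off", and nothing optional written before the visitor has chosen, which is exactly what the Ghostery check showed being violated), here is an added example of a consent-gated cookie helper. It is not code from the DMA, the ICO or any site discussed above; the cookie names, categories and the plain-object "jar" standing in for the browser cookie store are assumptions for illustration.

```javascript
// Added example (not from the DMA, ICO or any site discussed above).
// A consent-gated cookie helper: only "necessary" cookies may be written
// before the visitor has chosen, every optional category starts "off", and
// an audit function flags cookies present before consent was given.
// Cookie names and categories are constructed for illustration.
const NECESSARY = "necessary";
// Registry of every cookie the site may set, tagged with its purpose.
// A name not listed here is refused outright.
const REGISTRY = {
  "session-id": { category: NECESSARY, purpose: "keeps you signed in during the visit" },
  "csrf-token": { category: NECESSARY, purpose: "protects forms against forgery" },
  "_analytics": { category: "analytics", purpose: "counts page visits" },
  "_ads-id":    { category: "marketing", purpose: "personalises adverts" },
};
class ConsentManager {
  // `jar` is a plain object standing in for the browser's cookie store.
  constructor(jar = {}) {
    this.jar = jar;
    // Every optional category defaults to the "off" position.
    this.consent = { analytics: false, marketing: false };
  }
  // Only an explicit `true` counts as consent; anything else stays refused.
  recordChoice(choices) {
    for (const cat of Object.keys(this.consent)) this.consent[cat] = choices[cat] === true;
    // Remove cookies whose category has just been refused or withdrawn.
    for (const name of Object.keys(this.jar)) {
      if (!this.isAllowed(name)) delete this.jar[name];
    }
  }
  isAllowed(name) {
    const meta = REGISTRY[name];
    if (!meta) return false;
    return meta.category === NECESSARY || this.consent[meta.category] === true;
  }
  // Returns true if the cookie was written, false if consent is missing.
  set(name, value) {
    if (!this.isAllowed(name)) return false;
    this.jar[name] = value;
    return true;
  }
}
// Audit: given the cookies present before the banner was touched, return the
// ones that are not strictly necessary (the check Ghostery made visible above).
function auditPreConsentCookies(cookieNames) {
  return cookieNames.filter((n) => !REGISTRY[n] || REGISTRY[n].category !== NECESSARY);
}
```

A real deployment would wire `jar` to the browser's cookie store and read the visitor's saved choice back on each visit; the gating logic stays the same.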
When is a cookie not a cookie?
Now, it was just a week or so ago, this article came up on the BBC website about “spy pixels” in emails.
And it’s a little bit sensationalist. I mean, to call it a “spy pixel” suggests all kinds of nasty things that are going on. But really, what they’re identifying here is the use of the little invisible GIFs that are included in emails, open tracking pixels, whatever you call them, that basically just let the sender know a little bit about what’s happened to their email, whether it’s been opened or read, or whatever.
Now, as I said, a cookie isn't always just a cookie; it's not always just that little bit of information that we saw earlier on. Something like an email pixel is a similar technology, and therefore it does fall under these rules. It does technically mean that you would have to ask separate permission to include a tracking cookie in any emails that you send. And I know that this is very, very difficult. I know that there are a lot of email service providers that include this as just part of the service they offer. It's difficult to turn off, and I don't know of any service provider that would allow you to turn it off on an individual basis, so that some people got the pixel and some people didn't. But I'll come on and talk about how to deal with this in just a sec.
Enforcement of the Cookie Law
But the DMA has also produced a guide to cookies, which has a number of examples in there. And it’s a bit more of a how-to guide than a how-not-to guide.
The e-Privacy Regulation
Now, I just want to talk a little bit about the e-Privacy regulation. The e-Privacy regulation has been in the pipeline for quite some time now. And originally, it was meant to come into force at the same time as GDPR, because GDPR and the e-Privacy regulation work hand in hand in a number of instances. But it’s taken a lot longer to get it through the European legislative process than we expected. So the e-Privacy Regulation, which is still under negotiation at the moment, will replace the current e-Privacy Directive. And in the UK, that directive was implemented as the Privacy and Electronic Communications Regulations.
Now, to get legislation through in the EU, there are basically three bodies: the European Commission, the Council of the European Union and the European Parliament. They come up with a draft text each, and then they basically lock themselves in a room and there's this big horse-trading session. So they take the three drafts of the text and go into a negotiating session where they'll trade one thing for another and come out with a final version. Now, as I said, this should have been implemented way back in 2018; it's been dragging on for quite a while. We finally have the three versions now, and they will be able to start their three-way negotiation, which is called trilogue. The final version of the new e-Privacy Regulation will likely be ready by the end of the year, and then there will be a two-year implementation period.
What about Brexit?
Now, the thing about something like e-Privacy is that the E stands for European, and the UK is no longer in the EU. So we will have to see how the UK Government deals with this. We haven't quite received a full thumbs up on our data adequacy agreement. When we left the EU, the UK wanted the EU to recognize that its data protection legislation was equivalent to that in the EU, and therefore that we could just continue exchanging data between the UK and the EU unhindered. They're still going through that process, but it's looking quite positive at the moment. There are a few people who are trying to throw a spanner in the works by saying that the UK isn't really the same as the EU, but I think the probability is that we will get that adequacy decision.
Who is John Mitchison
John Mitchison is Director of Policy and Compliance at the DMA. Before his 12 years working at the DMA, he managed large data campaigns and daily data clients for Axiom. Before that, he worked at The Daily Telegraph running marketing campaigns using their data, which was very interesting.
Who are the DMA?
The DMA is the largest marketing and advertising group in Europe, with about 1000 members split pretty much equally across brands, agencies, and suppliers. It supports its members with a number of products and services. It bases everything it does around its code of practice, which all of its members have to show that they come up to the standard of. It produces best practice guides, content and thought leadership from councils, which are made up of specialists from the membership.