Cookie D’oh!

With the news that the changes to ePrivacy law have now been delayed until 2020, now is a good time to evaluate whether your organisation’s practices are already in line with existing electronic privacy law.

The ePrivacy Regulation is likely to strengthen the current provisions of PECR in similar ways to which GDPR strengthened previous data protection law – with greater requirements for accountability, restrictions on activities which could have a high impact on rights and freedoms, and harsher penalties for contravention.

These days, thanks to the raising of the data protection profile, many people are familiar with PECR (the Privacy & Electronic Communications Regulations 2003) as it relates to electronic marketing. However, although most people are aware of (and frustrated by) annoying ‘cookie consent’ banners on websites, they may not realise that this feature also arose from PECR – or that the way that many of these banners operate is contrary to what PECR actually requires.

What does PECR say?

Confidentiality of communications

6. … a person shall not use an electronic communications network to store or access information in the terminal equipment of a subscriber or user unless the requirements of paragraph (2) are met.

(2) The requirements are that the subscriber or user of that terminal equipment—

(a) is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and

(b) has given his or her consent.

What does this mean?

It means that if you are doing anything which alters or accesses someone else’s device over the Internet, you need to get their permission first. Some examples of this include:

  • Setting/updating/referencing cookies when someone visits your website
  • Putting tracking code/content in marketing emails to find out whether they are being opened
  • Collecting data from devices which have your app installed

There are exceptions to this – if access or alteration is strictly essential in order for the service to function or for a feature requested by the user to be enabled, then consent is not required – although a clear explanation of the access/alteration is still necessary.

How does this relate to website cookies?

Website cookies are like ‘virtual stickers’ which are placed on your device. They allow web servers to identify you as a unique user of the site, or identify your specific activity across multiple websites. Each ‘sticker’ (cookie) will have a reference number in it which is unique to your user profile.

When you accept a cookie, you are allowing the server to send you this file, which is then stored on your device. When you visit other pages on the site, or other sites associated with the cookie, the server reads the cookie to work out which user you are.

This can be used for a number of purposes, some benign and innocuous, others more intrusive and disturbing.

Cookies themselves are text files which don’t actually do anything to your device, but because they are placed on your device and accessed by web servers, they fall within Regulation 6 of PECR.

Email tracking

Another feature covered by PECR is the use of ‘web bugs’ or ‘beacons’ for marketing email analytics. These are usually tiny image files which are loaded by your email software from a remote server when an email sent from a bulk mailing platform is opened. The remote server keeps a log of where the requests to load the images originated from and this allows the sender of the email to track whether emails have been opened, by whom, on what type of email software or device, and approximately where (geographically) the email recipient is. This data is used to measure the success of email engagement across campaigns, identify non-responsive recipients, and profile individual recipients.

Because this approach places an image file on the recipient’s device, it also falls under PECR Regulation 6, and therefore would require consent in order to be done lawfully.
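The mechanism described above can be checked from the recipient's side. The following is an added example, not code from the original article: it scans the HTML of a marketing email for images that look like beacons (remote images that are 1x1 or hidden, or that carry query-string identifiers the server could tie to one recipient). The sample message, the hostnames and the recipient identifier in it are all constructed for illustration, and the size/visibility/query rules are heuristics rather than a definitive test.

```python
"""Find likely email tracking beacons ('web bugs') in message HTML.

Added illustration, not the article's own code. SAMPLE_EMAIL_HTML and the
hostnames in it are constructed for this example.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

# Constructed sample: one ordinary content image and one tracking pixel.
SAMPLE_EMAIL_HTML = """<html><body>
<p>Hello,</p>
<img src="https://cdn.example.com/logo.png" width="200" height="60" alt="logo">
<p>See our latest offers.</p>
<img src="https://track.example.net/open?rid=a1b2c3d4&c=spring" width="1" height="1" style="display:none" alt="">
</body></html>"""


class _ImgCollector(HTMLParser):
    """Collects the attributes of every <img> tag in the document."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            self.images.append({k.lower(): (v or "") for k, v in attrs})


def _is_tiny(value):
    """True for a width/height attribute of 0 or 1 (optionally suffixed 'px')."""
    try:
        return int(value.strip().rstrip("px")) <= 1
    except ValueError:
        return False


def find_beacons(html):
    """Return a list of suspected beacons with the reasons each was flagged."""
    collector = _ImgCollector()
    collector.feed(html)
    findings = []
    for img in collector.images:
        src = img.get("src", "")
        # Inline (cid:/data:) images never contact a server, so they cannot report an open.
        if not src.startswith(("http://", "https://")):
            continue
        reasons = []
        if _is_tiny(img.get("width", "")) and _is_tiny(img.get("height", "")):
            reasons.append("1x1 image")
        if "display:none" in img.get("style", "").replace(" ", ""):
            reasons.append("hidden by CSS")
        if parse_qs(urlparse(src).query):
            reasons.append("query parameters (possible per-recipient identifier)")
        if reasons:
            findings.append({"src": src, "host": urlparse(src).hostname, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_EMAIL_HTML):
        print(hit["host"], "->", ", ".join(hit["reasons"]))
```

Run against a real message, the host column tells you which mailing platform is doing the logging, which is the information an audit (or a recipient's privacy notice) needs to name.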

What kind of consent?

It’s worth noting that this is consent for ‘allowing cookies or other tracking technologies to interact with your device’, which is a different activity to ‘processing personal data’. Setting a cookie or a web bug is not processing personal data in itself and there is still some uncertainty as to whether the definition of ‘consent’ in PECR has been updated by the GDPR to mean ‘informed, freely-given, specific and unambiguous’. At the very least, the end user must have been presented with clear information and a genuine choice before cookies or web bugs are set or accessed.

If the purpose of the tracking is to generate data for personalisation, analytics, or profiling then personal data will be processed eventually. If the tracking, analytics or profiling are for marketing or advertising purposes then it is likely that the only lawful basis available for this processing will be GDPR-standard consent.

Placing cookies or trackers before asking the user’s permission is a breach of Regulation 6, as is making statements such as “by continuing to use this site, you consent to…”. A positive indication of consent is required before any non-essential cookies or trackers can be enabled.
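What a positive indication of consent looks like in server code, as an added example that is not from the original article: the site always sets its strictly necessary session cookie, records the user's banner choice (accept or refuse) in a consent cookie, and only emits the non-essential analytics cookie once an explicit "yes" is on the request. The absence of a consent cookie ("by continuing to use this site") is treated as no consent. The cookie names `sessionid`, `cookie_consent` and `_analytics` are assumptions chosen for illustration.

```python
"""Consent-gated cookie setting.

Added illustration, not the article's code. Cookie names are assumptions.
"""
from http.cookies import SimpleCookie
import secrets

ESSENTIAL = {"sessionid"}       # strictly necessary: may be set without consent
NON_ESSENTIAL = {"_analytics"}  # needs a positive indication of consent first


def parse_cookie_header(header):
    """Return the request's cookies as a dict; tolerates a missing header."""
    jar = SimpleCookie()
    if header:
        jar.load(header)
    return {name: morsel.value for name, morsel in jar.items()}


def has_positive_consent(request_cookies):
    """Only an explicit recorded opt-in counts; no cookie at all means no consent."""
    return request_cookies.get("cookie_consent") == "yes"


def record_consent_choice(accepted):
    """Set-Cookie header for the banner choice. A refusal is recorded as well, so
    the banner need not be re-shown, but it enables nothing."""
    value = "yes" if accepted else "no"
    return f"cookie_consent={value}; Path=/; Secure; SameSite=Lax; Max-Age=15552000"


def build_set_cookie_headers(request_cookies):
    """Decide which Set-Cookie headers this response may carry."""
    headers = []
    if "sessionid" not in request_cookies:
        # Essential: the site cannot keep a login without it, so no consent is needed,
        # but the purpose must still be explained to the user.
        headers.append(
            f"sessionid={secrets.token_urlsafe(16)}; Path=/; HttpOnly; Secure; SameSite=Lax"
        )
    if has_positive_consent(request_cookies) and "_analytics" not in request_cookies:
        headers.append(
            f"_analytics={secrets.token_urlsafe(16)}; Path=/; Secure; SameSite=Lax; Max-Age=31536000"
        )
    return headers


def cookie_names(headers):
    """Names of the cookies a list of Set-Cookie headers would set."""
    return [h.split("=", 1)[0] for h in headers]


if __name__ == "__main__":
    for cookie_header in ("", "sessionid=abc; cookie_consent=no", "sessionid=abc; cookie_consent=yes"):
        print(repr(cookie_header), "->", cookie_names(build_set_cookie_headers(parse_cookie_header(cookie_header))))
```

The decision is made per response, so the analytics cookie cannot slip out on the first page view before the banner has been answered; the same gate would wrap any third-party tag loading.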

What does this mean for your organisation?

Based on industry research, it is very likely that your website and email marketing are currently not compliant with PECR. Although so far this has not been a significant risk in terms of enforcement, the use of tracking technologies is becoming more of a concern to the general public. This means that even though regulatory action against breaches of PECR Regulation 6 is unusual, the possibility of adverse news coverage or a security breach involving this kind of technology has the potential to cause problems for your organisation even before the ePrivacy Regulation is enacted.

To manage this risk and prepare for changes in the law, Protecture recommends you plan the following set of actions for your organisation over the next two years:

  1. Conduct a cookie audit of all of your websites to find out which cookies and trackers are being set at the moment
  2. Identify which of these cookies and trackers are critical to the function of the site, and which are ‘nice-to-have’
  3. Document what each cookie or tracker is for, and any privacy implications that it may have (for example, advertising network cookies allow detailed profiles of individuals’ web use activity to be built, from which highly confidential information can be inferred)
  4. Determine whether your website’s current technology allows the cookies and trackers to be disabled unless a positive indication of consent is received
  5. If not, ensure that the website features clear and easily-found information about what cookies and trackers are set, for what purposes and how the site user can block or clear them.
  6. Include contract clauses with your web hosting or developers which require them to provide user-friendly documentation on any cookies or trackers which they have configured on the site.
  7. Determine whether email tracking is enabled on your mass-emailing platform.
  8. If so, ask your platform provider whether tracking can be disabled by default and selectively enabled for individual recipients.
  9. If this feature is not available, consider whether the risk of complaint or enforcement is sufficient to switch to a provider that allows this level of control.
  10. Ensure that when individuals sign up to receive tracked emails, they are provided with full and clear information about the tracking, and how to disable it.
  11. Set aside budget and resources in organisational planning to adapt to the potential strengthening of ePrivacy enforcement in 2020.
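Steps 1 to 4 above can be turned into a repeatable check. The following is an added example, not Protecture's own tooling: it takes the Set-Cookie headers captured from a fresh, consent-less first visit to a site and compares them with the cookie inventory produced in step 3, reporting any cookie that has no documented purpose and any non-essential cookie that is being set before consent. The captured headers, the cookie names and the inventory entries are all constructed for illustration.

```python
"""First-visit cookie audit against a documented inventory.

Added illustration, not the article's code. Headers and inventory are constructed.
"""
from http.cookies import SimpleCookie

# Constructed: Set-Cookie headers captured from a first visit with no consent given.
FIRST_VISIT_SET_COOKIE = [
    "sessionid=9f3c1a7e; Path=/; HttpOnly; Secure; SameSite=Lax",
    "_analytics_id=AN1.2.123456.1700000000; Path=/; Max-Age=63072000",
    "csrftoken=d41d8cd9; Path=/; Secure; SameSite=Strict",
    "promo_seen=1; Path=/; Max-Age=2592000",
]

# Constructed inventory from step 3: name -> purpose and whether it is strictly necessary.
INVENTORY = {
    "sessionid": {"purpose": "keeps the user logged in", "essential": True},
    "csrftoken": {"purpose": "CSRF protection for forms", "essential": True},
    "_analytics_id": {"purpose": "third-party site analytics", "essential": False},
}


def parse_set_cookie(header):
    """Return (name, morsel) for a single Set-Cookie header."""
    jar = SimpleCookie()
    jar.load(header)
    name, morsel = next(iter(jar.items()))
    return name, morsel


def lifetime(morsel):
    """'persistent' if the cookie outlives the browser session, else 'session'."""
    return "persistent" if (morsel["max-age"] or morsel["expires"]) else "session"


def audit_first_visit(set_cookie_headers, inventory):
    """Return (cookie name, issue) pairs for everything that needs attention."""
    issues = []
    for header in set_cookie_headers:
        name, morsel = parse_set_cookie(header)
        entry = inventory.get(name)
        if entry is None:
            issues.append((name, f"undocumented {lifetime(morsel)} cookie: no purpose recorded (step 3)"))
        elif not entry["essential"]:
            issues.append((name, f"non-essential {lifetime(morsel)} cookie set before consent (Regulation 6)"))
    return issues


if __name__ == "__main__":
    for name, issue in audit_first_visit(FIRST_VISIT_SET_COOKIE, INVENTORY):
        print(f"{name}: {issue}")
```

Run the audit from a clean browser profile (or a scripted client that starts with an empty cookie jar) against each site in step 1; an empty result means everything set before the banner is answered is both documented and strictly necessary, which is the state step 4 is aiming for.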