Cookie policies - an often misunderstood requirement
GDPR has raised our awareness of the need to publish information relating to privacy.
Such a policy is likely to be one of several legal notices on a website, partly because a website is accessible to all, and partly because the people whose personal information is collected, used and stored are website users who would like to think that they browse anonymously.
There was so much hype just before the DPA came into force about every website needing to meet the requirements of the GDPR that the actual law (and the obligations it imposes) was overlooked.
Before GDPR and the DPA, cookies were seen as the technology that infringed privacy on the Internet.
In many ways, they still are, since many people equate them with a mysterious tracking technology that requires deep knowledge of browser settings to disable, usually at the cost of no longer being able to use a website’s functionality.
Cookies are simply small pieces of data that a website asks your browser to store on your computer or Internet browsing device and to send back on later requests. They allow data that is generated or collected on one page to be used at a later time.
Cookies were an important technological milestone in the development of the Internet because through use of them, websites changed from being mostly collections of static information pages to being interactive applications that responded to the visitor’s requirements.
But there was a backlash against their use by visitors on the grounds of an infringement of privacy, particularly where the content of the websites the visitor browsed was of the sort that the visitor would not want anyone to know he or she had sought out.
Before cookies, visitors were not so aware that what they looked at was recorded (although it always has been, through webserver logs). The Internet seemed to be a private domain where visitors’ actions were anonymous.
When it became obvious that cookies were the primary technology that removed anonymity (particularly across websites), visitors became more interested in whether they were being used, and if so, exactly how.
Cookie policies were created to reassure technologically and privacy minded visitors, not because of the introduction of any law, but because some visitors wanted to know.
The law relating to cookies
The Privacy and Electronic Communications (EC Directive) Regulations 2003 (the PECR) set out the requirements that give the user control over their use.
The DPA (incorporating the GDPR) sets out the requirements for disclosure.
Most of the PECR relates to electronic marketing communications, including the public’s right not to receive nuisance telephone calls.
A very small section, Regulation 6 relates to confidentiality of communications - technology that places or retrieves information on someone else’s device.
[…] a person shall not store or gain access to information stored, in the terminal equipment of a subscriber or user unless the [following] requirements […] are met:
The requirements are that the subscriber or user of that terminal equipment:
has given his or her consent.
But this is not a requirement:
where such storage or access is strictly necessary for the provision of an information society service requested by the subscriber or user.
And it is not necessary to ask more than once:
Where an electronic communications network is used by the same person to store or access information in the terminal equipment of a subscriber or user on more than one occasion, it is sufficient for the purposes of this regulation that the requirements […] are met in respect of the initial use.
The first thing you should note is the exception. There is no legal requirement to disclose use of, or to gain consent to use any cookie that is “strictly necessary” for the operation of the website.
The issue for the website owner is that some of the words or phrases in the law are subject to interpretation and “strictly necessary” is one of those. What is strictly necessary is not entirely clear, and in theory, could change over time.
If the cookie is not strictly necessary then the visitor must give consent to it.
In 2003, when the PECR was drafted, “consent” could be given implicitly (by continuing to browse a website) or explicitly (for example, by clicking on a button stating “I agree”). Since the DPA 2018 came into force, consent has the same meaning as under the GDPR: a clear affirmative action by the visitor. In other words, the visitor must click on a part of the screen (such as a button or a check box) to give consent; continuing to browse is not enough.
Note that the obligation is not to give the visitor the opportunity to accept or refuse each cookie individually, or in groups such as those related to marketing. It is equally valid to give the opportunity to accept cookies individually, in groups or all together.
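The split the law makes is easy to express in code: cookies that are strictly necessary are set without asking, anything else is set only after a recorded affirmative choice, the choice is recorded once so the visitor is not asked again on every page, and withdrawing consent (the opt-out mechanism the article recommends in its final section) removes what was set under it. The block below is an added example, not code from the original article or from any regulator. It keeps cookies in an in-memory Map standing in for document.cookie so it runs under Node; the attribute strings it builds are what a page would assign to document.cookie. The cookie names, the three categories and the one-year retention of the consent record are assumptions for the example, not requirements of the law.

```javascript
// Added example (not from the original article): a minimal consent gate in the
// spirit of PECR Regulation 6. Essential cookies are set unconditionally; any
// other category is set only after an explicit opt-in that is recorded once.
// Storage is an in-memory Map standing in for document.cookie so this runs in Node.

const CONSENT_COOKIE = "cookie_consent";     // assumed name; the consent record itself is strictly necessary
const CONSENT_MAX_AGE = 365 * 24 * 60 * 60;  // assumed retention of the choice, in seconds

// Assumed grouping; the law allows consent per cookie, per group or all at once.
const CATEGORY = Object.freeze({ ESSENTIAL: "essential", ANALYTICS: "analytics", MARKETING: "marketing" });

function newJar() {
  return new Map(); // cookie name -> { value, category, header }
}

// Build a Set-Cookie style attribute string. Secure and SameSite are good hygiene
// regardless of consent; HttpOnly only where script never needs to read the value.
function cookieString(name, value, { maxAge, httpOnly = false, sameSite = "Lax" } = {}) {
  let s = `${encodeURIComponent(name)}=${encodeURIComponent(value)}; Path=/; Secure; SameSite=${sameSite}`;
  if (maxAge !== undefined) s += `; Max-Age=${maxAge}`;
  if (httpOnly) s += "; HttpOnly";
  return s;
}

// Returns the recorded choice, or null if the visitor has not yet been asked
// (or the record is corrupt, which is treated the same way).
function readConsent(jar) {
  const entry = jar.get(CONSENT_COOKIE);
  if (!entry) return null;
  try {
    const parsed = JSON.parse(entry.value);
    return parsed && typeof parsed === "object" ? parsed : null;
  } catch {
    return null;
  }
}

// Call this only from the handler of the visitor's explicit click (button or
// check box), never from "continued browsing". Withdrawing consent also removes
// any non-essential cookie that was set under the earlier choice.
function recordConsent(jar, granted) {
  const consent = {
    [CATEGORY.ESSENTIAL]: true,
    [CATEGORY.ANALYTICS]: granted[CATEGORY.ANALYTICS] === true,
    [CATEGORY.MARKETING]: granted[CATEGORY.MARKETING] === true,
  };
  const value = JSON.stringify(consent);
  jar.set(CONSENT_COOKIE, {
    value,
    category: CATEGORY.ESSENTIAL,
    header: cookieString(CONSENT_COOKIE, value, { maxAge: CONSENT_MAX_AGE }),
  });
  for (const [name, entry] of jar) {
    if (entry.category !== CATEGORY.ESSENTIAL && !consent[entry.category]) jar.delete(name);
  }
  return consent;
}

// Returns true if the cookie was set, false if it was blocked for lack of consent.
function setCookieIfAllowed(jar, name, value, category, opts = {}) {
  if (category !== CATEGORY.ESSENTIAL) {
    const consent = readConsent(jar);
    if (!consent || consent[category] !== true) return false;
  }
  jar.set(name, { value, category, header: cookieString(name, value, opts) });
  return true;
}

// Show the banner only until a choice has been recorded; the initial choice
// covers later visits.
function needsConsentBanner(jar) {
  return readConsent(jar) === null;
}

// Walk through a visit: constructed cookie names and values, not real ones.
function demo() {
  const jar = newJar();
  const session = setCookieIfAllowed(jar, "sessionid", "abc123", CATEGORY.ESSENTIAL, { httpOnly: true });
  const blocked = setCookieIfAllowed(jar, "analytics_id", "a1", CATEGORY.ANALYTICS); // no consent yet
  const bannerBefore = needsConsentBanner(jar);
  recordConsent(jar, { analytics: true, marketing: false });                        // visitor clicks "Accept analytics"
  const analytics = setCookieIfAllowed(jar, "analytics_id", "a1", CATEGORY.ANALYTICS);
  const marketing = setCookieIfAllowed(jar, "ad_id", "m1", CATEGORY.MARKETING);
  const bannerAfter = needsConsentBanner(jar);
  recordConsent(jar, {});                                                            // visitor later opts out of everything
  return { session, blocked, bannerBefore, analytics, marketing, bannerAfter, remaining: [...jar.keys()] };
}
```

In a real page the Map would be replaced by reads and writes of document.cookie (or Set-Cookie headers on the server), and withdrawal would expire each non-essential cookie with Max-Age=0 on the same Path and Domain it was set with; third-party cookies set by embedded scripts can only be prevented by not loading the script until consent is recorded.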
The PECR states that the website visitor must be:
[…] provided with clear and comprehensive information about the purposes of the storage of, or access to, that information
Again, this applies only to cookies that are not strictly necessary.
There is an issue in deciphering what “clear and comprehensive” means. Certainly, fine technical detail would be comprehensive. But we would argue that, to the average visitor, technical detail about whether a cookie is persistent or not (in the sense that persistence relates to cookies) is not clear. Nor does information about persistence relate to the purpose of the cookie. Instead, we would argue that to satisfy the legal requirement, a website owner simply needs to state in broad terms that cookies are used and give a good non-technical explanation of why they are used.
The DPA possibly also influences what information you must disclose to visitors.
The disclosure requirements of the DPA are that you tell the visitor what personal information is being “processed” (collected, stored or otherwise acted on), for example, information relating to the visitor’s political views, and which legal basis you do so on (there are six possible bases, but in practice, three are most likely to be used).
The DPA does not oblige you specifically to do anything in relation to cookies, nor to separate information stored in or retrieved from cookies from any other type of information processed.
To repeat, the requirement of the DPA (and the GDPR) is disclose what information is processed and the basis on which it is.
There is no requirement to disclose that cookies are used, and no requirement to disclose what information is stored in cookies specifically.
For example, the following statement would satisfy the legal requirements of the DPA:
We process information relating to your political views on the basis of Contract, that is that our processing is necessary to fulfil your request that we enter into a contract with you.
For the DPA, it doesn’t matter whether that information is collected and stored in a cookie or whether some other technology performs the same function.
How to comply with the law
Your obligation is to comply with the law, specifically the Data Protection Act and the Privacy and Electronic Communications Regulations.
You have no legal obligation to comply with the recommendations of other government bodies (such as the Information Commissioner’s Office or ICO) or of any other governing bodies such as professional associations.
Nor is there a legal obligation imposed by Google, Microsoft or any other search engine. Having a cookie notice on your website is not a condition of being included in their search results.
There may be good reasons to comply with the requirements of other organisations, but there is no legal requirement.
We take the view that compliance in respect of cookies is best managed through a consent mechanism and your privacy notice, as described below.
The ICO’s own website uses a mechanism for consenting to cookies that could give inspiration for your own. Because the ICO attempts to achieve “best practice”, what it does and what it advises often goes beyond legal requirements, but what it does should certainly be considered.
Within your privacy notice you should explain what information your organisation processes.
You might also link to the privacy policies (or cookie notices) of third party applications that you use.
One potential issue with explaining how any third party cookie works is that the third party might change what the cookie does at any time and not inform you. The information on your website would be wrong, but because it is in such granular detail, might be convincing to a visitor. We would argue that it is worse to provide detailed inaccurate information than to provide less detailed but factually correct information.
You might also link to the webpages of browser software that explain how a browser user can disable cookies entirely. Or you might recommend and link to software organisations that provide privacy plug-ins which automatically disable cookies that they recognise as not necessary for the performance of the website.
Your cookie notice
Hopefully you now understand your legal obligations in respect of cookies.
A separate cookie notice is not a legal requirement. Whether you want to publish one is a separate consideration to the law.
Our approach would be not to publish a separate one, but instead to comply with the law through your privacy notice and by providing a mechanism for opting out.
Please note that the information provided on this page:
- Does not provide a complete or authoritative statement of the law;
- Does not constitute legal advice by Net Lawman;
- Does not create a contractual relationship;
- Does not form part of any other advice, whether paid or free.