CNIL (the Data Protection Regulator in France) has fined Google & Facebook for non-compliance with Data Protection legislation related to the use of cookies and other technologies on their websites.
Investigations were carried out by the CNIL on the Facebook, Google and YouTube websites, which let individuals accept cookies immediately but offered no equally easy or quick way to decline them. Following the investigations, Google LLC has been fined €90 million, whilst Google Ireland and Facebook Ireland have been fined €60 million each.
In addition to these large fines, both companies have 3 months to update their cookie management solutions so that users can decline cookies as easily as they accept them. If this is not done, they will incur further monetary penalties of €100,000 per day.
Which law are cookie rules in?
The rules on cookies in the EU & UK come from the E-Privacy Directive (2002/58/EC) which required all member states in the EU to embed various privacy rights related to electronic communications.
It’s embedded into UK law as the Privacy and Electronic Communications Regulations, also known as PECR. PECR sits alongside the UK GDPR and the Data Protection Act 2018. PECR has rules on marketing calls, emails, texts and faxes, cookies and other tracking technologies, keeping communications secure, and privacy around location data and directory listings.
What are the rules on cookies?
There are 3 basic rules when it comes to cookies:
- Tell people you’re using them on your website or mobile apps;
- Explain what the cookies are doing and why; and
- Get the person’s consent to store the cookie on their device.
How do we make sure our cookie consent is valid?
This is where PECR and the UK GDPR come together! The UK GDPR requires that consent must be freely given, specific, informed and unambiguous. In non-legal terms, that means somebody has to actively choose to opt in via a positive action like a tick in a box, you must have separate options for activities such as marketing cookies and analytics cookies, and people must be able to withdraw their consent as easily as they gave it.
And that’s where a lot of organisations get it wrong. Users should not have to trawl through lots of settings, or change the cookie defaults in their browser (which affects every website they visit). Declining should be as quick and easy as accepting.
What steps can your organisations take to meet the requirements on Cookies?
- Review & Evaluate: Understand what cookies and other technologies you’re using on your website and mobile apps – are they for marketing, analytics or strictly necessary to keep your website online? If you only use the latter, you don’t need to capture consent, but you still have to tell people about them.
- Third Party Cookies: Make sure you identify any third party cookies – what data is being shared with the third party, what is the third party using it for and how do you tell your users?
- Retention: Ensure you understand whether the cookies are ‘session’ or ‘persistent’ – persistent cookies kept on devices indefinitely are unlikely to be compliant with legislation!
- Cookie Banner & Notice: Develop and embed a Cookie Banner & Notice on your website and mobile apps through which people can easily accept or decline the use of cookies. Remember – the cookie notice must be easy to access and updated regularly with any changes.
- Policies & Procedures: make sure someone is responsible for cookies and that they understand their roles when placing them onto your website and mobile apps. Ideally, you’d have approval processes which involve your Privacy Team and/or DPO too.
- Re-consent: Regularly run a re-consent exercise; consent isn’t valid forever so you should decide on a timescale that works for your organisation and refresh it with your users at least every 12 months.
- Cookie Management Platforms: If you can, use a Cookie Management Platform. There are lots of great Privacy Enhancing Technologies (PETs) around that can scan your website, automate your privacy notices, and capture and manage your cookie consent.
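To show how the consent requirements above (positive opt-in, separate categories, withdrawal as easy as granting, strictly necessary cookies exempt, re-consent within 12 months) translate into front-end logic, here is an added example written for this article; it is not Bridewell’s or any platform’s code. The category names, the 12-month window and the in-memory cookie `jar` standing in for `document.cookie` are assumptions made for illustration.

```javascript
// Consent model for the rules above: strictly necessary cookies need no consent,
// every other category stays off until the user opts in, consent goes stale after
// 12 months (re-consent), and declining or withdrawing is one call, like granting.
const CATEGORIES = ["strictly_necessary", "analytics", "marketing"]; // assumed set
const MAX_AGE_MS = 365 * 24 * 60 * 60 * 1000; // assumed 12-month re-consent window

// Build a consent record from explicit user choices. Nothing defaults to true
// except strictly_necessary, so a closed or ignored banner grants no category.
function recordConsent(choices, now = Date.now()) {
  const granted = { strictly_necessary: true };
  for (const c of CATEGORIES) {
    if (c === "strictly_necessary") continue;
    granted[c] = choices[c] === true; // positive action required; missing = declined
  }
  return { granted, at: now, version: 1 };
}

// "Decline all" must be as easy as "Accept all": same single step, no choices needed.
function declineAll(now = Date.now()) {
  return recordConsent({}, now);
}

// Withdrawing one category is a single call; strictly_necessary cannot be withdrawn.
function withdraw(record, category, now = Date.now()) {
  const granted = { ...record.granted, [category]: category === "strictly_necessary" };
  return { ...record, granted, at: now };
}

// A category may be used only on a fresh, explicit grant; anything else is "no".
function mayUse(record, category, now = Date.now()) {
  if (category === "strictly_necessary") return true;
  if (!record || typeof record.at !== "number") return false; // no record yet
  if (now - record.at > MAX_AGE_MS) return false; // stale: show the banner again
  return record.granted[category] === true;
}

// Gate every non-essential cookie write on consent. `jar` is a constructed
// stand-in for document.cookie so the example runs outside a browser.
function setCookieIfAllowed(record, category, name, value, jar, now = Date.now()) {
  if (!mayUse(record, category, now)) return false;
  jar[name] = value;
  return true;
}
```

In a real page the record would be persisted (for example in a strictly necessary cookie or local storage) and `jar` replaced by `document.cookie`; the gating logic stays the same.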
If you need help understanding the requirements on cookies relevant to your organisation, or you’re interested in a Cookie Consent Management Platform, Bridewell can help. We provide a number of Data Protection services, including consultancy on one-off projects and Data Protection Officer as a Service, and we partner with OneTrust, who have a wide range of Privacy modules including their Cookie Management Platform.
For more information on how Bridewell’s Data Protection services can support your organisation, get in touch with our team for a confidential conversation.
Author
Aimee Bush
Senior Data Privacy Consultant