Kate Brimsted and Tom Evans summarise the ICO’s recent cookie guidance and report on AdTech which set out some lessons and warnings for website owners in general and the online advertising industry in particular
The interaction between the General Data Protection Regulation (2016/679) (the “GDPR”) and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (as amended) (“PECR”) has been a legal conundrum for some time now.
These documents appear to signal that any notion of a regulatory enforcement amnesty pending the arrival of a new EU ePrivacy Regulation should be discounted - cookies are being singled out as “an increasing regulatory priority”. The ICO has been engaging with stakeholders and examining long-established internet practices through the prism of the ungainly GDPR/PECR combination and does not like what has come to light.
In the Guidance, the picture is challenging, although there are a few areas where a degree of reassurance can be found; for example, less intrusive analytics cookies are not top of the list of ICO enforcement priorities. In the Adtech Report, the ICO’s two prioritised areas of concern are (1) the processing of special category personal data without explicit consent and (2) the complexity of the data supply chain. Simon McDougall, the ICO’s Executive Director for Technology Policy and Innovation, has since cautioned that the Report is a “warning and wake-up call” to address what the regulator considers to be untenable practices, and that if fundamental changes aren’t made, it is “ready to respond and consider the full range of enforcement actions”.
Which law applies to cookies: PECR or the GDPR?
Potentially, both apply. PECR provides specific rules which organisations must follow when deploying cookies or similar technologies on “terminal equipment” like PCs or smartphones. When the ICO refers to “cookies”, it is also referring to local shared objects, “device fingerprinting” techniques, pixels, etc. The GDPR, of course, governs the processing of “personal data”. Cookies will often (but not inevitably) involve the processing of personal data, such as user authentication cookies which allow an individual to log on to their account at an online service. When PECR applies it takes priority over the GDPR (and the UK Data Protection Act 2018), and the ICO says that PECR should be considered first.
It was originally intended that a GDPR-era replacement for PECR would have been finalised at the EU level and applicable from 25 May 2018. The ePrivacy Regulation appears to have lost momentum, however, and significant compliance challenges come from the requirement to “retrofit” GDPR-standard requirements to PECR, for example “consent” for a non-essential cookie under PECR now has to be GDPR-standard consent. Similarly, the “clear and comprehensive information” PECR requirements now equate to the “fair processing information” requirements from Articles 13-14 of the GDPR.
What does the new Guidance say?
PECR states, in summary, that consent must be obtained for the storing (or accessing) of cookies on a user’s device unless those cookies are “strictly necessary” to provide a requested service or are required to allow “communication” between two parties over a network. The Guidance makes clear that in the ICO’s view:
What should be done now?
In the blog “Cookies: what does ‘good’ look like?” the ICO’s Head of Technology Policy notes that for many organisations “more work will have to be done” to comply. The Guidance notes that, while regulatory action is always a possibility, it is unlikely that the ICO would consider cookies with a low level of intrusiveness as a priority, such as first party cookies used for analytics purposes, or those which support the accessibility of sites and services. Waiting for the EU ePrivacy Regulation to be finalised before reviewing a website’s cookie compliance post-GDPR is looking potentially risky. Organisations should therefore consider:
The ICO’s report on adtech and real time bidding
Of all the sectors to be affected by the GDPR, adtech has perhaps been one of the hardest hit. The confusing interplay between PECR and the GDPR is disproportionately problematic for a sector which depends so heavily on cookies. It has also been singled out by the ICO as a regulatory priority area and is the subject of a number of high profile complaints to the ICO made by privacy advocacy groups.
Broadly speaking, “adtech” refers to tools that analyse and manage information for online advertising campaigns and automate the processing of advertising transactions. Most obviously, adtech powers the buying and selling of advertising inventory on a website. It has been clear for some time that the ICO has had the adtech industry firmly within its sights. The Adtech Report is a progress report and it is not guidance, although – slightly ominously – it indicates that the regulator does “not think these issues will be addressed without intervention”.
The Adtech Report focusses on so-called “real time bidding” (“RTB”), an auction process that is primarily used to sell visual advertising inventory on websites and apps (though it can also be used for other media such as audio and visual streaming). This “real time” auction occurs in a fraction of a second – in the time it takes for a website to load in a user’s browser. Publishers make space available on their platforms, ultimately to be filled by content from advertisers as a result of a successful bid on a per individual viewer basis. The process relies on publishers creating “bid requests”, as well as a series of intermediaries such as Data Management Platforms (DMPs) which may be involved in enriching the data about the potential viewer and tagging it with information known or inferred about that person, making the bid request more valuable. Adtech relies heavily on cookies and similar technologies to collect the data (including personal data) of the page visitor, which is then incorporated into the bid request before it is put out for auction.
Core issues highlighted by the Adtech Report
The ICO makes clear that it has chosen to investigate the RTB ecosystem because of its complexity and scale, alongside the risks that it poses to the rights and freedoms of individuals. The Adtech Report highlights:
What should those involved in online advertising do?
The Adtech Report will have implications for all participants in the adtech system, from website owners (publishers) to exchange providers, and ultimately to advertisers. Apart from publishers carrying out a cookie audit, organisations involved in adtech should now look to understand:
Away from PECR and the GDPR, organisations active in the adtech industry are facing scrutiny under competition law. In fact, the Competition and Markets Authority (“CMA”) announced on 3 July that it has launched a market study into digital advertising and “broad potential sources of harm to consumers” from online platforms. The CMA has stated that this will include a review of the way that organisations collect and use personal data. The ICO and the CMA have in place a memorandum of understanding setting out the procedure for cooperation between the two authorities, so it will be interesting to see the extent of coordination between them in relation to the outcome of the CMA’s study.
A regulator’s role is to enforce the law as it is, rather than the law as it was supposed to be enacted, or as it might one day become. It goes without saying that the present difficulties due to the delayed EU legislative reforms are not of any regulator’s making. The ICO’s engagement in the form of the Adtech Report and the ongoing dialogue with the sector is welcomed; not least because peremptory regulatory action could have devastating consequences for an industry that allows large amounts of online content to be provided at no monetary cost to the end user.
So, it is less than ideal to find ourselves on the cusp of the 5G era - with all its potential for boundless connectivity and the Internet of Things - with a dysfunctional regulatory framework. In this context, aspiring to compliance with the historic ePrivacy regime in tandem with the GDPR feels rather like swapping your horse for a car and still expecting it to run on hay.
Kate Brimsted is a Partner at Bryan Cave Leighton Paisner and is a member of their Data Privacy and Cyber Security team https://www.bclplaw.com/en-GB/people/kate-brimsted.html
Tom Evans is an associate at Bryan Cave Leighton Paisner and is a member of the Data Privacy and Cyber Security team https://www.bclplaw.com/en-GB/people/tom-evans.html
This article was first published on the BCLP website and is reproduced with permission