New standards for the use of website ‘cookies’ and similar technologies have been published by the Information Commissioner’s Office.
The Privacy and Electronic Communications Regulations (PECR) also cover an organisation’s access to information stored via such technologies on equipment such as a computer or mobile device.
According to legal firm DLA Piper, the General Data Protection Regulation has indirectly imposed higher standards for cookie usage – in particular on what constitutes valid consent and on transparency.
The firm says the key takeaways for care homes with websites are as follows:
- That consent obtained for the purposes of setting cookies must be ‘consent’ as defined by the GDPR. What this means in practice is:
  - a clear positive action – continuing to browse the website is not valid;
  - granularity – the ability to consent to cookies used for some purposes, but not others; and
  - no pre-ticked boxes or sliders set to ‘on’ – the default option for non-essential cookies must be ‘off’.
- A strong indication that, if consent is required to set the cookie under PECR, then consent should also be the lawful basis under the GDPR for the collection of any personal data by the cookie. Obtaining a cookie consent but citing ‘legitimate interests’ as the GDPR basis will in most cases not be possible.
- In many cases, consent should also be the GDPR basis for the subsequent processing of personal data after its initial collection by the cookie – particularly if that processing is for the purposes of profiling, behavioural analysis or targeted advertising.
- ‘Cookie walls’ (i.e. conditioning access to a site or service on consent to certain cookies) are prohibited if they prevent access to the website in general. However, it may be possible to condition access to specific services on consent to certain cookies.
- ‘Settings-led’ or ‘features-led’ consent may be possible – where the choice to use particular settings or features (e.g. choosing local language website version) is integrated with consent to the supporting cookies, provided this is explained clearly.
- Subscribers vs. users – in some circumstances, it may be appropriate to accept the cookie preferences of the telecommunications subscriber over those of the user. For example, an employer (the subscriber) mandating particular settings on a work device issued to an employee (the user).
- The obligation to provide information about the purposes for which cookies are used must align with GDPR transparency standards (i.e. “concise, transparent, intelligible and easily accessible form, using clear and plain language”). Many cookie policies and pop-up notices will fail this standard.
- Companies setting third-party cookies (commonly used for advertising (re)targeting and tracking purposes) must be specifically named.
- The exemptions from the requirement for cookie consent under PECR become much more significant, given that they represent a ‘safe harbour’ from these stricter requirements. There is helpful, detailed guidance on the types of cookies which may benefit from the ‘communication’ and ‘strictly necessary’ exemptions.
- User preferences have a shelf life – after a period of time website operators should re-consent their users. It is unclear how to determine a reasonable period of time in practice.
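As an added illustration (not code from the ICO, DLA Piper or this article), the following JavaScript models the consent mechanics listed above: nothing is pre-ticked, no non-essential cookie is written before a positive granular choice, strictly necessary cookies are exempt, each write is tagged with the party setting it, and a choice expires so the user must be re-consented. The category names, the in-memory Map standing in for the browser cookie store and the 180-day re-consent period are assumptions for illustration.

```javascript
// Added example: a consent gate modelled on the takeaways above.
// Category names, the in-memory "jar" (standing in for document.cookie) and the
// re-consent period are assumptions for illustration, not values from the guidance.
const STRICTLY_NECESSARY = "strictly_necessary"; // PECR exemption: no consent needed
const OPTIONAL_CATEGORIES = ["analytics", "advertising"]; // need GDPR-standard consent
const RECONSENT_AFTER_MS = 180 * 24 * 60 * 60 * 1000; // assumed shelf life of a choice

// The banner's initial state: nothing pre-ticked, every optional category off.
function defaultChoices() {
  return Object.fromEntries(OPTIONAL_CATEGORIES.map((c) => [c, false]));
}

class ConsentGate {
  constructor(jar, now = () => Date.now()) {
    this.jar = jar;      // Map of cookie name -> { value, category, setBy }
    this.now = now;      // clock, injectable so expiry can be exercised
    this.record = null;  // no record until a positive action; browsing creates none
  }
  // Record an explicit, granular choice. Only categories ticked true are granted.
  recordChoice(choices) {
    const granted = OPTIONAL_CATEGORIES.filter((c) => choices[c] === true);
    this.record = { granted, at: this.now() };
    return granted;
  }
  // True when the user has never chosen, or the choice has passed its shelf life.
  needsReconsent() {
    return this.record === null || this.now() - this.record.at > RECONSENT_AFTER_MS;
  }
  isAllowed(category) {
    if (category === STRICTLY_NECESSARY) return true;
    if (this.needsReconsent()) return false;
    return this.record.granted.includes(category);
  }
  // Every cookie write passes through here, tagged with its purpose and the party
  // setting it, so third parties can be named in the notice. Returns whether it was set.
  setCookie(name, value, category, setBy = "first party") {
    if (!this.isAllowed(category)) return false;
    this.jar.set(name, { value, category, setBy });
    return true;
  }
  // Names the third parties that actually set a cookie, for the transparency notice.
  thirdPartiesPresent() {
    const parties = [...this.jar.values()].map((c) => c.setBy);
    return [...new Set(parties.filter((p) => p !== "first party"))];
  }
}
```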