The interaction between the General Data Protection Regulation (2016/679) (“GDPR”) and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (as amended) (“PECR”) has been vexing for some time now.
One central message from these documents is that any notion of a regulatory enforcement amnesty pending the arrival of a new EU ePrivacy Regulation should be discounted - cookies are being singled out as “an increasing regulatory priority”. The ICO has been looking for some time at long-established internet practices through the prism of the ungainly GDPR/PECR combination, has started to engage with stakeholders and does not like what has come to light. In the Guidance, the picture is challenging although there are a few areas where comfort can be drawn, e.g. less intrusive analytics cookies are not top of the list of enforcement priorities. In the Adtech Report, the ICO’s two prioritised areas of concern are (1) the processing of special category personal data without explicit consent and (2) the complexity of the data supply chain. The regulator appears to be firing a “shot across the bows” noting that, while the information gathering continues, the ICO expects data controllers in the adtech industry to re-evaluate their approach to privacy notices, the use of personal data and the lawful grounds being relied upon under GDPR.
Potentially, both apply. PECR provides specific rules which organisations must follow when deploying cookies or similar technologies on “terminal equipment” such as PCs or smartphones. When the ICO refers to “cookies”, it is also referring to local shared objects, “device fingerprinting” techniques, pixels, etc. The GDPR, of course, governs the processing of “personal data”. Cookies will often (but not inevitably) involve the processing of personal data, e.g. user authentication cookies which allow an individual to log on to their account at an online service. When PECR applies it takes priority over the GDPR (and the UK Data Protection Act 2018), and the ICO says that PECR should be considered first.
It was originally intended that a GDPR-era replacement for PECR would have been finalised at the EU level and applicable from the 25th of May 2018. The ePrivacy Regulation appears to have lost momentum, however, and significant compliance challenges come from the requirement to “retrofit” GDPR-standard requirements to PECR, e.g. “consent” for a non-essential cookie under PECR now has to be GDPR-standard consent. Similarly the “clear and comprehensive information” PECR requirements now mean “fair processing information” requirements from Articles 13-14 of the GDPR.
PECR states, in summary, that consent must be obtained for the storing of cookies unless those cookies are “strictly necessary” to provide a requested service, or are required to allow “communication” between two parties over a network. The Guidance makes clear that in the ICO’s view:
In the blog “Cookies: what does ‘good’ look like?” the ICO’s Head of Technology Policy notes that for many organisations “more work will have to be done” to comply. The Guidance notes that - while regulatory action is always a possibility - it is unlikely that the ICO would consider cookies with a low level of intrusiveness as a priority, e.g. first party cookies used for analytics purposes, or those which support the accessibility of sites and services. What seems clear is that waiting for the EU ePrivacy Regulation before reviewing your website’s cookie compliance post-GDPR could be a risky proposition. Organisations should therefore consider:
Of all the sectors to be affected by the GDPR, adtech has perhaps been one of the hardest hit. The confusing interplay between PECR and the GDPR is disproportionately problematic for a sector which depends so heavily on cookies. It has also been singled out by the ICO as a regulatory priority area and the subject of a number of complaints to the ICO made by privacy advocacy groups.
Broadly speaking, “adtech” refers to tools that analyse and manage information for online advertising campaigns, and automate the processing of advertising transactions, e.g. the buying and selling of advertising inventory on a website. It has been clear for some time that the ICO has had the adtech industry firmly within its sights. The Adtech Report is a progress report; it is not guidance, although it indicates that the regulator does “not think these issues will be addressed without intervention”.
The Adtech Report focuses on so-called “real time bidding” (“RTB”), an auction process that is primarily used to sell visual advertising inventory on websites and apps (though it can also be used for other media such as audio and video streaming). This “real time” auction occurs in a fraction of a second – in the time it takes for a website to load in a user’s browser. Publishers make space available on their platforms, ultimately to be filled by content from advertisers as a result of a successful bid, on a per-individual-viewer basis. The process relies on publishers creating “bid requests”, as well as on a series of intermediaries such as Data Management Platforms (DMPs) which may be involved in enriching the data about the potential viewer and tagging it with information known or inferred about that person, making the bid request more valuable. Adtech relies heavily on cookies and similar technologies to collect the data (including personal data) of the page visitor, which is then incorporated into the bid request before it is put out for auction.
The ICO makes clear that it has chosen to investigate the RTB ecosystem because of its complexity and scale, alongside the risks that it poses to the rights and freedoms of individuals. The Adtech Report highlights:
The Adtech Report will have implications for all participants in the adtech system, from website owners (publishers) to exchange providers, and ultimately to advertisers. Apart from publishers carrying out a cookie audit, organisations involved in adtech should now look to understand:
Away from PECR and the GDPR, organisations active in the adtech industry are facing scrutiny under competition law. In fact, the Competition and Markets Authority (“CMA”) announced on 3 July that it has launched a market study into digital advertising and “broad potential sources of harm to consumers” from online platforms. The CMA has stated that this will include a review of the way that organisations collect and use personal data. The ICO and the CMA have in place a memorandum of understanding setting out the procedure for cooperation between the two authorities, so it will be interesting to see the extent to which any action taken is coordinated.
A regulator’s role is of course to enforce the law as it is, rather than the law as it was supposed to be enacted or as it might one day become, and undoubtedly the situation caused by the delayed EU legislative reforms is not of any regulator’s making. Finding ourselves on the cusp of the 5G era, with all the associated potential for the Internet of Things, while accompanied by a dysfunctional regulatory framework is less than ideal. Expecting compliance with the historic ePrivacy regime alongside the GDPR feels rather like swapping your horse for a car and still expecting it to run on hay.