Firstly, this is legal information about cookie consent, not legal advice…
The judgement of the CJEU case C-673/17 is now doing the rounds and as one has come to expect when it comes to Data Protection recently, there is a lot of hot air and bluster about what the ruling means. Is this some form of paradigm shift in the way data protection law must now be interpreted? Does everyone have to completely revamp their websites? Well no, not really! If you were doing cookies right before the C-673/17 judgement, you’re still doing it right now.
Basically, not much has changed. The case has simply clarified the current law. If your website uses third-party analytics cookies for marketing purposes, then you must obtain GDPR level consent prior to dropping those cookies on the visitor’s device. You are not permitted to use a pre-ticked opt-in, even if the visitor can still choose to opt-out. You must also provide information on how long that cookie will remain on the visitor’s device and who will have access to that cookie.
Cookie Consent – Do I need to do anything differently?
Maybe. It depends what you’re doing currently in regards to obtaining cookie consent. The following practices in regards to the use of third party analytics cookies were already law but have now been further clarified in the C-673/17 case:
- Placing third-party cookies (e.g. Google Analytics) on a visitor’s device without prior consent is unlawful.
- Placing third-party cookies on a visitor’s device with pre-ticked consent (e.g. offering only an opt-out) is unlawful.
- Not telling the visitor how long those cookies will persist (i.e. if the user doesn’t delete them unilaterally) is unlawful.
- Not telling the visitor which third parties have access to those cookies is unlawful.
- In the above circumstances, it does not matter whether the data in the cookie constitutes personal data.
A website in contravention of any of the above carries an increased regulatory risk.
Ok, so I’m clear on third party analytics cookie consent, what about first-party analytics cookies?
First-party analytics are those a site owner hosts themselves for internal purposes only. These cookies are not controlled by an external/third party to the site owner. An example of this could be the self-hosted use of Matomo. These analytics may be used to understand user demand, so as to scale a site up or down when an article goes viral, or to support usability work such as making sure a site renders properly in new browsers and devices. The thing is, only strictly necessary cookies can be dropped on a visitor’s device without prior consent. But what is a ‘strictly necessary’ cookie? The definition is open to interpretation.
Whilst the black letter law provides a consent exemption for ‘strictly necessary’ cookies, it is pretty grey as to whether first-party analytics cookies fall within the exemption. That said, the Article 29 Data Protection Working Party opinion paper on the cookie consent exemption is pretty clear: they opine that such cookies are not covered by the exemption. This opinion, however, has yet to be tested in the courts. The Working Party paper did accept that these first-party cookies are distinguishable from third-party cookies, because such cookies are low in privacy risk and pretty helpful to site owners in providing an improved experience to site visitors. The Working Party went on to opine that:
“Should article 5.3 of the Directive 2002/58/EC be re-visited in the future, the European legislator might appropriately add a third exemption criterion to consent for cookies that are strictly limited to first-party anonymized and aggregated statistical purposes.”
Well, as some of you may know, the Directive has been revisited. In this regard, the current proposal for the new e-Privacy Regulation, specifically in Article 8.1.(d), confirms that legislators did see fit to propose such an exemption. The current exemption wording is:
“if it is necessary for web audience measuring, provided that such measurement is carried out by the provider of the information society service requested by the end-user.”
So, until the new Regulation is ratified, even first-party analytics, no matter how helpful, may require prior consent… unless the site owner wants to take a risk in untested waters. That said, under GDPR these first-party analytics may already be deemed ‘strictly necessary’ under certain lawful bases, say for the performance of a contract. This interpretation has also yet to be tested in the courts. Whether it is a risk worth taking is up to site owners to determine. If, as a site owner, you are using third-party analytics unlawfully, you now know what you need to do! If you need help with any aspect of Data Protection compliance, get in contact!
About the Author
Stephen Massey is the Managing Director of Fox Red Risk, a boutique Cyber Security and Data Protection consultancy. Stephen has worked in the information security risk, business continuity and data protection world for nearly 20 years. Stephen has delivered complex security programmes across defence, real estate and financial services. Stephen has also authored the popular book “The Ultimate GDPR Practitioner Guide” which is available on Amazon in both paperback and Kindle eBook.
About Fox Red Risk
Fox Red Risk is a boutique data protection and cybersecurity consultancy and Managed Security Service Provider which, amongst other things, helps client organisations with implementing controls frameworks for resilience, data protection and information security risk management. Call us on 020 8242 6047 or contact us via the website to discuss your needs.