Category Archives: cookies

January 24, 2025 · 7:27 am

Cookies, compliance and individuated consent

[reposted from my LinkedIn account]

Much will be written about the recent High Court judgment on cookies, direct marketing and consent, in RTM v Bonne Terre & Anor, but treat it all (including, of course, this, with caution).

This was a damages claim by a person with a gambling disorder. The claim was, in terms, that the defendant’s tracking of his online activities, and associated serving of direct marketing, were unlawful, because they lacked his operative consent, and they led to damage because they caused him to gamble well beyond his means. The judgment was only on liability, and at the time of writing this post there has been no ruling on remedy, or quantum of damages.

The domestic courts are not regulators – they decide individual cases, and where a damages claim is made by an individual any judicial analysis is likely to be highly fact specific. That is certainly the case here, and paragraphs 179-181 are key:

such points of criticism as can be made of [the defendant’s] privacy policies and consenting mechanisms…are not made wholesale or in a vacuum. Nor are they concerned with any broader question about best practice at the time, nor with the wisdom of relying on this evidential base in general for the presence of the consents in turn relied on for the lawfulness of the processing undertaken. Such general matters are the proper domain of the regulators.

In this case, the defendant could not defeat a challenge that in the case of this claimant its policies and consenting mechanisms were insufficient:

If challenged by an individual data subject, a data controller has to be able to demonstrate the consenting it relies on in a particular case. And if that challenge is put in front of a court, a court must decide on the balance of probabilities, and within the full factual matrix placed before it, whether the data controller had a lawful consent basis for processing the data in question or not.

Does this mean that a controller has to get some sort of separate, individuated consent for every data subject? Of course not: but that does not mean that a controller whose policies and consenting mechanisms are adequate in the vast majority of cases is fully insulated from a specific challenge from someone who could not give operative consent:

In the overwhelming majority of cases – perhaps nearly always – a data controller providing careful consenting mechanisms and good quality, accessible, privacy information will not face a consent challenge. Such data controllers will have equipped almost all of their data subjects to make autonomous decisions about the consents they give and to take such control as they wish of their personal data…But all of that is consistent with an ineradicable minimum of cases where the best processes and the most robust evidential provisions do not, in fact, establish the necessary presence of autonomous decision-making, because there is specific evidence to the contrary.

This is, one feels, correct as a matter of law, but it is hardly a happy situation for those tasked with assessing legal risk.

And the judgment should (but of course won’t) silence those who promise, or announce, “full compliance” with data protection and electronic marketing law.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under adtech, consent, cookies, Data Protection, GDPR, judgments, marketing, PECR, Uncategorized

Tagged as , ,

November 16, 2023 · 5:36 pm

I was stupid

I was stupid, I was naive: I thought that recent statements from senior people at the Information Commissioner’s Office (ICO) indicated a willingness to enforce against non-compliance in the use of cookies and cookie banners.

I was wrong. My recent complaint, published as an open letter to John Edwards, the Commissioner, not only took ten weeks to be allocated to a case worker, but, now, that case worker has told me, in terms, that they’re not interested:

we do not respond to cookie complaints individually…Our approach is to focus on sites that are doing nothing to raise awareness of cookies, or get their users’ consent, particularly those visited most in the UK. When consumers raise their complaints with us, we either conduct our own compliance check or write to the organisation…Our approach is to focus on sites that are doing nothing to raise awareness of cookies, or get their users’ consent, particularly those visited most in the UK.

This leaves two things hanging: 1) the site I complained about is one of the most visited in the UK; 2) the website in question arguably “raises awareness” of cookies, but only insofar as it confounds, frustrates and obstructs the user, in a manner which, in my submission, contravenes ePrivacy and Data Protection law, and 3) fails to get users’ consent (as it is defined in those laws).

MLex(£) have now written about this, and have secured a quote from the ICO, which is more than I got, really:

It is an ICO priority to influence changes to online tracking practices to create a more privacy-oriented internet. Where users want personalized adverts they should have the choice to receive them. But where websites don’t give people fair choices over how their data is used we will take action to safeguard their rights.

Try as I might, I can’t square that, and the ICO’s previous public statements about taking firm action, with an approach which fails in any real way to engage with people who take the time and effort to make complaints. But, as I say, I was stupid and naive to think it might have been different.

I’ve now complained, in turn, about the ICO’s handling of my complaint (and made an FOI request), in these terms:

1. I made a complaint under Article 77 UK GDPR. You have not investigated that at all, let alone “to the extent appropriate” as you are required to do under Article 57(1)(f). 

2. My letter was addressed to John Edwards. Has he seen it? 

3. You say, “When consumers raise their complaints with us, we either conduct our own compliance check or write to the organisation.” Which have you done here? Please disclose information either in respect of the compliance check you undertook, or of the correspondence you sent to Associated Newspapers Ltd.

4. Frankly, your response is discourteous. I went to some effort to assist the ICO in its stated intention to investigate poor compliance with PECR, but your response gives no indication that you’ve even read the substance of my complaint.

5. Your letter contains no apology or explanation for the extensive delay in handling it, which falls outside your own service standards.

In seriousness, I find this all really disheartening. The gulf between what the ICO says and what it does is sometimes huge, and not necessarily appreciated by those who don’t work in the field.

But I will get back in my stupid box.

+++

For completeness’ sake, the full response from the caseworker was:

Thank you for your correspondence in which you have complained about Associated Newspapers Ltd and its use of cookies.

Complaints regarding cookies can be submitted to us through the following link: Cookies | ICO

In this case, I have forwarded the information you have provided to the appropriate department. Although we do not respond to cookie complaints individually, we use the information you send us to help us identify, investigate and take action against organisations causing you complaint. To do this, we work alongside other organisations and website owners.

Our approach is to focus on sites that are doing nothing to raise awareness of cookies, or get their users’ consent, particularly those visited most in the UK. When consumers raise their complaints with us,
we either conduct our own compliance check or write to the organisation. Our website provides further information about the action we’re taking on cookies.

Yours sincerely

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

6 Comments

Filed under adtech, consent, cookies, Information Commissioner, PECR, UK GDPR

Tagged as , , ,

September 10, 2023 · 2:38 pm

An open complaint to the ICO about MailOnline cookies

***UPDATE at 8 November***

There is no update. Nothing from the ICO at all, other than, at four weeks – after chasing – a message saying it’s taking six to eight weeks to allocate cases.

It’s now more than eight weeks.

***END UPDATE***

Dear Mr Edwards

In June this year Stephen Bonner told MLex that websites which

don’t have “reject all” on your top level [cookie banner]…are breaking the law. ..There is no excuse for that. The ICO is paying attention in this area and will absolutely issue fines if we see organizations are not taking that seriously and taking steps.

Subsequently, your office said to law firm Mishcon de Reya

Having a ‘reject all’ button on a cookies banner that is just as prominent as an ‘accept all’ button helps people to more easily exercise their information rights. The ICO is closely monitoring how cookie banners are used in the UK and invites industry to review their cookies compliance now. If the ICO finds that cookies banners breach the law, it will seriously consider using the full range of its powers, including fines.

Then, on 9 August, in conjunction with the Competition and Markets Authority, your office stated

One clear example of often harmful design are cookie consent banners. A website’s cookie banner should make it as easy to reject non-essential cookies as it is to accept them. Users should be able to make an informed choice on whether they want to give consent for their personal information to be used, for example, to profile them for targeted advertising. The ICO will be assessing cookie banners of the most frequently used websites in the UK, and taking action where harmful design is affecting consumers.

In view of all of these statements, I wish to complain, under Article 77 UK GDPR, and simultaneously request, under regulation 32 of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”), that you exercise your enforcement functions, in relation to the use of cookies and similar technology by Associated Newspapers Limited, or alternatively DMG Media (whichever is applicable) as controller of, and person responsible for confidentiality of communications on, the “MailOnline” website at https://www.dailymail.co.uk/home/index.html (the “Website”).

The Website presents a visitor using the Safari browser on an iPhone 11 Pro with a “cookie banner” (see attached screenshot) which does not offer visitors a “reject all” option.

Furthermore, the whole set-up is opaque. If one clicks “Cookie Settings” one is faced with an initially straightforward set of options (one of them set by default to accept cookies for personalised advertising on the basis of “legitimate interest”, which is clearly not compliant with regulation 6 of PECR). However, if one then clicks on the tab for “Vendors”, one is faced with a frankly farcically long list of such “vendors”, and options, many of them set by default to “legitimate interest”. I consider myself reasonably knowledgeable in this area, but it is far from clear what is actually going on, other than to say it plainly appears to be falling short of compliance with regulation 6, and, to the extent my personal data is being processed, the processing plainly appears to be in contravention of the UK GDPR, for want – at least – of fairness, lawful basis and transparency.

It is worth noting that much of MailOnline’s content is likely to be of interest to and accessed by children (particularly its sports and “celebrity news” content), even if the publisher does not actively target children. You state, in your guidance

if children are likely to access your service you will need to ensure that both the information you provide and the consent mechanism you use are appropriate for children.

But the complexity and opacity of the Website’s cookie use means that it is largely incomprehensible to adults, let alone children.

It is, obviously, not for me to specify how you undertake an investigation of my complaint, but you must, of course, by reference to Article 57(1)(f) UK GDPR, investigate to the “extent appropriate”. Given the clear messages your office has delivered about cookie banners and the like, and given the weight of evidence as to non-compliance, I would suggest an investigation to the extent appropriate must – at the very least – result in a clear finding as to legality, with reasons, and recommendations for the investigated party.

I cannot claim to be distressed by the infringements I allege, but I do claim to be irritated, and to have, cumulatively, been put to excess time and effort repeatedly trying to “opt out” of receiving cookies on the Website and understand what sort of processing is being undertaken, and what sort of confidentiality of communications exists on it.

Of course the Website here is not the only example of apparent non-compliance: poor practice is rife. Arguably, it is rife because of a prolonged unwillingness by your office and your predecessors to take firm action. However, if you would like me to refer to other examples, or require any further information, please don’t hesitate to ask.

Yours sincerely

Jon Baines

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under adtech, consent, cookies, Data Protection, Information Commissioner, PECR, UK GDPR

Tagged as , , , , ,

September 4, 2022 · 11:21 am

Breaking the code

Bletchley Park’s use of adtech means you can’t opt out of non-essential cookies and still access the website

I found this ironically sad.

Visit Bletchley Park’s website and one is presented with a cookie banner. If you’re like me you will deselect all but essential cookies – so no “preferences”, “statistics” or “marketing”

Regulation 6 of the Privacy and Electronic Marketing (EC Directive) Regulations 2003 (PECR) is behind this.

As much as one might find cookie banners annoying, they are a result of cookies being inherently intrusive. They are code placed on one’s terminal equipment; sometimes they are essential for a website’s functioning (in which case they can be placed without consent) and sometimes they are merely useful (but not essential) for the user or the operator – perhaps to get analytics, or remember preferences, or deliver targeted advertising (in which case user consent is required).

The problem with the Bletchley site is that if one refuses “non-essential” cookies (I tried on Edge, Chrome and Safari mobile), they turn out to be rather essential, because what one is left is this

I only spent a few minutes trying to work out if it was some clever puzzle you had to crack to gain access before I realised it was just poor configuration.

So, in fact, the non-essential cookies are actually essential.

I’m sure someone with some expertise in code can sort it out. It can’t be beyond the wit of those running Bletchley Park to configure a website so that it functions properly without interfering with visitors’ computers.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under adtech, cookies, not-entirely-serious, PECR

Tagged as ,

June 17, 2022 · 11:17 am

Data reform – hot news or hot air?

I’ve written a piece for the Mishcon de Reya website on the some of the key proposals (for our client-base) in today’s data protection reform announcement.

Data protection law reform – major changes, but the (mishcon.com)

Leave a comment

Filed under adequacy, consent, cookies, Data Protection, Data Protection Act 2018, DPO, GDPR, Information Commissioner, international transfers, nuisance calls, PECR, UK GDPR

Tagged as , , , ,

September 7, 2021 · 7:24 am

ICO calls for global cookie standards (but why not enforce the law?)

The outgoing UK Information Commissioner, Elizabeth Denham, is calling on G7 countries to adopt her office’s new “vision” for websites and cookie consent.

Her challenge to fellow G7 data protection and privacy authorities has been issued at a virtual meeting taking place on 7 and 8 September, where they will be joined by the Organisation for Economic Cooperation and Development (OECD) and the World Economic Forum (WEF).

Denham says “There are nearly two billion websites out there taking account of the world’s privacy preferences. No single country can tackle this issue alone. That is why I am calling on my G7 colleagues to use our convening power. Together we can engage with technology firms and standards organisations to develop a coordinated approach to this challenge”.

What is not clear is whether her vision is, or can be, underpinned by legal provisions, or whether it will need to take the form of a non-enforceable set of standards and protocols. The proposal is said to mean that “web browsers, software applications and device settings [should] allow people to set lasting privacy preferences of their choosing, rather than having to do that through pop-ups every time they visit a website”. The most obvious way of doing this would be through a user’s own browser settings. However, previous attempts to introduce something similar – notably the “Do Not Track” protocol – foundered on the lack of adoption and the lack of legal enforceability.

Also unaddressed, at least in the advance communications, is why, if cookie compliance is a priority area for the Information Commissioner, there has been no enforcement action under the existing legal framework (which consists primarily of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (or “PECR”)). Those current laws state that a website operator must seek consent for the placing of all cookies unless they are essential for the website to function. Although many website operators try hard to comply, there are countless examples of ones who don’t, but who suffer no penalty.

Denham says that “no single country can tackle this alone”, but it is not clear why such a single country can’t at least take steps towards tackling it on domestic grounds. It is open to her to take action against domestic website operators who flout the law, and there is a good argument that such action would do more to encourage proper compliance than will the promotion or adoption of non-binding international standards.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under cookies, Data Protection, Information Commissioner, marketing, PECR

Tagged as ,

March 4, 2015 · 4:26 pm

A cookie for your health problems

Imagine this. You enter a shop (let’s call it Shop A) to browse, and you look at an item of interest (let’s call it Item Q). While you do so, an unbeknown to you, a shop assistant places a sticker on your back, revealing that you looked at this item, and when and where. You leave and a few days later enter another shop, where a shop assistant says “I understand a few days ago you were interested in Item Q, here are some similar items you might be interested in”.

You might initially think “how helpful”, but afterwards you might start to wonder how the second shop knew about your interest, and to think that it’s a bit off that they seemed to have been able to track your movements and interests.

But try this as well. You go to your doctor, because you’re concerned about a medical condition – let’s say you fear you may have a sexually transmitted disease. As you leave the doctor secretly puts a sticker on your back saying when and where you visited and what you were concerned about. You later visit a pharmacy to buy your lunch. While you queue to pay an assistant approaches you and says openly “I understand you’ve been making enquiries recently about STDs – here are some ointments we sell”.

The perceptive reader may by now have realised I am clunkily trying to illustrate by analogy how cookies, and particularly tracking cookies work. We have all come to curse the cookie warning banners we encounter on web sites based in Europe, but the law mandating them (or at least mandating the gaining of some sort of consent to receive cookies) was introduced for a reason. As the Article 29 Working Party of European Data Protection Authorities noted in 2011

Many public surveys showed, and continue to show, that the average internet user is not aware that his/her behaviour is being tracked with the help of cookies or other unique identifiers, by whom or for what purpose. This lack of awareness contrasts sharply with the increasing dependence of many European citizens on access to internet for ordinary everyday activities

The amendments to the 2002 EC Directive, implemented in domestic law by amendment regulations to the The Privacy and Electronic Communications (EC Directive) Regulations 2003 aimed to ensure that there was “an adequate level of privacy protection and security of personal data transmitted or processed in connection with the use of electronic communications networks” (recital 63). And Article 5 of the Directive specified that

Member States shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with Directive 95/46/EC [the 1995 Data Protection Directive], inter alia, about the purposes of the processing

Of course, the requirement that users of electronic communications networks should give consent to the storing of or gaining access to information stored in their terminal equipment (i.e. that they should consent to the serving of cookies) has not been an easy one to implement, and even the Information Commissioner’s Office’s in 2013 rowed back on attempts to gather explicit consent, claiming that there was now no need because people were more aware of the existence of cookies. But I made what to me was an interesting observation recently when I was asked to advise on a cookie notice for a private company: it appeared to me, as I compared competitors’ sites, that those which had a prominent cookie banner warning actually looked more professional than those that didn’t. So despite my client’s wariness about having a banner, it seemed to me that, ironically, it would actually be of some professional benefit.

I digress.

Just what cookies are and can achieve is brought sharply home in a piece on the Fast Company website, drawing on the findings of a doctoral research student at the University of Pennsylvania. The paper, and the article, describe the use of web analytics, often in the form of information gathered from tracking cookies, for marketing in the health arena in the US. Tim Libert, the paper’s author discovered that

over 90% of the 80,000 health-related pages he looked at on the Internet exposed user information to third parties. These pages included health information from commercial, nonprofit, educational, and government websites…Although personal data is anonymized from these visits, they still lead to targeted advertisements showing up on user’s computers for health issues, as well as giving advertisers leads (which can be deciphered without too much trouble) that a user has certain health issues and what issues those are

The US lacks, of course, federal laws like PECR and the DPA which seek – if imperfectly – to regulate the use of tracking and other cookies. But given that enforcement of the cookie provisions of PECR is largely non-existent, are there similar risks to the privacy of web users’ health information in the UK?

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under consent, cookies, Data Protection, PECR

Tagged as , ,