Ben Nolan and Stephen Sidkin of Fox Williams LLP discuss cookies and what online retailers need to do to comply.
When a consumer views clothing on your website, will they see it on their newsfeed next time they log in to their Facebook or Instagram account?
If so, do you know whether you are complying with the law when using the cookies and tools (such as the Facebook pixel) which result in this happening? A quick check online shows some of the UK’s largest retailers are not complying with the rules.
For some time, the position as to the use of cookies and similar technologies was unclear, particularly following the introduction of the General Data Protection Regulation (GDPR). However, recent guidance from the UK’s data protection regulator (ICO Guidance) has helped highlight certain key issues.
The key points to note from the ICO Guidance are as follows:
1. Clarification of the “strictly necessary” exemption
Cookies which are “strictly necessary” do not require user consent. This means the use of the cookie must be “essential” for the provision of the requested service or to ensure compliance with applicable law. An example of a cookie that benefits from this exemption is one which remembers the goods in a user’s basket.
Unsurprisingly, the ICO Guidance clarifies that advertising cookies such as the Facebook pixel, which are commonly used by retailers and allow them to target users online, are not considered to be “strictly necessary”. Performance cookies such as Google Analytics also fall outside the strictly necessary exemption.
2. Clear and comprehensive information
The ICO Guidance emphasises the need to provide users with clear information concerning the use of cookies in line with the GDPR’s transparency requirements. This means online retailers need to review and update their cookies policies, ensuring they are sufficiently clear and easily accessible to a normal user.
3. The standard of consent is high
The ICO confirmed the standard of consent for using cookies is the same as that set out under the GDPR, even for cookies that do not involve the processing of personal data.
This means that implied consent can no longer be relied on for cookies. Websites that use non-essential cookies without specifically requiring users to consent to these when accessing a site (e.g. by specifying that continued use entails consent) are therefore not compliant. Accordingly, turn off non-essential cookies by default.
Take-home points
- If past history is anything to go on, it would be reasonable to expect the ICO to seek to make examples of businesses that do not comply in the future. Meanwhile, the ICO is currently receiving a large number of complaints in relation to cookies. This could result in bad publicity for the retailers concerned on social media.
- Irrespective of the above potential ICO fines and bad publicity, retailers are being trolled by some individuals who are bringing court cases claiming infringement of data protection law and forcing retailers to settle out of court by paying them off.
Ben Nolan is an associate and Stephen Sidkin is a partner at Fox Williams LLP
www.fashionlaw.co.uk
www.foxwilliams.com
www.idatalaw.com
© 2019 Fox Williams LLP