Cookie crumbs can cost millions!

What's happened?

The use of online cookies may seem quite trivial to organisations, and something which they may just leave to their website design team – that is of course, until the cookie ‘crumbles’ to give rise to the equivalent of multi-million-pound fines. This is something which has been evident in 2022, as privacy and data protection regulators around the world have already demonstrated why organisations should not be complacent in their use of cookies.

By way of example, Commission Nationale de l'Informatique et des Libertés (CNIL), which is the supervisory authority in France, and therefore acts as the regulator for data protection matters there (just as the ICO does in the UK), has issued fines for breaches of data protection laws relating to cookies. It imposed fines of €90 million to Google LLC, €60 million to Google Ireland Limited and €60 million to Facebook Ireland Limited.

The basis for the fines was due to certain websites (facebook.com, google.fr and youtube.com) offering a button allowing an individual to immediately 'accept' cookies on reaching the website, but not providing an equivalent mechanism (whether by way of a similar button or other option) to just as easily refuse the cookies. The CNIL noted that several clicks were required to refuse all cookies, whilst only a single step was required to accept them.

Furthermore, in the USA, there has recently been the first enforcement action under the California Consumer Privacy Act (CCPA), resulting in a $1.2 million settlement by the beauty products retailer, Sephora. As part of the enforcement action, there was a focus on how the retailer was processing and sharing personal information, including through cookies and other online technical mechanisms (such as tracking pixels), without putting in place appropriate transparency and effective opt-out mechanisms to reflect user choices. 

Implications

Although the examples mentioned above have been about foreign regulatory action, it is important for organisations to appreciate that no matter where they are based, they need to be acutely aware of the local law privacy and data protection regimes which they will be subject to, by their online activities.

In addition, the above examples have similarities with the UK regime. In the UK, the key privacy and data protection regimes which organisations need to be particularly mindful of, are the Privacy and Electronic Communications Regulations (which can give rise to fines of up to £500,000, albeit that the UK Government is looking to revise this upwards to align with the UK GDPR fine levels), as well as the Data Protection Act and the UK GDPR (which can give rise to fines of up to the greater of £17.5 million or 4% of total worldwide annual turnover). The UK laws, like the above foreign law examples, have an emphasis on: transparency of information provision to individuals, safeguards with regard to data sharing, and clear opt-in and subsequent opt-out mechanisms.

Key points for organisations

From a UK perspective, there are specific requirements with regard to the use of cookies which include:

• Consent to cookies being required to be freely given pursuant to informed consent, with some type of affirmative action being required to provide such consent, for example, through a tick box or toggle option.
• Individuals must be able to opt-out of cookies just as easily as they can opt-in.
• There needs to be clear, comprehensive and visible notices on the use of cookies, which comply with the UK privacy and data protection law transparency requirements.

How we can help

It should be noted that the UK Government’s proposals to change the law on cookies is still in a somewhat state of ‘flux’. Consequently, until the law changes, organisations need to continue to take all necessary steps to ensure that their cookies continue to comply with current laws. 

As part of this, we can assist organisations with (amongst other aspects):

• Advice regarding the use of cookies and other online behavioural analytics
• Preparing Cookies Notices
• Preparing Privacy Notices
• Drafting or reviewing data sharing agreements
• Undertaking Controller, Processor or Joint Controller assessments

Mills & Reeve’s national IT and data protection law team can assist your organisation with all of these and other legal requirements. We can also put you in touch with our network of foreign law firms, for foreign law advice where required.